 

AWS Cloudfront (with WAF) + API Gateway: how to force access through Cloudfront?

I want to put WAF in front of API Gateway, and from the (little) info I can find, that is only possible by manually putting an extra CloudFront distribution with WAF enabled in front of APIG. It's a bit of a shame, especially since APIG now supports custom domains natively, but it should work.

Now, to make the solution secure rather than just obscure, I want to enforce that the APIs can only be accessed through the CloudFront distro. What is the best option to do this?

  • I was hoping to be able to use 'Origin Access Identities', similar to S3, but I don't see how to do that.
  • If I could assign an IAM user (or role?) to the CloudFront distro, I could use the APIG IAM feature, but I don't see how this can be done.
  • I could require an API key in APIG and pass it as an Origin Custom Header from CloudFront. That could work, as long as we don't want to use API keys for some other purpose, so I'm not entirely happy about that.
  • A dummy (!) custom authorizer could be used, with the Token validation expression actually checking a secret that is passed as an Origin Custom Header from CloudFront. Should work, it's more flexible, but a bit dirty... or not?

Any better ideas? Or perhaps "the right way" to do it exists but I overlooked it?

asked Apr 14 '17 13:04 by Free Willaert



1 Answer

I am from API Gateway.

Unfortunately, the best solution we have as of now is to inject an origin custom header in CloudFront and validate that in a custom authorizer (option 4 in your question).

We are already aware of this limitation and not-so-great workaround. We are looking to provide better WAF integration in future, but we do not have an ETA.

answered Sep 21 '22 17:09 by Balaji
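As an added worked example of the option the answer recommends (this is editor-supplied illustration code, not code from the question, the answer, or AWS), here is a Lambda REQUEST authorizer in Python that accepts a request only when the CloudFront origin custom header carries the shared secret. The header name `x-origin-verify`, the environment variable `ORIGIN_VERIFY_SECRET`, the ARN and the two sample events are assumptions constructed for the example; the secret comparison is constant-time, and the returned policy covers the whole stage because API Gateway caches the authorizer result per identity source and reuses it for other methods.

```python
import hmac
import os

# Name of the origin custom header that the CloudFront distribution is configured
# to add on every request it forwards to the API Gateway origin (assumed name).
VERIFY_HEADER = "x-origin-verify"


def _header(event, name):
    """Case-insensitive lookup in a REQUEST-authorizer event's headers dict."""
    headers = event.get("headers") or {}
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def stage_wildcard_arn(method_arn):
    """Turn arn:...:apiId/stage/GET/path into arn:...:apiId/stage/*.

    The cached policy is applied to every method reached with the same header
    value, so an Allow limited to one method ARN would break the other routes."""
    base, _, path = method_arn.partition("/")   # base ends with the API id
    stage = path.split("/", 1)[0]
    return f"{base}/{stage}/*"


def _policy(effect, resource):
    return {
        "principalId": "cloudfront-origin",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
            ],
        },
    }


def authorize(event, expected_secret):
    """Allow only if the CloudFront-injected header equals the shared secret."""
    presented = _header(event, VERIFY_HEADER)
    if presented is None:
        # No header at all: a direct hit on the execute-api hostname.
        # Raising 'Unauthorized' makes API Gateway answer 401 and caches nothing.
        raise Exception("Unauthorized")
    # Constant-time comparison so response timing does not leak the secret.
    if not hmac.compare_digest(presented.encode(), expected_secret.encode()):
        return _policy("Deny", stage_wildcard_arn(event["methodArn"]))
    return _policy("Allow", stage_wildcard_arn(event["methodArn"]))


def lambda_handler(event, context):
    # The secret is assumed to arrive via an environment variable (for example
    # populated from Secrets Manager at deploy time); the same value must be set
    # on the CloudFront origin as the custom header value.
    return authorize(event, os.environ["ORIGIN_VERIFY_SECRET"])


# Constructed sample events for illustration, not captured from a real deployment.
METHOD_ARN = "arn:aws:execute-api:eu-west-1:123456789012:abcdef1234/prod/GET/orders"

EVENT_VIA_CLOUDFRONT = {
    "type": "REQUEST",
    "methodArn": METHOD_ARN,
    "headers": {"Host": "api.example.com", "X-Origin-Verify": "s3cret-value"},
}
EVENT_DIRECT = {
    "type": "REQUEST",
    "methodArn": METHOD_ARN,
    "headers": {"Host": "abcdef1234.execute-api.eu-west-1.amazonaws.com"},
}
```

Two practical caveats follow from the question's fourth option. A TOKEN authorizer's "Token validation expression" is a regular expression that API Gateway evaluates before invoking the Lambda; it is fine for rejecting malformed values early, but the actual secret comparison belongs in the Lambda, as above, so it stays constant-time and the secret never ends up in a regex. And the header value is a credential: anyone who learns it can bypass CloudFront (and WAF) by calling the execute-api hostname directly, so rotate it like any other shared secret and keep the Lambda's result cache TTL short enough that a rotation takes effect promptly.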