
How to set quota for CORS preflight requests with AWS API Gateway

I'm building a serverless application with AWS Lambda and API Gateway. In order to prevent DDoS attacks that make a large number of requests and cost me lots of money, I've set up a usage plan with a request quota (e.g. 10K requests/month). This requires an API key to be passed as a header by callers.

This seemingly works well, but I also need to enable CORS for this service. For that I need to allow an unauthorized OPTIONS request ("CORS preflight" request), as browsers don't support sending any special header there. But then I can't seem to find a way of enforcing a quota, and I'm back to square one: an uncontrolled number of those requests could cost an unforeseeable amount of money. Is there any way to exclude this possibility?

Gunnar asked Jul 05 '20 19:07


2 Answers

To enforce a quota on OPTIONS requests, create a web ACL in AWS WAF & associate it to a stage of your API in API Gateway. Add a rate-based rule in the web ACL that blocks all OPTIONS requests beyond the rate limit you specify. Rules in web ACLs can be configured specifically for this, as shown below:

[screenshots of the rate-based rule configuration in the web ACL]

For a screenshot-guided tutorial of this entire process, see my blog post.

Harish KM answered Oct 01 '22 22:10
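As an added example (not part of the answer above and not AWS's own code), the following Python shows the rule the answer describes in the JSON shape the WAFv2 API expects, a rate-based statement aggregated per source IP and scoped down to the HTTP method OPTIONS, plus an offline replay of API Gateway access-log lines through a per-IP five-minute sliding-window counter so the limit can be sized against real traffic before the web ACL is associated with the stage. The rule name, limit, the JSON access-log layout and the sample log lines are all chosen here for illustration; WAF's own counter is an approximation of the exact sliding window used below.

```python
"""Helpers for a WAF rate-based rule that applies only to CORS preflight (OPTIONS).

1. build_options_rate_rule(): WAFv2 rule definition (field names follow the
   CreateWebACL/UpdateWebACL API; name, limit and metric name are placeholders).
2. ips_exceeding(): replays access-log lines through a per-IP sliding-window
   count to find source IPs the rule would block at a given limit. WAF evaluates
   its counters periodically, so this exact sliding window is an approximation.
"""
import json
from collections import defaultdict, deque
from datetime import datetime


def build_options_rate_rule(name: str, limit: int, priority: int = 0) -> dict:
    """Return a WAFv2 rule dict: block a source IP after `limit` OPTIONS requests in 5 min.

    The ScopeDownStatement restricts counting to the request method, so GET/POST
    traffic (already covered by the API key and usage plan) is not counted here.
    With boto3, pass SearchString as bytes (b"OPTIONS"); CLI JSON input takes a string.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,            # requests per 5-minute window, per source IP
                "AggregateKeyType": "IP",
                "ScopeDownStatement": {
                    "ByteMatchStatement": {
                        "FieldToMatch": {"Method": {}},
                        "PositionalConstraint": "EXACTLY",
                        "SearchString": "OPTIONS",
                        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                    }
                },
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def ips_exceeding(log_lines, limit: int, window_sec: int = 300) -> dict:
    """Return {source_ip: peak OPTIONS count in any window} for IPs that went over `limit`.

    Each line is a JSON object with "ip", "method" and an ISO-8601 "time" (the kind of
    layout a custom API Gateway access-log format with $context.identity.sourceIp and
    $context.httpMethod produces; the exact field names are an assumption here).
    """
    records = sorted((json.loads(line) for line in log_lines), key=lambda r: r["time"])
    windows = defaultdict(deque)   # per-IP timestamps of OPTIONS requests still in the window
    peak = {}
    for rec in records:
        if rec["method"] != "OPTIONS":
            continue               # only preflights are subject to this rule
        t = datetime.fromisoformat(rec["time"]).timestamp()
        q = windows[rec["ip"]]
        q.append(t)
        while t - q[0] > window_sec:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def _line(ip: str, method: str, minute: int, second: int) -> str:
    # Constructed log line; the date is arbitrary.
    return json.dumps({"ip": ip, "method": method,
                       "time": f"2020-07-05T19:{minute:02d}:{second:02d}+00:00"})


# Constructed sample: one IP sends six preflights within a minute, another sends
# three spread over seven minutes plus a normal GET. Addresses are documentation ranges.
SAMPLE_LOG = (
    [_line("203.0.113.7", "OPTIONS", 0, s) for s in range(0, 60, 10)]
    + [_line("198.51.100.2", "OPTIONS", m, 0) for m in (0, 3, 7)]
    + [_line("198.51.100.2", "GET", 1, 0)]
)

if __name__ == "__main__":
    # A real WAF limit is far higher than 5; the small value just makes the demo visible.
    print("IPs the rule would block:", ips_exceeding(SAMPLE_LOG, limit=5))
    print(json.dumps(build_options_rate_rule("block-preflight-floods", 1000), indent=2))
```

The rule dict goes into the `Rules` list of a regional web ACL (`aws wafv2 create-web-acl --scope REGIONAL ...`), and the web ACL is then attached to the stage with `aws wafv2 associate-web-acl --resource-arn <stage ARN>`. Replaying a few days of real access logs with `ips_exceeding` at the intended limit shows which legitimate clients, if any, would be caught before the block action is enabled.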


You are not paying for any unauthorized calls to API-Gateway. AWS is picking up this charge. You are paying after the request is authorized and only if it does not exceed your usage plan.

So if somebody is doing a DDoS on your API without authentication, it is free of charge.

If somebody is doing a DDoS with a valid API key, you will only pay until your usage plan is exceeded.

Find more information here.

  • Requests are not charged for authorization and authentication failures.

  • Calls to methods that require API keys are not charged when API keys are missing or invalid.

  • API Gateway-throttled requests are not charged when the request rate or burst rate exceeds the preconfigured limits.

  • Usage plan-throttled requests are not charged when rate limits or quota exceed the preconfigured limits.

So make sure to have authentication enabled on your API and a usage plan in place for all the authenticated requests.

DominikHelps answered Oct 01 '22 22:10