Secure Amazon Gateway API to only be accessible from content in S3 bucket

I have an API that's exposed to the public internet which I've created through Amazon's Gateway API service. API calls trigger a Lambda function that queries a backend database. The API that I've created is used by an S3 static webpage to fetch data.

I'd like to secure my API so that only the contents of my S3 bucket (index.html) have permission to access my API. I'd like to prevent people from being able to query my API directly and scrape the data using curl requests, etc. I've read a little bit about IAM roles, Cognito, and the Lambda permissions model, but I'm unsure how to secure my API with all these different tools.

What is the best way to secure my API so that only the content in my S3 bucket has permission to access my API?

turtle Avatar asked Dec 05 '22 17:12



1 Answer

Depending on your setup, you can try using one or more of AWS's condition keys in your API Gateway's Resource Policy. For example, you could only allow requests for which the referer is your S3 static website:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
            ],
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "<bucket-name>.s3-website-<AWS-region>.amazonaws.com/*"
                    ]
                }
            }
        }
    ]
}
Leila Hadj-Chikh Avatar answered Jan 20 '23 03:01

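Added example, not part of the answer above: a small Python evaluator for the resource policy in the answer, with the placeholders filled in as constructed values, showing which requests the StringLike condition on aws:Referer admits. The constructed pattern carries the http:// scheme because the browser sends the full page URL in the Referer header, and a request without a Referer header, or with another origin, falls through to the default deny.

```python
import json
import re

# Constructed policy: the answer's policy with its placeholders filled in.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "execute-api:Invoke",
    "Resource": ["execute-api:/prod/GET/items"],
    "Condition": {"StringLike": {"aws:Referer": [
        "http://my-site-bucket.s3-website-us-east-1.amazonaws.com/*"]}}
  }]
}""")


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(condition: dict, headers: dict) -> bool:
    """Every condition key must match one of its listed patterns.
    A key absent from the request (no Referer header) cannot satisfy
    StringLike, so the statement does not apply to that request."""
    for operator, keys in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)  # only what the policy uses
        for key, patterns in keys.items():
            header = key.removeprefix("aws:").lower()  # aws:Referer -> referer
            value = headers.get(header)
            if value is None or not any(string_like(p, value) for p in patterns):
                return False
    return True


def is_allowed(policy: dict, resource: str, headers: dict) -> bool:
    """Default deny: allowed only if an Allow statement matches the resource
    and its condition, and no matching Deny statement exists."""
    allowed = False
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if not any(string_like(r, resource) for r in resources):
            continue
        if not condition_matches(stmt.get("Condition", {}), headers):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```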