Secure Amazon Gateway API to only be accessable from content in S3 bucket

Question

I have an API that's exposed to the public internet which I've created through Amazon's Gateway API service. API calls trigger a Lambda function that queries a backend database. The API that I've created is used by an S3 static webpage to fetch data.

I'd like to secure my API so that only the contents of my S3 bucket (index.html) has permission to access my API. I'd like to prevent people from being able to query my API directly and scrape the data using curl requests, etc. I've read a little bit about IAM roles, Cognito, and the Lambda permissions model, but I'm unsure how to secure my API with all these different tools.

What is the best way to secure my API so that only the content in my S3 bucket has permission to access my API?

Answer 1

Depending on your setup, you can try using one or more of AWS's condition keys in your API Gateway's Resource Policy. For example, you could only allow requests for which the referer is your S3 static website:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/{{stageNameOrWildcard*}}/{{httpVerbOrWildcard*}}/{{resourcePathOrWildcard*}}"
            ],
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "<bucket-name>.s3-website-<AWS-region>.amazonaws.com/*"
                    ]
                }
            }
        }
    ]
}