Saloni Singh
Learning AWS Day by Day — Day 58 — Security in API Gateway

Exploring AWS!!

Day 58

Security in API Gateway

Security is one of the most important aspects of running on AWS. It is a responsibility shared between AWS and you as the customer: AWS treats your security as a priority, but part of the job stays with you. The shared responsibility model describes this split as security "of" the cloud and security "in" the cloud.
Security of the Cloud: AWS is responsible for the security of the cloud, that is, for the infrastructure on which everything you run in the cloud depends. Third-party security assessors regularly verify and test this as part of the AWS Compliance Programs.
Security in the Cloud: You are responsible for security inside the cloud, meaning the infrastructure you provision and how you use it: strong passwords, the sensitivity of the data you store, and the laws and regulations that apply to your organization.

Data Protection
To protect your data, secure sensitive information such as passwords, protect your AWS account credentials, and use IAM users and policies that grant only the least privilege required. You can secure your data in the following ways:
Use MFA with each account, including IAM user accounts and the root account.
Use SSL/TLS to communicate with AWS resources.
Use CloudTrail to log user activity and API calls.
Use encryption solutions and managed AWS advanced services such as Macie, which is used for securing data in S3.

Data Encryption in API Gateway
Data Encryption at Rest in API Gateway:
When you enable caching for a REST API stage, you can also enable encryption of the cache data.
Data Encryption in Transit in API Gateway:
API Gateway APIs expose only HTTPS endpoints; plain HTTP is not exposed.
API Gateway manages the certificate for the default execute-api endpoints.
You can set up a CloudFront distribution with your own custom SSL certificate and use it in front of regional APIs.


Internetwork Traffic Privacy
We can create private REST APIs that can be accessed only from VPCs. Using a resource policy, you can allow or deny access to an API from specific VPCs or VPC endpoints, and a single VPC endpoint can be used to reach multiple APIs. We can also use Direct Connect to establish a network link from on-premises to an Amazon VPC and then reach the private API over that link. In all of these scenarios, traffic to your private API uses a secure connection and stays within the Amazon network, isolated from the public internet.
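As an added illustration of allowing or denying access from a specific VPC endpoint (this is example code, not from the original post), the function below builds the standard resource-policy shape for a private REST API and a small evaluator applies it the way IAM does, with an explicit Deny winning over Allow. The account ID, API ID and VPC endpoint ID are constructed placeholders.

```python
import json

# Constructed placeholder identifiers; substitute your own values.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
API_ID = "abcde12345"
ALLOWED_VPCE = "vpce-0123456789abcdef0"  # interface endpoint for execute-api


def private_api_resource_policy(account_id, region, api_id, vpce_id):
    """Resource policy that lets only one VPC endpoint invoke the API.

    Deny every execute-api:Invoke whose aws:SourceVpce is not the endpoint,
    then Allow the endpoint. The '/*' suffix covers all stages, methods, paths.
    """
    api_arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
            },
        ],
    }


def invoke_allowed(policy, source_vpce):
    """Simplified evaluation of one execute-api:Invoke against the policy.

    Only StringEquals / StringNotEquals on aws:SourceVpce are modelled.
    A request that did not come through a VPC endpoint has no aws:SourceVpce
    (source_vpce is None), which still satisfies StringNotEquals, so it is denied.
    """
    ctx = {"aws:SourceVpce": source_vpce}
    allowed = False
    for st in policy["Statement"]:
        matched = True
        for op, kv in st.get("Condition", {}).items():
            for key, want in kv.items():
                have = ctx.get(key)
                matched &= (have == want) if op == "StringEquals" else (have != want)
        if not matched:
            continue
        if st["Effect"] == "Deny":
            return False  # explicit deny is final
        allowed = True
    return allowed
```

Attach the policy (for example, `json.dumps(policy)`) to the API as its resource policy; the evaluator is only for reasoning about which callers the policy admits.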
