
Amazon API Gateway


Last updated 6 months ago

Features

API Gateway can be described as a bridge between different AWS services, or between the users of an application and its backend. It acts as the "front door" through which applications reach data, business logic, or functionality in backend services.

Amazon API Gateway is a fully managed service for creating, publishing, maintaining, monitoring, and securing APIs at any scale. Access is tracked with API keys and usage plans; a usage plan can also impose limits on a particular API through quotas and throttling.

API Gateway supports REST APIs, WebSocket APIs, and HTTP APIs.

These support containerized and serverless workloads as well as web applications. One common use case is integration with Lambda.

API Gateway handles thousands of concurrent API calls and provides traffic management, CORS support, authorization and access control, throttling, monitoring, and API version management.

The invoke URL has the format: https://<random-api-id>.execute-api.<region>.amazonaws.com/<stage, such as dev>/<resource, such as default>

A stage can also have stage variables, which store configuration without modifying code. For example, the backend URI for the uat and prod stages can differ; each value is stored in a stage variable and resolved dynamically at runtime by the API.

An HTTP or REST API can have several versions, each with its own methods (GET, POST, ...), authorization settings, and API key requirement.

An API Gateway can also be private, in which case it is reachable only through VPC endpoints.

Authentication and Authorization

  • API Gateway supports standard AWS IAM roles and policies, as well as endpoint policies for interface VPC endpoints.

  • Just like S3, it can have a resource policy, which can grant or restrict access for IAM users (in any AWS account), source IP address ranges or CIDR blocks, and specified VPCs or VPC endpoints.

Note that it is best practice to include the VPC ID in the condition of a private API Gateway's resource policy.

Example resource policy (generated by ChatGPT):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd1234ef/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::098765432109:role/MyRole"
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd1234ef/*"
    }
  ]
}
```
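As an added example that is not from the original page, the following resource policy applies the best practice noted above for a private API: it allows invocation, then denies any request whose source VPC (condition key aws:SourceVpc) is not the expected one. The account and API id reuse the sample values from the policy above; the VPC id is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd1234ef/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd1234ef/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-PLACEHOLDER0000000"
        }
      }
    }
  ]
}
```

Because an explicit Deny always wins, a request arriving from any other VPC or from the public internet is rejected even if an IAM policy would otherwise allow it; use aws:SourceVpce instead when access should be limited to one specific interface endpoint.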

The interaction between IAM policies and the resource policy during authorization is illustrated in the AWS documentation linked in the sources below.

  • It also supports Amazon Cognito user pools.

  • A different kind of authorization it supports is Lambda authorizers.

Lambda Authorizers

A Lambda authorizer is a Lambda function that controls access to the APIs behind an API Gateway. It can implement custom authentication or authorization logic beyond the usual IAM-based or API-key-based options.

It uses a custom authorization scheme that either:

  • follows a bearer token authentication strategy, or

  • uses request parameters to determine the caller's identity.

There are two types:

  • TOKEN authorizer (token-based)

  • REQUEST authorizer (request-parameter-based)

Based on the values the authorizer returns, access is granted or denied; the workflow diagram from the AWS documentation is linked in the sources below.

Note that the returned policy is usually cached for 30 seconds; the cache TTL is configurable.
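The following is an added example, not code from the original page: a minimal TOKEN-type Lambda authorizer in Python that reads the bearer token, maps it to a principal, and returns the Allow or Deny policy document API Gateway expects. TOKENS is a constructed sample store (a real authorizer would verify a signed JWT or query an identity provider), and the ARN values are placeholders.

```python
# Added example, not code from the original page: a minimal TOKEN-type
# Lambda authorizer. TOKENS is constructed sample data; a real authorizer
# would verify a signed JWT or query an identity provider instead.
import hmac
import re

# Constructed sample data: bearer token -> (principal, allowed "<stage>/<METHOD>/<path>" prefix).
TOKENS = {
    "tok-alice-123": ("alice", "dev/GET/orders"),
    "tok-bob-456": ("bob", "dev/GET/health"),
}
BEARER_RE = re.compile(r"^Bearer\s+(\S+)$")


def _lookup(token):
    # Constant-time comparison against every entry, so timing does not reveal a match.
    for stored, (principal, prefix) in TOKENS.items():
        if hmac.compare_digest(stored, token):
            return principal, prefix
    return None


def build_policy(principal_id, effect, resource_arn, context=None):
    """Response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": resource_arn}],
        },
        "context": context or {},
    }


def handler(event, _ctx=None):
    """event["authorizationToken"] is the Authorization header value;
    event["methodArn"] is arn:aws:execute-api:<region>:<acct>:<api-id>/<stage>/<METHOD>/<path>."""
    match = BEARER_RE.match(event.get("authorizationToken", ""))
    if not match:
        raise Exception("Unauthorized")  # API Gateway answers 401; not cached
    method_arn = event["methodArn"]
    found = _lookup(match.group(1))
    if found is None:
        return build_policy("anonymous", "Deny", method_arn)  # 403
    principal, allowed_prefix = found
    stage_method_path = method_arn.split("/", 1)[1]  # e.g. "dev/GET/orders"
    effect = "Allow" if stage_method_path.startswith(allowed_prefix) else "Deny"
    # Caching caveat: the result is cached per token, so an Allow scoped to one
    # method ARN yields 403 on other methods until the TTL expires.
    return build_policy(principal, effect, method_arn, {"user": principal})
```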

Steps to setup an API Gateway

Head back to Lambda to finish configuring the trigger, then use the API Gateway URL.

Sources:

  • https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html
  • https://dev.to/aws-builders/two-ways-to-directly-integrate-aws-lambda-function-with-amazon-api-gateway-3can
  • https://javapatel.wordpress.com/wp-content/uploads/2023/10/rest-private-api-coverimage.png?w=816
  • https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-authorization-flow.html#apigateway-resource-policies-iam-policies-interaction
  • https://docs.aws.amazon.com/images/apigateway/latest/developerguide/images/custom-auth-workflow.png