Feng Li

Summary

The provided content describes the process of securing a REST API in AWS API Gateway using an API key.

Abstract

The article is a continuation of a previous post discussing the integration of API Gateway with DynamoDB. It specifically addresses the security aspect by illustrating how to use an API key to protect REST APIs. The steps include enabling the API key requirement for the desired method, deploying the API, creating and saving the API key, and finally, creating a usage plan to manage throttling and quotas for the API key. The article emphasizes the importance of the API key in controlling access and the need to include it in the request header to avoid a 403 Forbidden error. It also highlights the flexibility of usage plans in AWS API Gateway to cater to different client needs, such as VIP customers.

Opinions

  • The author suggests that HTTP APIs lack the API key protection feature, implying it as a limitation compared to REST APIs.
  • The author expresses the necessity of deploying the API after modifying the API key requirement to enforce the changes.
  • The article implies that API keys are crucial for securing APIs and should be managed carefully, as evidenced by the detailed steps provided for their creation and usage.
  • The creation of a "Usage Plan" is presented as a beneficial feature for tailoring API access to different user groups, with the example of a "VIP Customer Plan" indicating the potential for customized service levels.
  • The article concludes with a call to action, inviting readers to join Medium using the author's referral link, suggesting that the author values community engagement and the sharing of knowledge.

Use API key to protect your REST API in AWS API Gateway

South Bay, Manitoulin Island, May 30, 2022

This post is a follow-up to another post, which describes how to use API Gateway to connect to DynamoDB.

It seems that HTTP APIs do not offer the API key option, although they can be protected with IAM authentication and other approaches.

1 Choose the method to protect and click on “Method Request”.

2 Set “API Key Required” to “true”.

Remember to click the check mark to actually “Modify” the setting, then “Deploy” the API after this change.

If you call this API from Postman now, you receive a Forbidden message.

3 Create API keys

Choose “API Keys” from the left-side navigation and use “Create API Key” from “Actions” to create an API key called “customer_api_key”.

After clicking “Save” you can now view the generated API key. Take note of the key.

4 Create a “Usage Plan” to combine a resource and an API key with different throttling and quota settings

For example, we can create a “VIP Customer Plan” for specific resources/APIs with higher throttling and quota settings and then authorize requests with API keys.

4.1 Create a usage plan, setting throttling and quota

4.2 Specify the resource/API for this usage plan

5 Test API Key protected endpoint

Specify “x-api-key” in the request header so you can successfully add a new customer to DynamoDB.

Request with x-api-key

Without the API key, the request is rejected with a 403 Forbidden error.

Request without x-api-key
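The behaviour of steps 2 through 5, as an added Python example that is not part of the original post: a local stand-in for the deployed stage (constructed here, not AWS) enforces “API Key Required” and a usage-plan quota, and a client helper sends the request with and without the x-api-key header. The key name, the quota of 3, the /customers path and the 429 quota message are assumptions.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data (assumption): one key enrolled in a usage plan with a quota of 3 requests.
API_KEYS = {"customer_api_key": {"plan": "VIP Customer Plan", "quota": 3, "used": 0}}

class FakeGateway(BaseHTTPRequestHandler):
    """Local stand-in for the deployed stage: 'API Key Required' is true on POST /customers."""
    def do_POST(self):
        record = API_KEYS.get(self.headers.get("x-api-key"))
        if record is None:  # missing or unknown key: the 403 the gateway returns
            return self._reply(403, {"message": "Forbidden"})
        if record["used"] >= record["quota"]:  # usage-plan quota exhausted
            return self._reply(429, {"message": "Limit Exceeded"})
        record["used"] += 1
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        return self._reply(200, {"created": body.get("name")})

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence request logging
        pass

def start_gateway():
    """Bind the stand-in to a free localhost port and serve it on a background thread."""
    server = HTTPServer(("127.0.0.1", 0), FakeGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def add_customer(url, name, api_key=None):
    """Client side of step 5: POST a customer, adding x-api-key only if given; returns (status, body)."""
    headers = {"Content-Type": "application/json"}
    if api_key:
        headers["x-api-key"] = api_key
    req = Request(url, data=json.dumps({"name": name}).encode(), headers=headers, method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())
```

Against a real stage, the same `add_customer` call with the deployed invoke URL and the key noted in step 3 produces the 200 and 403 responses shown in the screenshots above.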

Happy Reading!
