API Authentication and Authorization

Security in AWS

Security is the primary requirement for any meaningful application, especially for applications deployed in the cloud. Amazon’s API Gateway provides a range of features to help secure the APIs hosted in the AWS cloud.

Security consists of two components, namely authentication and authorization.

Authentication involves ensuring that the API client is indeed what it claims to be. Once we ascertain this, authorization ensures that the client should be allowed to do what they’re trying to do. Both are equally important when we work with API gateway. First, we must ensure that the client is genuine. The task doesn’t end there. We should also ensure that the client is authorized to do what they’re trying to do.

Consider an airport as an example. When someone wants to use the airport, security checks for the person's identity based on a national identity card and the tickets. The identity card only proves that they are who they claim to be. That alone doesn’t give the person the right to travel. For that, they need a booking on the flight and proof of that booking. This is the authentication/authorization process. Even after they enter the airport, they have restricted rights to board the flight they booked. Similarly, even after successful authentication, an API request has restricted access to AWS, depending on the IAM role that the request carries.

Authentication is implemented using login credentials, JWT tokens, or keys that define an understanding between the client and server. On the other hand, authorization is implemented within AWS based on the IAM role assigned to the request.

Shared responsibility model

When we talk about security in AWS, we must remind ourselves about the shared responsibility model of security in the AWS cloud. The responsibility for securing applications in AWS is shared between AWS and the customer. AWS is responsible for the security of the cloud externally, we are responsible for security within the cloud.

In other words, AWS is responsible for ensuring that the cloud is secure and its services aren’t compromised. However, it’s our responsibility to ensure that we use the services correctly and follow the prescribed best practices to ensure that the application we develop isn’t compromised. To do this, we should understand the security-related services provided by AWS. This lesson focuses on the services for securing API Gateway.

Security in API Gateway

Method requests take care of the security aspects of the API Gateway. This step has features to validate the HTTP headers and the body. It can connect with services like AWS Cognito and AWS Lambda for elaborate validation.

Additionally, we can use the AWS Web Application Firewall (WAF) to filter out unwanted requests. A firewall is very useful for blocking unwanted requests. Typical legacy firewalls enable IP and port blocking. WAF is a smart firewall capable of handling a lot more than that. It can identify shady requests that can compromise security and can block them before they can damage our application.

Within the API Gateway, security is managed by the Lambda authorizers in the method request step. AWS Cognito can provide us with this functionality out of the box.

Let’s check out some code examples.

AWS Lambda authorizer

In a typical full-stack application, when a user signs in with a username and password, the server-side application returns a signed JSON web token (JWT). All subsequent requests from the client then carry this token in the header. Such JWTs hold tamper-proof information about the client that it can use for authentication and authorization. The server provides it after validating the username and password. It serves as proof of the client’s authenticity. Also, the role and limits of the client are encoded in the JWT, proving the client's authority.

We can configure the API Gateway such that a request has to pass through an authorizer Lambda function before the other integrations process it. This Lambda function gets the authorizer header from the incoming request, along with a few other parameters.

The `authorizer` Lambda function can validate this token to ensure that it’s good. That takes care of authentication. Beyond authentication, it can also check for the context of the request and the user permissions defined in the JWT. Based on this, the `authorizer` Lambda function can identify if the client is authorized to do what they’re trying to do.

Thus, the first Login request goes to the Lambda function that validates the credentials and returns a signed JWT.