Secure AWS API Gateway with IAM

Adil Ansari - Sep 15 - - Dev Community

If you're using AWS API Gateway and want to secure it with IAM credentials from your AWS users, you're in the right place.
AWS offers several methods to secure REST APIs, including API keys, Lambda authorizers, and Amazon Cognito, but in this post, we'll focus on using IAM. I'll guide you step-by-step through the process of securing your API Gateway with IAM.

Let’s get started!

API Gateway

Amazon API Gateway is a fully managed AWS service that helps you create and manage APIs for your applications. It acts as a middleman, accepting requests and routing them to the right backend services, such as AWS Lambda or EC2.

Why IAM

By default, API Gateway APIs are reachable on a public URL, meaning anyone who has the link can call your API. To protect your data and services, you need to restrict access to it. Using IAM authorization ensures that only approved users can call your API, because it controls who is allowed to send requests to it.

Creating an API

For this article, I'll create a sample REST API in API Gateway and secure it using IAM.

To create an API, open the API Gateway service in the AWS Console, create a new REST API, and deploy it.


In the screenshots above, you can see that I have deployed the sample Pet Store API and invoked it using its invoke URL, and it's working fine.

Add IAM Authorization

Now let's add IAM authorization to our API method.

  • Click the method under the path you want to secure, choose Method request, and click the Edit button.


  • In the Method request settings, choose AWS IAM in the Authorization dropdown and click Save.


  • Redeploy the API and test the endpoint again using its invoke URL.


Your API is now protected: it returns HTTP 403 (an authentication error) when called without IAM credentials.

  • Now test your API with IAM credentials using Postman. In Postman, go to the Authorization tab, choose AWS Signature in the Auth Type dropdown, and enter your access key, secret key, session token (if you're using STS temporary credentials), and AWS region. Now call your API endpoint; it should return a 200 response code.


Note

  1. The IAM user must have the execute-api:Invoke permission on the API you want to call.

  2. AWS Signature authentication is AWS's own request-signing scheme for securing APIs. Many client-side libraries don't support it natively, so you can call API Gateway through the AWS SDK or use a third-party library such as requests-aws4auth in Python; similar libraries exist for other programming languages.
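To show what that AWS Signature step actually does, here is an added example (not from the original post) that signs a request to an IAM-authorized API Gateway method with AWS Signature Version 4 using only the Python standard library. The host name, credentials, session token and timestamp are constructed placeholders; the signing name execute-api is the one API Gateway uses for IAM authorization.

```python
import hashlib
import hmac
from datetime import datetime, timezone


def sign_execute_api_request(method, host, path, region, access_key, secret_key,
                             session_token=None, body=b"", now=None):
    """Build the headers for a SigV4-signed call to an IAM-authorized API Gateway method.

    `path` is assumed to contain only unreserved characters (e.g. /pets); segments with
    other characters would need SigV4's URI encoding first. No query string is handled.
    """
    now = now or datetime.now(timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    service = "execute-api"  # API Gateway's signing name for IAM authorization
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary STS credentials must also send their session token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, path, "", canonical_headers, signed_headers,
                                   hashlib.sha256(body).hexdigest()])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: kSecret -> kDate -> kRegion -> kService -> kSigning
    key = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def example_headers():
    """Sign a GET /pets with constructed placeholder credentials and a fixed clock."""
    return sign_execute_api_request(
        "GET", "abc123.execute-api.us-east-1.amazonaws.com", "/pets", "us-east-1",
        "AKIAEXAMPLEKEY", "EXAMPLESECRETKEY", session_token="EXAMPLESESSIONTOKEN",
        now=datetime(2024, 9, 15, 12, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for name, value in example_headers().items():
        print(f"{name}: {value}")
```

Send the returned headers with the request (for example via urllib or requests) and API Gateway will accept it only if the signing identity is allowed execute-api:Invoke on that method; the x-amz-date must also be within the allowed clock skew.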

Conclusion

In this article, we have seen how to secure AWS API Gateway APIs using IAM credentials and how to call them from Postman.

If you found this article helpful, like it and follow @adilansari (Adil's LinkedIn) for more content on AWS, Cloud, DevOps, Linux, and more.
