How to protect an AWS API Gateway with authentication

Time: 2018-04-18 10:41:20

Tags: amazon-web-services amazon-s3 aws-lambda amazon-cloudfront aws-api-gateway

Hi everyone, I have written an AWS Lambda function that should be open to everyone. I have also configured my CloudFront distribution so that users can access it. How can I make the API Gateway accept requests only from CloudFront, or whitelist the CloudFront domain? Something like Allowed_hosts.

It should not respond to any calls from Postman or any such tool. The API Gateway should only respond to calls coming from CloudFront.

How do I do this? I do not want to set up an authentication system like Cognito or IAM.

Is there a better way to do this?

I looked at CORS and Access-Control-Allow-Origin, but those are browser-based.

I need a way to accept only calls from CloudFront or my S3 bucket, not from localhost or Postman etc.

Thanks in advance.

2 answers:

Answer 0: (score: 2)

Step 1:

Set up API Keys with API Gateway.

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-setup-api-key-with-restapi.html

Step 2:

Add the API Key to the CloudFront origin as a custom header.

If anyone calls the API Gateway without a valid key, the call will get refused.

To set up authentication on CloudFront you can sign the URLs.

Hope it helps.

Answer 1: (score: 1)

I do not think that there is a way to restrict calls to your API GW endpoints... However, you can use the so-called API Keys. When you make a request to the specific API GW endpoint, you need to provide a header x-api-key with the corresponding API Key as its value. As long as you provide the header with the correct value, you will be able to access the functionality behind your endpoint. If you do not provide a correct API Key, you will simply get 403 Forbidden.

Please take a look here and if you have any questions, read through the documentation. It's quite clear.

If there is anything unclear in my answer, I am open to help!

Cheers.
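The mechanism both answers describe (CloudFront injects the API key as an origin custom header, anything arriving without it gets 403) can also be enforced inside the Lambda itself when the function is deployed behind a proxy integration. The following is an added example, not code from either answerer or from AWS; the key value, the `CLOUDFRONT_ORIGIN_KEY` environment variable and the sample events are constructed for illustration.

```python
import hmac
import json
import os

# Shared secret that CloudFront injects as an origin custom header. In a real
# deployment it would be read from the Lambda environment; the default value
# here is a constructed placeholder for the example.
EXPECTED_KEY = os.environ.get("CLOUDFRONT_ORIGIN_KEY", "example-origin-key-REPLACE-ME")
HEADER_NAME = "x-api-key"  # same header name API Gateway uses for API Keys


def _get_header(event, name):
    """Case-insensitive lookup in an API Gateway proxy event's headers."""
    headers = event.get("headers") or {}
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def handler(event, context=None):
    """Lambda proxy handler: serve only requests carrying the CloudFront-injected key."""
    presented = _get_header(event, HEADER_NAME)
    # compare_digest keeps the comparison constant-time, so a caller cannot
    # recover the key byte by byte from response timing.
    if presented is None or not hmac.compare_digest(presented, EXPECTED_KEY):
        return {"statusCode": 403, "body": json.dumps({"message": "Forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"message": "hello from lambda"})}


# Constructed sample events shaped like API Gateway proxy integration input.
FROM_CLOUDFRONT = {"headers": {"X-Api-Key": EXPECTED_KEY, "Via": "1.1 cloudfront.net"}}
FROM_POSTMAN = {"headers": {"User-Agent": "PostmanRuntime/7.26"}}  # no key at all
WRONG_KEY = {"headers": {"x-api-key": "not-the-key"}}

if __name__ == "__main__":
    for label, event in [("cloudfront", FROM_CLOUDFRONT), ("postman", FROM_POSTMAN), ("wrong key", WRONG_KEY)]:
        print(label, handler(event)["statusCode"])
```

The header value is a shared secret between CloudFront and the origin, so this locks the origin down to your distribution but is not per-user authentication; anyone who learns the value can call the endpoint directly until it is rotated in both places.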