
Hello guys, I have written an AWS Lambda function which should be open to all. I have also configured my CloudFront distribution, which will be accessible to users. How can I make the API Gateway take requests only from CloudFront, or whitelist the CloudFront domain? Something like Allowed_hosts.

I should not be able to respond to any calls from Postman or any such tools. API Gateway should only respond to calls from CloudFront.

How can I do this? I don't want to have an authentication system set up like Cognito or IAM.

Is there any better method to do this?

I have looked at CORS and Access-Control-Allow-Origin. But these are browser-based.

I need a method which will accept calls only from CloudFront or my S3 bucket, not from localhost or Postman etc.

Thanks in advance.

asked Apr 18, 2018 at 10:41
  • Just to be clear: Do you mean you're hosting a static web app on S3/CloudFront that calls your API methods using JavaScript? Commented Apr 18, 2018 at 10:49
  • Yes, it's a static site. I'm making calls to my API methods using JS. Commented Apr 18, 2018 at 10:50
  • In that case requests will be coming from the client (browser), not CloudFront, since JavaScript gets executed on the client side. Hence, CORS won't work out for you and you'd probably need some sort of authentication to control access to your API Gateway. Commented Apr 18, 2018 at 11:02

2 Answers

Step 1:

Set up API keys with API Gateway.

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-setup-api-key-with-restapi.html

Step 2:

Add the API key to the CloudFront origin as a custom header.

If anyone calls the API Gateway without a valid key, it will get refused.

To set up authentication on CloudFront you can sign the URLs.

Hope it helps.

answered Apr 18, 2018 at 18:06

I do not think that there is a way to restrict calls to your API GW endpoints... However, you can use the so-called API keys. When you make a request to the specific API GW endpoint, you need to provide a header x-api-key with the corresponding API key as its value. As long as you provide the header with the correct value, you will be able to access the functionality behind your endpoint. If you do not provide a correct API key, you will simply get 403 Forbidden.

Please take a look here and if you have any questions, read through the documentation. It's quite clear.

If there is anything unclear in my answer, I am open to help!

Cheers.

answered Apr 20, 2018 at 21:25
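The setup both answers describe, as an added CloudFormation example that is not from either answer: the API Gateway method refuses requests without a valid x-api-key, the key is attached to a usage plan (a key that is not in a usage plan for the stage is still rejected), and CloudFront injects the key as an origin custom header so the browser only ever talks to the distribution. Assumed names: the RestApiId, ResourceId and LambdaArn parameters, the stage name "prod", and a Secrets Manager secret "cf-origin-api-key" holding a key of at least 20 characters.

```yaml
Parameters:
  RestApiId: { Type: String }   # assumption: id of the existing REST API
  ResourceId: { Type: String }  # assumption: the API resource to protect
  LambdaArn: { Type: String }   # assumption: ARN of the Lambda behind it
Resources:
  ApiMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestApiId
      ResourceId: !Ref ResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      ApiKeyRequired: true   # with false (the default) the execute-api URL answers anyone
      Integration:
        Type: AWS_PROXY
        IntegrationHttpMethod: POST
        Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaArn}/invocations
  ApiKey:
    Type: AWS::ApiGateway::ApiKey
    # assumption: the secret "cf-origin-api-key" holds the key value (20+ characters)
    Properties: { Enabled: true, Value: "{{resolve:secretsmanager:cf-origin-api-key}}" }
  UsagePlan:   # the key is only honoured once attached to a usage plan for the stage
    Type: AWS::ApiGateway::UsagePlan
    Properties:
      ApiStages:
        - ApiId: !Ref RestApiId
          Stage: prod   # assumption: deployed stage name
  UsagePlanKey:
    Type: AWS::ApiGateway::UsagePlanKey
    Properties:
      KeyId: !Ref ApiKey
      KeyType: API_KEY
      UsagePlanId: !Ref UsagePlan
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: api
            DomainName: !Sub ${RestApiId}.execute-api.${AWS::Region}.amazonaws.com
            OriginPath: /prod
            CustomOriginConfig: { OriginProtocolPolicy: https-only }
            OriginCustomHeaders:   # CloudFront adds the key; the browser never sees it
              - HeaderName: x-api-key
                HeaderValue: "{{resolve:secretsmanager:cf-origin-api-key}}"
        DefaultCacheBehavior:
          TargetOriginId: api
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad   # managed CachingDisabled policy
```

The static site's JavaScript must call the distribution's hostname, not the execute-api hostname, so a direct Postman call to the origin without the header gets 403 while the same path through CloudFront succeeds. AWS positions API keys as a usage-plan and throttling mechanism rather than authentication, so this hides the origin from stray callers but anyone holding the key can still call it directly; keep the key only in Secrets Manager and the origin configuration and rotate it there.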
