Amazon API Gateway
Developer Guide

Controlling Access to an API in API Gateway

API Gateway supports multiple mechanisms for controlling access to your API:

  • Resource policies let you create resource-based policies to allow or deny access to your APIs and methods from specified source IP addresses or VPC endpoints.

  • Standard AWS IAM roles and policies offer flexible and robust access controls that can be applied to an entire API or individual methods.

  • Cross-origin resource sharing (CORS) lets you control how your API responds to cross-domain resource requests.

  • Lambda authorizers are Lambda functions that control access to your API methods. They make the allow-or-deny decision from a bearer token or from request parameters such as headers, paths, query strings, stage variables, or context variables, and return an IAM policy that API Gateway enforces for the call.

  • Amazon Cognito user pools let you create customizable authentication and authorization solutions.

  • Client-side SSL certificates can be used to verify that HTTP requests to your backend system are from API Gateway.

  • Usage plans let you provide API keys to your customers — and then track and limit usage of your API stages and methods for each API key.
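
The Lambda authorizer bullet above describes the mechanism in one sentence; the function below shows what such an authorizer actually receives and must return. It is an added example, not code from this guide or from AWS. The event and response shapes are API Gateway's Lambda authorizer input and output format; everything else is an assumption for the demo: the bearer token is "<principal>.<expiry>.<hex HMAC>" minted by a hypothetical login service that shares SECRET with the function (a real deployment would verify a JWT from an identity provider instead), and make_event builds a constructed REQUEST-type event so the handler can be run offline.

```python
"""Illustrative REQUEST-type Lambda authorizer for API Gateway.

Added example, not code from the guide. Assumptions not in the page: the
bearer token is "<principal>.<expiry>.<hex hmac>" minted by a hypothetical
login service that shares SECRET with this function (a real deployment would
verify a JWT from an identity provider instead). The event and response
shapes are API Gateway's Lambda authorizer input/output format.
"""
import hashlib
import hmac
import os
import time

# Hypothetical shared secret; load it from an environment variable or Secrets Manager in practice.
SECRET = os.environ.get("AUTHZ_SECRET", "demo-secret-not-for-production").encode()


def _tag(principal, expires_at):
    return hmac.new(SECRET, f"{principal}.{expires_at}".encode(), hashlib.sha256).hexdigest()


def issue_token(principal, expires_at):
    """Mint a demo token (what the hypothetical login service would do)."""
    return f"{principal}.{expires_at}.{_tag(principal, expires_at)}"


def verify_token(token, now=None):
    """Return the principal if the tag is authentic and the token is unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    principal, expires_at, tag = parts
    # Constant-time comparison so a forger cannot learn the tag byte by byte.
    if not hmac.compare_digest(tag.encode(), _tag(principal, expires_at).encode()):
        return None
    if int(expires_at) <= now:
        return None
    return principal


def stage_wildcard(method_arn):
    """Widen arn:...:<api-id>/<stage>/<VERB>/<path> to every method in that stage.

    API Gateway caches the returned policy per identity source for the
    configured TTL; a policy naming only the first method called would make
    the cached result deny the same caller's requests to other methods.
    """
    api_part, stage, _rest = method_arn.split("/", 2)
    return f"{api_part}/{stage}/*"


def build_policy(principal_id, effect, resource, context=None):
    """Assemble the authorizer response API Gateway expects."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
            ],
        },
        # Values here reach the integration as $context.authorizer.<key>.
        "context": context or {},
    }


def lambda_handler(event, context):
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        # Raising exactly this message makes API Gateway answer 401 rather than 403.
        raise Exception("Unauthorized")
    principal = verify_token(token)
    if principal is None:
        # Explicit Deny scoped to the method that was actually requested.
        return build_policy("anonymous", "Deny", event["methodArn"])
    source_ip = event.get("requestContext", {}).get("identity", {}).get("sourceIp", "")
    return build_policy(
        principal,
        "Allow",
        stage_wildcard(event["methodArn"]),
        {"principal": principal, "source_ip": source_ip},
    )


def make_event(authorization, method_arn, source_ip="203.0.113.10"):
    """Constructed REQUEST-type authorizer event for local testing (not a captured one)."""
    return {
        "type": "REQUEST",
        "methodArn": method_arn,
        "headers": {"Authorization": authorization} if authorization else {},
        "requestContext": {"identity": {"sourceIp": source_ip}},
    }
```

Two points worth noticing when adapting this: the Allow statement is widened to the whole stage because API Gateway caches the policy per identity source, and a missing or malformed credential is signalled by raising "Unauthorized" (401) while a present but invalid token gets an explicit Deny (403), so clients can tell the two cases apart.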