Protecting API Endpoints (BP4) - AWS Best Practices for DDoS Resiliency

Typically, when you must expose an API to the public, there is a risk that the API frontend could be targeted by a DDoS attack. To help reduce the risk, you can use Amazon API Gateway as an entryway to applications running on Amazon EC2, AWS Lambda, or elsewhere. By using Amazon API Gateway, you don’t need your own servers for the API frontend and you can obfuscate other components of your application. By making it harder to detect your application’s components, you can help prevent those AWS resources from being targeted by a DDoS attack.

When you use Amazon API Gateway, you can choose from two types of API endpoints. The first, and the default, is an edge-optimized API endpoint that is accessed through an Amazon CloudFront distribution. Because API Gateway creates and manages that distribution, however, you have no control over it. The second option is a regional API endpoint, which is accessed from the same AWS Region in which your REST API is deployed. We recommend that you use the regional endpoint and associate it with your own Amazon CloudFront distribution. By doing this, you retain control over the CloudFront distribution and can use AWS WAF on it for application layer protection.

When you use Amazon CloudFront and AWS WAF with Amazon API Gateway, configure the following options:

  • Configure the cache behavior for your distribution to forward all headers to the API Gateway regional endpoint. By doing this, CloudFront treats the content as dynamic and does not cache it.

  • Protect your API Gateway against direct access by configuring the distribution to add the origin custom header x-api-key, with its value set to the API key that you configure in API Gateway.

  • Protect your backend from excess traffic by configuring standard (rate) or burst limits for each method in your REST APIs.
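The three settings above can be checked from the configuration objects that the AWS CLI returns. The audit below is an added example, not code from the whitepaper or from AWS: it assumes input shapes that follow `aws cloudfront get-distribution-config`, `aws apigateway get-method` (with a constructed `resourcePath` field added for readable output) and `aws apigateway get-usage-plan`, and the two sample inputs are constructed, not real deployments.

```python
from typing import Dict, List

def audit_bp4(dist_config: Dict, methods: List[Dict], usage_plan: Dict) -> List[str]:
    """Return one finding per BP4 item that is not met; an empty list means all pass."""
    findings = []
    # 1. Forward all headers so CloudFront treats API responses as dynamic and does not cache them.
    cb = dist_config.get("DefaultCacheBehavior", {})
    forwarded = cb.get("ForwardedValues", {}).get("Headers", {}).get("Items", [])
    if "*" not in forwarded:
        findings.append("cache behavior does not forward all headers (expected '*')")
    # 2. Every origin must inject x-api-key so API Gateway rejects callers that bypass CloudFront.
    for origin in dist_config.get("Origins", {}).get("Items", []):
        names = {h["HeaderName"].lower() for h in origin.get("CustomHeaders", {}).get("Items", [])}
        if "x-api-key" not in names:
            findings.append(f"origin {origin['Id']} does not set the x-api-key custom header")
    # The header only helps if the API methods actually require the key.
    for m in methods:
        if not m.get("apiKeyRequired", False):
            findings.append(f"{m['httpMethod']} {m['resourcePath']} does not require an API key")
    # 3. Rate and burst limits on the usage plan shield the backend from excess traffic.
    throttle = usage_plan.get("throttle", {})
    if not throttle.get("rateLimit") or not throttle.get("burstLimit"):
        findings.append("usage plan has no rate limit and/or burst limit")
    return findings

# Constructed sample inputs: one distribution/API pair before hardening, one after.
WEAK = {
    "dist": {"DefaultCacheBehavior": {"ForwardedValues": {"Headers": {"Quantity": 0, "Items": []}}},
             "Origins": {"Items": [{"Id": "apigw-regional", "CustomHeaders": {"Quantity": 0, "Items": []}}]}},
    "methods": [{"httpMethod": "POST", "resourcePath": "/orders", "apiKeyRequired": False}],
    "plan": {"throttle": {}},
}
HARDENED = {
    "dist": {"DefaultCacheBehavior": {"ForwardedValues": {"Headers": {"Quantity": 1, "Items": ["*"]}}},
             "Origins": {"Items": [{"Id": "apigw-regional", "CustomHeaders": {"Quantity": 1, "Items": [
                 {"HeaderName": "x-api-key", "HeaderValue": "<api-key-value-placeholder>"}]}}]}},
    "methods": [{"httpMethod": "POST", "resourcePath": "/orders", "apiKeyRequired": True}],
    "plan": {"throttle": {"rateLimit": 100.0, "burstLimit": 200}},
}

def audit(sample: Dict) -> List[str]:
    """Run the BP4 audit over one constructed sample (dist + methods + usage plan)."""
    return audit_bp4(sample["dist"], sample["methods"], sample["plan"])

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample) or ["ok"])
```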

To learn more about creating APIs with Amazon API Gateway, see Amazon API Gateway Getting Started.