Mitigate Distributed Denial of Service (DDoS) Attack Impacts - Security Overview of Amazon API Gateway

Mitigate Distributed Denial of Service (DDoS) Attack Impacts

Amazon API Gateway Rate Limiting

Rate limiting helps you prevent your API from being overwhelmed by too many requests. API Gateway throttles requests to your API using the token bucket algorithm, where each token represents one request and the maximum bucket size is the burst. API Gateway sets a limit on a steady-state rate and a burst of request submissions against all APIs.

There are a number of ways to implement rate limiting on your APIs. The various types of rate limits are processed in sequential order, as shown in Table 1. If any of these limits is exceeded, Amazon API Gateway blocks the request and returns a 429 Too Many Requests error response to the client. Client logic or SDKs should be configured to retry such errors, with increasing backoff intervals upon repeat failures of the same type.

Table 1 – Types of rate limits

Type of rate limit       | Applies to:                                  | Set via:                               | Enforced by default?
-------------------------|----------------------------------------------|----------------------------------------|---------------------
Per-client, per method   | API stage and specific resource/method       | Usage plan with API key                | No
Per-client               | API stage                                    | Usage plan with API key                | No
Per-method overall       | API stage and specific resource/method       | API setting on the resource/method     | No
Account-level throttling | All APIs in an account per AWS region        | AWS service quota                      | Yes

Amazon CloudFront Integration

Amazon CloudFront distributes traffic across multiple edge locations, and filters requests to help ensure that only valid requests will be forwarded to your API Gateway deployments. There are two ways to use CloudFront with API Gateway:

  • With an edge-optimized endpoint API Gateway instance, which delivers your API via a CloudFront distribution that is managed and controlled by AWS

  • With a regional endpoint API Gateway instance that you can integrate with your own self-managed CloudFront distribution

When integrating CloudFront with regional API endpoints, CloudFront supports geo-blocking, which you can use to help prevent requests from particular geographic locations from being served.

API Gateway can be configured to accept requests only from CloudFront, using one of a few approaches. This helps prevent anyone from bypassing CloudFront and accessing your API Gateway deployment directly.

Methods include:

  • Requiring an API key to be validated for requests on API Gateway, which CloudFront can insert into the x-api-key header before forwarding the request to the origin, in this case API Gateway.

  • Requiring validation of a customized header (not x-api-key) with a known valid value for requests on API Gateway. CloudFront inserts the header and value on the request. A Lambda custom request authorizer can validate the presence of the expected header and return a 403 error if it is not present.

  • Authenticating the user with AWS Lambda@Edge, then signing all requests with AWS request signing before sending the request to API Gateway. API Gateway uses AWS IAM-based authorization to validate the signature.
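The second method above, a Lambda request authorizer that checks for a custom origin-verification header inserted by CloudFront, as an added example that is not code from the AWS whitepaper. The header name x-origin-verify, the environment variable ORIGIN_VERIFY_SECRET and the sample event are assumptions constructed for this example; a Deny policy is what makes API Gateway answer with a 403.

```python
import hmac
import os

# Assumed header name; CloudFront would be configured to add it as an origin
# custom header on every request it forwards to the API Gateway origin.
ORIGIN_HEADER = "x-origin-verify"
# In a real deployment the shared secret comes from the Lambda environment (or a
# secrets store); the constructed default only lets this example run offline.
EXPECTED_SECRET = os.environ.get("ORIGIN_VERIFY_SECRET", "constructed-example-secret")


def _get_header(event, name):
    """Case-insensitive header lookup over the REQUEST authorizer event."""
    for key, value in (event.get("headers") or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def _policy(principal_id, effect, resource):
    """Build the IAM policy document API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
            ],
        },
    }


def lambda_handler(event, context=None):
    """Allow only requests carrying the secret header CloudFront inserts."""
    presented = _get_header(event, ORIGIN_HEADER)
    # Constant-time comparison so a wrong value cannot be guessed byte by byte.
    if presented is not None and hmac.compare_digest(
        presented.encode("utf-8"), EXPECTED_SECRET.encode("utf-8")
    ):
        return _policy("cloudfront", "Allow", event["methodArn"])
    # Missing or wrong header: Deny makes API Gateway return 403 to the client.
    return _policy("anonymous", "Deny", event["methodArn"])


# Constructed sample event shaped like an API Gateway REQUEST authorizer input.
SAMPLE_EVENT = {
    "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcde12345/prod/GET/items",
    "headers": {"X-Origin-Verify": "constructed-example-secret", "Host": "example.invalid"},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT)["policyDocument"]["Statement"][0]["Effect"])
```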

AWS Shield and AWS Shield Advanced

AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your website or applications. All customers benefit from AWS Shield Standard.

AWS Shield Advanced can be added to protect Amazon CloudFront distributions and Amazon Route 53 hosted zones, providing additional protections against DDoS attacks. During a DDoS attack, your instances can absorb the attack only up to the throughput of the instance. AWS Shield Advanced provides expanded DDoS attack protection for web applications running on these resources and manages mitigation of Layer 3, 4, and 7 attacks. Additionally, with the appropriate AWS support level, AWS Shield Advanced gives customers access to the AWS DDoS Response Team.