This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Protecting API endpoints (BP4)
When you must expose an API to the public, there is a risk that the API frontend could be targeted by a DDoS attack. To help reduce the risk, you can use Amazon API Gateway.
When you use Amazon API Gateway, you can choose from two types of API endpoints. The first is the default option: edge-optimized API endpoints that are accessed through an Amazon CloudFront distribution. The distribution is created and managed by API Gateway, however, so you don’t have control over it. The second option is to use a regional API endpoint that is accessed from the same AWS Region in which your REST API is deployed. AWS recommends that you use the second type of endpoint and associate it with your own Amazon CloudFront distribution. This gives you control over the Amazon CloudFront distribution and the ability to use AWS WAF for application layer protection. This mode provides you with access to scaled DDoS mitigation capacity across the AWS global edge network.
When using Amazon CloudFront and AWS WAF with Amazon API Gateway, configure the following options:
- Configure the cache behavior for your distribution to forward viewer headers to the API Gateway regional endpoint, with the exception of the Host header, which API Gateway requires to match its own execute-api hostname. Forwarding the headers makes CloudFront treat the content as dynamic and skip caching it; a cache policy that disables caching achieves the same result explicitly.
- Protect your API Gateway against direct access by configuring the distribution to add the origin custom header x-api-key, with a value that matches an API key you create in API Gateway, and by requiring an API key on each method. Requests that bypass CloudFront and arrive at the execute-api hostname without the key are then rejected. Treat the key as a shared secret rather than as authentication: anyone who learns it can bypass the distribution, so store it out of band and rotate it.
- Protect the backend from excess traffic by configuring rate and burst throttling limits for each method in your REST APIs, either in the stage method settings or per API key through a usage plan.
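The following CloudFormation template is an added example, not part of the original whitepaper, that wires up all three settings for a regional REST API behind a CloudFront distribution you own. The API and resource names, the single GET /ping method with a mock integration, the prod stage, the throttling numbers, and the NoEcho ApiKeyValue parameter are assumptions made for illustration; the two managed policy IDs are the AWS-published Managed-CachingDisabled and Managed-AllViewerExceptHostHeader policies.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Regional REST API fronted by an owned CloudFront distribution (added example)

Parameters:
  ApiKeyValue:
    Type: String
    NoEcho: true
    MinLength: 20    # API Gateway rejects key values shorter than 20 characters
    Description: Shared secret that CloudFront adds as x-api-key on every origin request (assumed parameter)

Resources:
  # Regional endpoint rather than edge-optimized, so the distribution in front is ours to control.
  RestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: protected-api            # hypothetical name
      EndpointConfiguration:
        Types: [REGIONAL]

  PingResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref RestApi
      ParentId: !GetAtt RestApi.RootResourceId
      PathPart: ping

  # ApiKeyRequired makes API Gateway reject any request that lacks a valid x-api-key,
  # which is what stops callers who go straight to the execute-api hostname.
  PingMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestApi
      ResourceId: !Ref PingResource
      HttpMethod: GET
      AuthorizationType: NONE
      ApiKeyRequired: true
      Integration:
        Type: MOCK                    # stand-in for the real backend integration
        RequestTemplates:
          application/json: '{"statusCode": 200}'
        IntegrationResponses:
          - StatusCode: '200'
            ResponseTemplates:
              application/json: '{"ok": true}'
      MethodResponses:
        - StatusCode: '200'

  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: PingMethod
    Properties:
      RestApiId: !Ref RestApi

  # Per-method rate and burst throttling on the stage protects the backend from excess traffic.
  ProdStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref RestApi
      DeploymentId: !Ref Deployment
      StageName: prod
      MethodSettings:
        - ResourcePath: /~1ping       # "/ping" with the slash encoded as ~1
          HttpMethod: GET
          ThrottlingRateLimit: 100    # steady-state requests per second (assumed)
          ThrottlingBurstLimit: 200   # token-bucket size for short spikes (assumed)

  ApiKey:
    Type: AWS::ApiGateway::ApiKey
    DependsOn: ProdStage
    Properties:
      Enabled: true
      Value: !Ref ApiKeyValue

  # A key is only honoured once it belongs to a usage plan that covers the stage;
  # the plan-level throttle also caps traffic for everything presenting this key.
  UsagePlan:
    Type: AWS::ApiGateway::UsagePlan
    Properties:
      ApiStages:
        - ApiId: !Ref RestApi
          Stage: !Ref ProdStage
      Throttle:
        RateLimit: 100
        BurstLimit: 200

  UsagePlanKey:
    Type: AWS::ApiGateway::UsagePlanKey
    Properties:
      KeyId: !Ref ApiKey
      KeyType: API_KEY
      UsagePlanId: !Ref UsagePlan

  # Our own distribution: caching disabled, viewer headers forwarded except Host
  # (API Gateway must see its own execute-api hostname), and the shared key injected
  # as an origin custom header so only traffic via CloudFront carries it.
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: api-origin
            DomainName: !Sub '${RestApi}.execute-api.${AWS::Region}.amazonaws.com'
            OriginPath: /prod
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols: [TLSv1.2]
            OriginCustomHeaders:
              - HeaderName: x-api-key
                HeaderValue: !Ref ApiKeyValue
        DefaultCacheBehavior:
          TargetOriginId: api-origin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad          # Managed-CachingDisabled
          OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac  # Managed-AllViewerExceptHostHeader
        # WebACLId: ARN of an AWS WAF web ACL with scope CLOUDFRONT (created in us-east-1)

Outputs:
  PublicUrl:
    Value: !Sub 'https://${Distribution.DomainName}/ping'
```

After deployment, a request to the PublicUrl output succeeds, while the same request sent directly to the execute-api hostname without an x-api-key header is refused by API Gateway. The AllViewerExceptHostHeader policy is used instead of forwarding every header because API Gateway rejects requests whose Host header is not its own hostname. Because the key value sits in plain text in the distribution configuration, limit who can read that configuration, and remember that the key only distinguishes CloudFront traffic from direct traffic; it is not a substitute for authenticating callers.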
For more information about creating APIs with Amazon API Gateway, refer to Amazon API Gateway.