Certificates

A security section wouldn't be complete without mentioning certificates and domains. Specifically, what options do we have for bringing our own SSL/TLS certificates and creating custom domain names? 

When you create a new API, the endpoint starts with a domain provided by AWS:

https://api-id.execute-api.region.amazonaws.com

This endpoint is also protected by a certificate issued by Amazon. When we deploy our own APIs, we want the endpoints to match our own domains—at least in production, for example, https://api.mycompany.com.

Thankfully, AWS Certificate Manager (ACM, https://aws.amazon.com/certificate-manager/) is integrated into API Gateway, so we can use our own SSL/TLS certificate. To do so, we need to create or import a certificate (PEM-encoded) into ACM.

If you're planning to create an edge-optimized API, then the certificate needs to exist in the us-east-1 region.

Once you have a certificate registered and available, head over to the API Gateway console to create your own custom domain name. Creating a new custom domain name makes changes to CloudFront distributions, so make sure you have the appropriate permissions to do so.

The following screenshot shows where to add your custom domain name and where to select the certificate hosted in ACM:

The API Gateway console showing where to create a custom domain name

Here, you get to choose between a domain name for REST or WebSocket API.

Note that you can't associate a custom domain name with both API types or use custom domain names for private endpoint types.

The drop-down field for ACM Certificate will populate with the existing certificates available for you to choose from. A key thing to note is that, after creating the domain name, you will need to update your DNS to point to the API's CloudFront distribution for edge-optimized APIs or to the API endpoint for regional APIs.
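The same steps expressed as infrastructure code, as an added CloudFormation example that is not from the book: the domain name api.mycompany.com, the REST API id, the stage name and the Route 53 hosted zone are assumed placeholders, and the certificate ARN is passed in as a parameter because an edge-optimized domain needs a certificate that already exists in us-east-1.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Custom domain for an edge-optimized REST API (added example with placeholder values)

Parameters:
  CertificateArn:
    Type: String
    Description: ARN of an ACM certificate for api.mycompany.com; must be in us-east-1 for an EDGE domain
  RestApiId:
    Type: String
    Description: Id of an existing REST API (placeholder, supplied at deploy time)
  StageName:
    Type: String
    Default: prod
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
    Description: Route 53 hosted zone for mycompany.com (assumed to exist)

Resources:
  ApiDomain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: api.mycompany.com
      CertificateArn: !Ref CertificateArn   # edge-optimized domains use CertificateArn; regional ones use RegionalCertificateArn
      EndpointConfiguration:
        Types: [EDGE]
      SecurityPolicy: TLS_1_2               # refuse TLS 1.0/1.1 clients at the edge

  ApiMapping:
    Type: AWS::ApiGateway::BasePathMapping   # binds the domain (root path) to one API stage
    Properties:
      DomainName: !Ref ApiDomain
      RestApiId: !Ref RestApiId
      Stage: !Ref StageName

  ApiDnsRecord:
    Type: AWS::Route53::RecordSet            # the DNS update the console step leaves to you
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: api.mycompany.com
      Type: A
      AliasTarget:
        # For a regional domain, use RegionalDomainName / RegionalHostedZoneId instead
        DNSName: !GetAtt ApiDomain.DistributionDomainName
        HostedZoneId: !GetAtt ApiDomain.DistributionHostedZoneId
```

After deployment, `openssl s_client -connect api.mycompany.com:443 -servername api.mycompany.com` should present the ACM-issued certificate rather than the default *.execute-api certificate.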

API Gateway also can generate and use client-side SSL certificates for mutual authentication. This is a more advanced topic that you can read about in the AWS documentation; see the link in the Further reading section.

That concludes our topic about securing APIs, where we went through the standard options supported by API Gateway. We should now better understand how easy it is to make an API more secure and get started building these into our solutions. Moving on to the next section, we will learn how to build and deploy APIs.
