A security section wouldn't be complete without mentioning certificates and domains. Specifically, what options do we have for bringing our own SSL/TLS certificates and creating custom domain names?
When you create a new API, the endpoint starts with a domain provided by AWS:
https://api-id.execute-api.region.amazonaws.com
This endpoint is also protected by a certificate issued by Amazon. When we deploy our own APIs, we want the endpoints to match our own domains, at least in production, for example https://api.mycompany.com.
Thankfully, AWS Certificate Manager (ACM, https://aws.amazon.com/certificate-manager/) is integrated into API Gateway, so we can use our own SSL/TLS certificate. To do so, we need to either request a certificate from ACM or import an existing one (PEM-encoded) into ACM.
Once a certificate is registered and available, we can head over to the API Gateway console to create our own custom domain name. Creating a new custom domain name makes changes to CloudFront distributions, so make sure you have the appropriate permissions to do so.
The following screenshot shows where to add your custom domain name and where to select the certificate hosted in ACM:
Here, you get to choose between a domain name for a REST or a WebSocket API.
The drop-down field for ACM Certificate will populate with the existing certificates available for you to choose from. A key thing to note is that, after creating the domain name, you will need to update your DNS to point to the API's CloudFront distribution for edge-optimized APIs, or to the API's regional endpoint for regional APIs.
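The three steps above (a certificate in ACM, a custom domain name in API Gateway, and a DNS record pointing at the endpoint API Gateway created) can be expressed as a single CloudFormation template rather than clicked through in the console. The following template is an added example, not code from the book; it assumes an already deployed REST API (passed in as `RestApiId` and `StageName`), a public Route 53 hosted zone for the parent domain, and the placeholder domain `api.example.com`. It builds a regional domain; the comments note what changes for an edge-optimized one.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: a regional custom domain for an existing REST API, with an
  ACM certificate validated over DNS and a Route 53 alias record.

Parameters:
  ApiDomainName:
    Type: String
    Default: api.example.com          # placeholder domain, assumed for the example
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id  # public hosted zone for example.com (assumed)
  RestApiId:
    Type: String                      # id of the API already deployed (assumed)
  StageName:
    Type: String
    Default: prod

Resources:
  # 1. Certificate in ACM. ValidationMethod DNS plus DomainValidationOptions lets
  #    CloudFormation create the validation CNAME in the hosted zone and wait for
  #    issuance. A REGIONAL domain uses a certificate in the API's own region;
  #    an EDGE domain needs one issued in us-east-1 instead.
  ApiCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref ApiDomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref ApiDomainName
          HostedZoneId: !Ref HostedZoneId

  # 2. The custom domain name. SecurityPolicy TLS_1_2 refuses TLS 1.0/1.1 clients.
  #    For an EDGE domain use CertificateArn and Types: [EDGE] instead.
  ApiDomain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: !Ref ApiDomainName
      RegionalCertificateArn: !Ref ApiCertificate
      EndpointConfiguration:
        Types: [REGIONAL]
      SecurityPolicy: TLS_1_2

  # 3. Map the domain to the deployed stage. Omitting BasePath serves the API
  #    at https://api.example.com/ rather than under a path prefix.
  ApiMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref ApiDomain
      RestApiId: !Ref RestApiId
      Stage: !Ref StageName

  # 4. The DNS step from the text: an alias A record pointing at the regional
  #    endpoint API Gateway created. For an EDGE domain, alias to
  #    DistributionDomainName / DistributionHostedZoneId instead.
  ApiAliasRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref ApiDomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt ApiDomain.RegionalDomainName
        HostedZoneId: !GetAtt ApiDomain.RegionalHostedZoneId
        EvaluateTargetHealth: false

Outputs:
  InvokeUrl:
    Value: !Sub "https://${ApiDomainName}/"
```

After the stack reaches CREATE_COMPLETE and DNS has propagated, `openssl s_client -connect api.example.com:443 -servername api.example.com` should show a certificate chain for your domain rather than the amazonaws.com default, and adding `-tls1_1` to the same command should fail the handshake, confirming the TLS_1_2 policy is in effect. Until the alias record exists, the API remains reachable only at the api-id.execute-api address.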
API Gateway can also generate and use client-side SSL certificates for mutual authentication. This is a more advanced topic that you can read about in the AWS documentation; see the link in the Further reading section.
That concludes our topic about securing APIs, where we went through the standard options supported by API Gateway. We should now better understand how easy it is to make an API more secure and get started building these into our solutions. Moving on to the next section, we will learn how to build and deploy APIs.