IAM permissions and policies

The first option to cover is the IAM authentication method for securing APIs. To clarify, there are two main ways to use IAM:

  • The first is to provide administrative access to create, update, maintain, and delete APIs.
  • The second is to control which entities can invoke or execute an existing API—this is the component that this section is focused on.

The benefit of using IAM for access control is that it centralizes our authentication and authorization concerns to a single service. Those of us who have been using AWS for a while will also be very familiar with the IAM service as it is integrated with almost everything. Changes we make to roles or policies can also be made without redeploying any API code, and the changes are instant without causing outages. This also gives us the ability to quickly disable any roles or issued credentials during a security incident. The downside of using IAM is that each of your clients will need an IAM user or role. This isn't so bad for internal clients or services, but it isn't suitable for securing web-based APIs.

To enable a client to make a successful request to an API, there must be an IAM policy attached to an entity that permits such an action. The action to allow is called execute-api:Invoke. Each API method also needs to be created or deployed with its authorization type set to AWS_IAM.

The following JSON shows the format of a policy document with some allowed permissions included:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:${region}:${account-id}:${api-id}/${stage}/${METHOD_HTTP_VERB}/${resource-path}"
            ]
        }
    ]
}

In the preceding policy document, you can clearly see that we can be very specific about the API Gateway methods the user is allowed to invoke, right down to the path level. You can also specify the HTTP method, which gives you the flexibility to grant access to the POST method and deny access to the DELETE method for a particular path, for example.
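To make the evaluation concrete, here is an added example (not from the book) of a small, simplified IAM evaluator applied to a policy in the format shown above: it builds the execute-api ARN API Gateway checks for a request and applies the explicit-deny-wins, then-allow, else-implicit-deny rule. The region, account ID, API ID and paths are constructed placeholders, and Conditions, NotAction and other IAM features are deliberately left out.

```python
import fnmatch
import json

# Constructed sample policy in the page's format (placeholder account and API ids).
# Statement 1 allows any method on /orders and GET on anything under /orders/.
# Statement 2 explicitly denies every DELETE in the prod stage.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["execute-api:Invoke"],
      "Resource": [
        "arn:aws:execute-api:eu-west-1:123456789012:abcd1234/prod/*/orders",
        "arn:aws:execute-api:eu-west-1:123456789012:abcd1234/prod/GET/orders/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": ["execute-api:Invoke"],
      "Resource": ["arn:aws:execute-api:eu-west-1:123456789012:abcd1234/prod/DELETE/*"]
    }
  ]
}
""")


def invoke_arn(region, account, api_id, stage, method, path):
    """Build the execute-api ARN that API Gateway evaluates for one request."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{path.lstrip('/')}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """Simplified IAM logic: an explicit Deny wins, then any Allow, else implicit deny.
    IAM wildcards are '*' and '?', which fnmatch also understands ('*' spans '/')."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny overrides every Allow
        allowed = True
    return allowed


def can_invoke(method, path, stage="prod"):
    """Convenience wrapper for the constructed API above."""
    arn = invoke_arn("eu-west-1", "123456789012", "abcd1234", stage, method, path)
    return is_allowed(POLICY, "execute-api:Invoke", arn)
```

Note that a PUT to /orders/42 is refused without any Deny statement: anything the policy does not grant is implicitly denied, which is what makes the per-method, per-path resource ARN a least-privilege tool.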

When an IAM user is created, you can also generate security keys—namely, an access key and a secret access key. Now, to invoke an API Gateway method using your newly minted IAM credentials, you will need to sign the request using SigV4 (AWS Signature Version 4). The process for signing the request is quite complex, so I recommend that you use the AWS SDKs or another library in your chosen language to do the job for you instead of rolling your own.

We've just learned how we can secure an API using the IAM method. Implementing authentication is made simpler with the help of Amazon Cognito, which we will cover next.
