Protect AWS API Gateway Endpoints using API Keys

Zeeshan Baig
Sep 2, 2018 · 4 min read

AWS API Gateway offers several ways to protect API endpoints. Most recently, AWS announced Private Endpoints, which are accessible only from within a VPC. In addition, you can protect APIs using the following methods:

  1. Custom Authorizers
  2. API Keys
  3. Client Certificates
  4. Or a combination of these

In this post, we will cover only the API keys method. With API keys you can also create Usage Plans, which let you enable throttling and quotas on your APIs.

Example

Before API key protection is enabled, you can call the API from a browser or Postman.

Create API Keys

  1. Log in to AWS Console and AWS API Gateway
  2. Click on API Keys then from the Actions drop-down list select Create API key
  3. Enter required API key name and description

Enable API Key on Method

Click on the API, then Resources, and click on the method on which you want to enable API keys; in our case it is the hello/Get method.

Click Method Request and select true from the API Key Required drop-down list

Create Usage Plan

Click on Usage Plan in AWS API Gateway Console then click Create

Enter Name of the plan, Throttling, and Quota info as per your requirement.

Practical Tip: You can create multiple usage plans and assign them to different APIs; the plan is enforced based on the API key. For example, you can have different membership levels such as Free, Basic and Pro plans and limit the quota and throttling accordingly.

Associate API stages with the plan: select the API and the Stage as needed; in our case it is my-api with the test stage.

Next, associate API keys with the plan: enter your API key name in the list (in our case my-api-key), then click Done.

Deploy the API

Click on the API then Resource, select Deploy API from the Actions drop-down, then select the stage you want to deploy

Testing the API

We have to pass the API key for this to work. Copy the API key from API Keys in the API Gateway Console.

Pass the API key value in the request headers using the x-api-key header.
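
To check the whole setup rather than one request at a time, the following added example (not part of the original post) audits the three things configured above: API Key Required on each method, a usage plan covering the stage, and throttling and quota on that plan. It assumes JSON shaped like the output of `aws apigateway get-resources --embed methods` and `aws apigateway get-usage-plans`; the API id, the /status resource and the plan values are constructed sample data.

```python
"""Audit an API Gateway REST API for the API-key setup described in this post."""

# Constructed sample data, shaped like the output of
#   aws apigateway get-resources --rest-api-id <id> --embed methods
#   aws apigateway get-usage-plans
# (without --embed methods the per-method settings are not included).
# The API id "a1b2c3d4e5" is a placeholder; /hello and the test stage follow the post.
SAMPLE_RESOURCES = {"items": [
    {"path": "/hello", "resourceMethods": {
        "GET": {"apiKeyRequired": True, "authorizationType": "NONE"}}},
    {"path": "/status", "resourceMethods": {
        "GET": {"apiKeyRequired": False, "authorizationType": "NONE"}}},
]}
SAMPLE_PLANS = {"items": [
    {"name": "Basic", "apiStages": [{"apiId": "a1b2c3d4e5", "stage": "test"}],
     "throttle": {"rateLimit": 10.0, "burstLimit": 20}},  # no "quota" set
]}


def audit(api_id, stage, resources, plans):
    """Return a sorted list of (check, subject) findings."""
    findings = []
    for res in resources.get("items", []):
        for verb, method in res.get("resourceMethods", {}).items():
            subject = f"{verb} {res['path']}"
            if not method.get("apiKeyRequired", False):
                # Callable without x-api-key, so no usage plan applies to it.
                findings.append(("key-not-required", subject))
            elif method.get("authorizationType", "NONE") == "NONE":
                # The key is the only gate: no authorizer or IAM auth on the method.
                findings.append(("key-is-only-control", subject))
    covering = [p for p in plans.get("items", [])
                if any(s.get("apiId") == api_id and s.get("stage") == stage
                       for s in p.get("apiStages", []))]
    if not covering:
        # Keys are only accepted through a plan that includes this stage.
        findings.append(("stage-not-in-usage-plan", f"{api_id}/{stage}"))
    for plan in covering:
        for setting in ("throttle", "quota"):
            if not plan.get(setting):
                findings.append((f"plan-missing-{setting}", plan["name"]))
    return sorted(findings)


if __name__ == "__main__":
    for check, subject in audit("a1b2c3d4e5", "test", SAMPLE_RESOURCES, SAMPLE_PLANS):
        print(f"{check:26} {subject}")
```

To run it against a real API, load the two JSON outputs with `json.load` and pass them to `audit()` with your API id and stage name.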

Hope you like this post, please leave a comment and let us know what topics you want us to cover.

Cheers,

Zeeshan Baig

@IamZeeshanBaig

About DataNext

Originally published at datanextsolutions.com on September 2, 2018.

DataNext Solutions

Cloud | Security | DevOps | Big Data

Zeeshan Baig

Written by

Cloud Security Expert & CEO of DataNext Solutions, helping people every day with the latest tech. Connect @LinkedIn http://bit.ly/zb-linkedin

DataNext Solutions

DataNext Solutions is a US based system integrator, specialized in Cloud, Big Data, DevOps technologies. As a registered AWS partner, our services comprise any Cloud Migration, Cost optimization, Integration, Security and Managed Services.
