
How does Amazon API Gateway secure API calls?

Our enterprise is concerned about our approach to APIs, including API throttling and DoS attacks. How does Amazon API Gateway mitigate API security risks?

An API offers a straightforward way to integrate different pieces of software. APIs have emerged as an important feature of public cloud providers, allowing third-party software developers to interact with or control the provider's services programmatically, rather than through the manual Web-based interface.

Security is a crucial part of API use. Without a way to authenticate access, a provider like Amazon Web Services (AWS) cannot tell which account a call comes from, so it can neither authorize the request nor attribute it for billing. Worse, unauthorized or counterfeit calls consume the provider's compute capacity, and a denial-of-service (DoS) attack can flood a service with requests until it can no longer handle legitimate calls, effectively shutting it down. Such vulnerabilities are an ever-present concern for public cloud providers, for third-party services running in the public cloud, and for businesses that use APIs to integrate software with those services.

With very few exceptions, AWS requires that requests to its own service APIs be signed, and the same mechanism is available for APIs hosted on Amazon API Gateway. Signing does not add keys to the call. The client computes an HMAC-SHA256 signature over a canonical form of the request (method, path, query string, selected headers and a hash of the body) using a key derived from its secret access key, and sends its access key ID, the credential scope and the resulting signature in the Authorization header. The secret itself never leaves the client, and because the request timestamp is part of what is signed, AWS can reject requests whose timestamp is too far from the current time rather than accept a replayed one indefinitely. AWS recomputes the signature with the secret that belongs to that access key ID to authenticate the caller, then applies IAM policy to authorize the call. Amazon API Gateway supports this signing with AWS Signature Version 4 as an option that is enabled per method. It is strongly encouraged as a best practice, and the client software development kit that API Gateway generates handles the signing. API Gateway also supports alternatives: a method can be left without gateway-level authorization and pass bearer credentials such as OAuth tokens straight through to the back-end workload, which must then validate them itself. Note that the API keys API Gateway issues identify a client application for metering and control; they are not a substitute for authenticating the caller.
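The signing scheme described above, as an added example that is not part of the original article and not AWS's SDK code: a minimal SigV4-style signer and the matching server-side check. It assumes a simplified canonicalization (single-valued headers, only host and x-amz-date signed, no x-amz-content-sha256 header); the access key ID, secret, endpoint and timestamp are constructed for illustration and are not real credentials.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_CLOCK_SKEW = datetime.timedelta(minutes=15)  # requests stamped further from "now" are refused

def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def derive_signing_key(secret_key, date_stamp, region, service):
    """Chain of HMACs; the secret is used only as the root of this chain, never on the wire."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")

def canonical_request(method, path, query, headers, body):
    """Canonical form: method, encoded path, sorted query, sorted lowercase headers, body hash."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    payload_hash = hashlib.sha256(body).hexdigest()
    request = "\n".join([method.upper(), quote(path, safe="/-_.~"), canonical_query,
                         canonical_headers, signed_headers, payload_hash])
    return request, signed_headers

def compute_signature(secret_key, amz_date, region, service, canonical):
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(canonical.encode("utf-8")).hexdigest()])
    key = derive_signing_key(secret_key, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

def sign_request(access_key_id, secret_key, region, service, method, host, path, query, body, amz_date):
    """Client side: returns the headers to send; only host and x-amz-date are covered (assumption)."""
    headers = {"host": host, "x-amz-date": amz_date}
    canonical, signed = canonical_request(method, path, query, headers, body)
    signature = compute_signature(secret_key, amz_date, region, service, canonical)
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers

def verify_request(credentials, region, service, method, path, query, headers, body, now):
    """Server side: look up the secret by access key ID, recompute, compare in constant time."""
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    try:
        parts = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
        stamp = datetime.datetime.strptime(headers.get("x-amz-date", ""), "%Y%m%dT%H%M%SZ")
    except ValueError:  # malformed header or timestamp
        return False
    if abs(now - stamp.replace(tzinfo=datetime.timezone.utc)) > MAX_CLOCK_SKEW:
        return False  # stale or future-dated: a captured request cannot be replayed later
    amz_date = headers["x-amz-date"]
    cred = parts.get("Credential", "").split("/")
    if len(cred) != 5 or cred[1:] != [amz_date[:8], region, service, "aws4_request"]:
        return False
    secret = credentials.get(cred[0])
    if secret is None:
        return False  # unknown access key ID
    names = parts.get("SignedHeaders", "").split(";")
    if "host" not in names or "x-amz-date" not in names or any(n not in headers for n in names):
        return False
    canonical, _ = canonical_request(method, path, query, {n: headers[n] for n in names}, body)
    expected = compute_signature(secret, amz_date, region, service, canonical)
    return hmac.compare_digest(expected, parts.get("Signature", ""))

def run_demo():
    """Sign a constructed GET, then verify it genuine, tampered, stale and with an unknown key."""
    creds = {"AKIAEXAMPLEKEYID": "constructed-secret-not-a-real-key"}  # constructed credentials
    region, service = "us-east-1", "execute-api"
    host, path, query, body = "abc123.execute-api.us-east-1.amazonaws.com", "/prod/orders", {"limit": "10"}, b""
    amz_date = "20150901T120000Z"
    headers = sign_request("AKIAEXAMPLEKEYID", creds["AKIAEXAMPLEKEYID"], region, service,
                           "GET", host, path, query, body, amz_date)
    now = datetime.datetime(2015, 9, 1, 12, 0, 30, tzinfo=datetime.timezone.utc)
    args = (creds, region, service, "GET", path)
    return {
        "authorization": headers["authorization"],
        "genuine_ok": verify_request(*args, query, headers, body, now),
        "tampered_query_rejected": not verify_request(*args, {"limit": "1000"}, headers, body, now),
        "tampered_body_rejected": not verify_request(*args, query, headers, b"x", now),
        "stale_rejected": not verify_request(*args, query, headers, body, now + datetime.timedelta(minutes=20)),
        "unknown_key_rejected": not verify_request({}, region, service, "GET", path, query, headers, body, now),
        "secret_not_on_wire": "constructed-secret" not in headers["authorization"],
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point to take from the verifier is that the server never receives the secret; it needs its own copy, keyed by access key ID, and recomputes everything from the request it actually received, so any change to the path, query, signed headers or body after signing fails the comparison.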

Other key parts of security include monitoring, reporting and auditing. Amazon CloudWatch collects metrics for each deployed API, such as request counts, latency and 4XX/5XX error rates per stage and method, and can also receive the API's execution logs, allowing administrators to identify errant or abusive use. AWS CloudTrail complements this with a full history of changes to the APIs themselves: every call to create, edit, deploy or delete an API in the user's AWS account is recorded along with the identity and source address of the caller. Note the split: CloudTrail records the management calls that change an API, not the end-user requests the deployed API serves; those show up in CloudWatch.
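As an added example of the auditing side (not part of the original article and not an AWS tool), the detection below runs over a few constructed CloudTrail records in CloudTrail's record layout and flags API Gateway control-plane changes made by a principal outside an allow-list. The sample records, account number, ARNs, IP addresses and the list of verb prefixes treated as "mutating" are assumptions for illustration.

```python
import json

# Constructed CloudTrail records (not real AWS output): three API Gateway control-plane
# calls and one unrelated EC2 call, in the field layout CloudTrail uses.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-09-01T10:05:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "GetRestApis", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2015-09-01T10:06:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "CreateDeployment", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci"}},
    {"eventTime": "2015-09-01T23:41:00Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "DeleteRestApi", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2015-09-01T23:42:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
]})

# Assumed set of verb prefixes that change an API; API Gateway's control-plane
# operation names are verb-first (CreateRestApi, PutMethod, UpdateStage, DeleteRestApi...).
MUTATING_PREFIXES = ("Create", "Update", "Delete", "Put", "Import")

# Principals allowed to change APIs (assumption: a CI deploy role only).
EXPECTED_PRINCIPALS = {"arn:aws:sts::123456789012:assumed-role/DeployRole/ci"}

def is_api_change(record):
    """True for a CloudTrail record that creates, edits, deploys or deletes an API."""
    return (record.get("eventSource") == "apigateway.amazonaws.com"
            and record.get("eventName", "").startswith(MUTATING_PREFIXES))

def audit_api_changes(trail_json, expected_principals):
    """Return one finding per API change, marking actors outside the allow-list."""
    findings = []
    for record in json.loads(trail_json).get("Records", []):
        if not is_api_change(record):
            continue  # read-only calls and other services are not interesting here
        actor = record.get("userIdentity", {}).get("arn", "unknown")
        findings.append({
            "time": record.get("eventTime"),
            "actor": actor,
            "action": record.get("eventName"),
            "source_ip": record.get("sourceIPAddress"),
            "unexpected_actor": actor not in expected_principals,
        })
    return findings

def unexpected_changes(trail_json, expected_principals):
    """The subset of findings worth paging on: API changes by someone not expected to make them."""
    return [f for f in audit_api_changes(trail_json, expected_principals) if f["unexpected_actor"]]

if __name__ == "__main__":
    for finding in unexpected_changes(SAMPLE_TRAIL, EXPECTED_PRINCIPALS):
        print(f"{finding['time']} {finding['action']} by {finding['actor']} from {finding['source_ip']}")
```

On real data the records come from the CloudTrail log files delivered to S3 (or from a CloudWatch Logs subscription) rather than an inline string; the filter logic is the same.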

As another layer of protection, Amazon API Gateway throttles traffic. The owner of an API can configure a steady-state rate limit and a burst limit on the number of requests handled per second, and requests beyond those limits are rejected with an HTTP 429 (Too Many Requests) response instead of being forwarded to the back end. Because API owners pay per call and back-end capacity is finite, this both caps the cost of a flood of requests and keeps back-end services running in the public cloud at acceptable performance for legitimate users as demand fluctuates. Throttling protects the back end and the bill; it is not by itself a defense against a distributed attack, since rejected requests still reach the gateway. Set the limits from measured back-end capacity and pair them with authentication so that an abusive caller can be identified and cut off rather than merely slowed.
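To make the rate-plus-burst semantics concrete, here is an added example (not part of the original article and not API Gateway's implementation) of the usual way such limits are enforced: a token bucket per API key that refills at the steady rate and holds at most the burst size. The clock is passed in as integer milliseconds so the behaviour is deterministic; the key names and limits are assumptions.

```python
class TokenBucket:
    """Refills at `rate` tokens per second up to `burst`; each request spends one token."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)  # a fresh bucket allows a full burst immediately
        self.last_ms = None

    def try_acquire(self, now_ms):
        # Credit tokens for elapsed time, capped at the burst size; ignore a clock that runs backwards.
        if self.last_ms is not None and now_ms > self.last_ms:
            self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate / 1000.0)
        self.last_ms = now_ms if self.last_ms is None else max(self.last_ms, now_ms)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Throttler:
    """Maps API keys to buckets; keys without their own plan get the stage-level default."""

    def __init__(self, default_rate, default_burst):
        self.default = (default_rate, default_burst)
        self.plans = {}
        self.buckets = {}

    def set_plan(self, api_key, rate, burst):
        self.plans[api_key] = (rate, burst)

    def handle(self, api_key, now_ms):
        """Return the HTTP status a gateway would answer with: 200 forwarded, 429 throttled."""
        bucket = self.buckets.get(api_key)
        if bucket is None:
            rate, burst = self.plans.get(api_key, self.default)
            bucket = self.buckets[api_key] = TokenBucket(rate, burst)
        return 200 if bucket.try_acquire(now_ms) else 429


def simulate(throttler, api_key, timestamps_ms):
    """Statuses for a sequence of requests from one key at the given times."""
    return [throttler.handle(api_key, t) for t in timestamps_ms]


if __name__ == "__main__":
    # Assumed stage default: 10 requests/s steady, burst of 20. A flood of 25 at t=0
    # gets 20 through and 5 rejected; half a second later only 5 more tokens exist.
    gw = Throttler(default_rate=10, default_burst=20)
    print(simulate(gw, "key-flood", [0] * 25))
    print(simulate(gw, "key-flood", [500] * 6))
```

Each key has its own bucket, so one client exhausting its burst does not affect another, which is the property that lets the limits protect the back end without punishing well-behaved callers.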


This was last published in September 2015
