
How does Amazon API Gateway secure API calls?

Our enterprise is concerned about our approach to APIs, including API throttling and DoS attacks. How does Amazon API Gateway mitigate API security risks?

An API offers a straightforward way to integrate different pieces of software. APIs have emerged as an important feature of public cloud providers, allowing third-party software developers to interact with or control the provider's services programmatically, rather than through the manual Web-based interface.

Security is a crucial part of API use. Without a way to authenticate access, a provider like Amazon Web Services (AWS) cannot verify secure API calls or attribute service access for billing purposes. Worse yet, unauthorized or counterfeit calls can consume the service provider's API compute power. Sometimes a denial-of-service (DoS) attack will flood the service and overwhelm its ability to handle legitimate calls, effectively shutting it down. Security vulnerabilities are an ever-present concern for public cloud providers, for third-party services running in the public cloud and for businesses using APIs to integrate software with services.

With very few exceptions, AWS requires that requests be signed, which helps to secure API calls. Signing attaches to each call a signature computed with the caller's access keys, and those keys are coupled to a user or account; AWS checks these details to authenticate the user making the API call. Amazon API Gateway also supports optional call signing using AWS Signature Version 4. While signing is optional with Amazon API Gateway, it is strongly encouraged as a best practice, and the API Gateway software development kit handles the signing for the client. Amazon API Gateway also supports alternative authentication methods, such as passing OAuth tokens directly to the running workloads for authentication.
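The signing step described above, as an added example that is not AWS's own SDK code: it builds the Signature Version 4 Authorization header for a constructed API Gateway request, then performs the server-side recomputation that rejects a tampered or forged call. The host name, key ID, secret, region and timestamp are constructed placeholders, and only the standard library is used.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _canonical_request(method, path, query, headers, body):
    # SigV4 canonical form: header names lowercased and sorted, values trimmed; query sorted and URI-encoded.
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(lower)
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    canon = "\n".join([method, quote(path, safe="/-_.~"), canon_query, "".join(f"{n}:{lower[n]}\n" for n in names),
                       ";".join(names), hashlib.sha256(body).hexdigest()])
    return canon, ";".join(names)

def _signature(secret_key, region, service, amz_date, canonical_request):
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)  # signing key is derived per day/region/service,
    for part in (region, service, "aws4_request"):             # so the long-term secret never goes on the wire
        key = _hmac(key, part)
    return scope, hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def sign_request(method, host, path, query, body, access_key, secret_key, region, amz_date, service="execute-api"):
    """Client side: return the headers to send, including the SigV4 Authorization header."""
    headers = {"host": host, "x-amz-date": amz_date}
    canon, signed_headers = _canonical_request(method, path, query, headers, body)
    scope, sig = _signature(secret_key, region, service, amz_date, canon)
    headers["authorization"] = f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, SignedHeaders={signed_headers}, Signature={sig}"
    return headers

def verify_request(method, path, query, headers, body, secret_lookup):
    """Server side: recompute the signature over the received request (header names lowercased) and compare."""
    try:
        scheme, _, params = headers["authorization"].partition(" ")
        if scheme != "AWS4-HMAC-SHA256":
            return False
        fields = dict(p.strip().split("=", 1) for p in params.split(","))
        access_key, date_stamp, region, service, _ = fields["Credential"].split("/")
        signed = {h: headers[h] for h in fields["SignedHeaders"].split(";")}  # KeyError if a signed header is missing
        secret_key = secret_lookup(access_key)
    except (KeyError, ValueError):
        return False  # malformed or incomplete Authorization header
    if secret_key is None or {"host", "x-amz-date"} - set(signed) or signed["x-amz-date"][:8] != date_stamp:
        return False
    canon, _ = _canonical_request(method, path, query, signed, body)
    _, expected = _signature(secret_key, region, service, signed["x-amz-date"], canon)
    return hmac.compare_digest(expected, fields["Signature"])  # constant-time comparison
```

Any change to the method, path, query, signed headers or body after signing changes the canonical request hash, so the recomputed signature no longer matches and the call is rejected.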

Other key parts of security include monitoring, reporting and auditing. Monitoring services such as Amazon CloudWatch can log the calls made with each API key, allowing administrators to identify errant or abusive API use. At the same time, AWS CloudTrail provides a full history of API changes, so administrators can track all calls to create, edit, deploy or delete APIs in the user's AWS account.

As another layer of protection, Amazon API Gateway handles API throttling, allowing users who create new APIs to configure standard-rate and burst-rate limits on the number of calls handled per second. Since API creators pay per call, this helps to control the cost of API requests, and it helps to ensure that back-end services running in the public cloud maintain acceptable levels of performance for users as API call demand fluctuates.
