8

I am creating a publicly available API using API Gateway which is backed with lambda functions to do some processing. I have secured it with a custom security header that implements hmac authentication with timestamp to protect against replay attacks. I understand that API Gateway protects against DDOS attacks through its high availability, but any invalid requests will still be passed to the lambda authentication function. So, I guess an attacker can submit invalid unauthenticated requests resulting in high costs. It will take a considerable number of requests to cause damage but it is still very doable. What is the best way to protect against that ? Thank you

user7400346
  • 799
  • 1
  • 8
  • 15
  • just saw this http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-pricing.html does this mean that non authorized requests triggered by lambda authorizer are not charged? – user7400346 Jun 21 '17 at 23:34

2 Answers2

5

To prevent DDoS and higher rate of access, you can setup WAF. Have a look at this link, to get a deeper understanding how to setup WAF with API Gateway.

Ashan
  • 18,898
  • 4
  • 47
  • 67
3

API Gateway will not charge you for unauthenticated requests, however you would be charged by Lambda for the invocation on the authorizer.

API Gateway offers a semi-useful mitigation to this problem in the form of the 'identity validation expression' on the Authorizer, which is just a regex that is matched against the incoming identity source header.

Besides that, you might want to just implement some kind of negative cache or validation yourself in the Authorizer function to minimize the billed milliseconds.

jackko
  • 6,998
  • 26
  • 38
  • 1
    Thank you Jack, I will try those options but please correct me if i am wrong since i feel like this only partially solves the problem. Is there any way to completely protect against an automated attack that generates random (and invalid) auth tokens and floods the API gateway with them resulting in high charge cost to the organization? Do you think a script that randomize the token can defeat those solutions? – user7400346 Jun 28 '17 at 00:18
  • my challenge is that customer enroll through a portal where security creds are assigned dynamically. Maybe create API keys on the fly as a first line of defense using amazon sdk? Does amazon charge for failed API keys? – user7400346 Jun 28 '17 at 00:31
  • No charge for failed API Keys – jackko Jun 29 '17 at 00:19