29

Recently I have been working with AWS API Gateway, where I created an API and protected it with an API key and Cognito (OAuth).

One day I found that my API had been accessed 10K times; the requests failed because the attacker didn't have access to it.

My question is: does Amazon charge for such unauthorized API calls? If they charge, then how do I protect it? As I understand it, even if I put WAF in front of it my API URL will still be exposed....

Any help is appreciated...

Asdfg
Lalit Kumar

2 Answers

13

If you protect your endpoint with one of the following authorization types: AWS_IAM, CUSTOM, or COGNITO_USER_POOLS, you will not be charged by API Gateway for failed requests. Please reference the Pricing Documentation. Also reference Secure AWS API Gateway with Lambda Integration.

KiteCoder

10

What you are describing is a type of DDoS attack.

This is what you need to do to protect your API Gateway endpoint from a DDoS attack.

1) Create your API
2) Set up a CloudFront distribution for your API
3) Front your CloudFront distribution with AWS WAF.
4) Create an ACL rule and set the requester limit to what you deem appropriate.
5) Test.

You still need to use AWS_IAM or Cognito to do the authorization part.

Here is the document that details the steps:

https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-i/

Asdfg
  • Thanks a lot, but after doing the steps you mentioned, will my API endpoint not be accessible? If it is still accessible then someone can still attack, right? Regards, – Lalit Kumar Jul 23 '18 at 03:26
  • It will be, but instead of someone hitting it 10k times, you can set the rate limit to 1k and WAF will block it once that limit is reached. – Asdfg Jul 23 '18 at 15:01
  • How does a rate limit help if 1000 IPs are hitting it at a rate of only 100 each? That's what a DDoS looks like, right? – TheClassic Jun 14 '19 at 19:06
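As an added illustration (not code from either answer or from the linked AWS post), the Python below models the per-source-IP rate-based rule from step 4 as a trailing five-minute window and runs it over two constructed request logs: the single source making 10k requests that the question describes, and the case TheClassic raises of 1000 sources each sending 100 requests. It also builds the rule object in the shape the WAFv2 API expects for a CloudFront-scoped web ACL, without calling AWS. The window length, the limit of 1000, the source addresses and the rule name are assumptions made here; the simulation is a simplification of how WAF actually counts and unblocks.

```python
"""Toy model of a per-IP rate-based rule and the two traffic shapes in this thread.
Added illustration; the window and blocking semantics approximate AWS WAF."""
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # assumption: WAF rate-based rules look at a trailing 5-minute window
RATE_LIMIT = 1000     # assumption: the "1k" limit mentioned in the comments


def apply_rate_rule(requests, limit=RATE_LIMIT, window=WINDOW_SECONDS):
    """requests: iterable of (timestamp_seconds, source_ip).
    A request is blocked when its source already has `limit` requests
    inside the trailing window. Returns allowed/blocked counts and blocked IPs."""
    recent = defaultdict(deque)  # source_ip -> timestamps still inside the window
    allowed = blocked = 0
    blocked_ips = set()
    for ts, ip in sorted(requests):
        q = recent[ip]
        while q and ts - q[0] >= window:  # drop timestamps that fell out of the window
            q.popleft()
        q.append(ts)
        if len(q) > limit:
            blocked += 1
            blocked_ips.add(ip)
        else:
            allowed += 1
    return {"allowed": allowed, "blocked": blocked, "blocked_ips": blocked_ips}


def single_source(total=10_000, duration=WINDOW_SECONDS):
    """Constructed log: one source (documentation address) spreading `total`
    requests evenly over `duration` seconds, like the 10K hits in the question."""
    return [(i * duration / total, "198.51.100.7") for i in range(total)]


def distributed(sources=1000, per_source=100, duration=WINDOW_SECONDS):
    """Constructed log: `sources` distinct addresses, each sending `per_source`
    requests over `duration` seconds (TheClassic's scenario)."""
    return [
        (j * duration / per_source, f"203.0.113.0/src-{i}")  # constructed labels, not real IPs
        for i in range(sources)
        for j in range(per_source)
    ]


def rate_rule_statement(limit=RATE_LIMIT, name="block-noisy-sources"):
    """Rule entry for wafv2.create_web_acl(Scope='CLOUDFRONT', Rules=[...]).
    Assumed rule/metric names; the structure is the WAFv2 Rule shape."""
    return {
        "Name": name,
        "Priority": 0,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    one = apply_rate_rule(single_source())
    many = apply_rate_rule(distributed())
    print("single source  :", one["allowed"], "allowed,", one["blocked"], "blocked")
    print("1000 x 100     :", many["allowed"], "allowed,", many["blocked"], "blocked")
    print("WAFv2 rule     :", rate_rule_statement())
```

The single noisy source is cut off after its first 1000 requests, which is the improvement Asdfg describes. The distributed case passes every one of its 100,000 requests, because no individual source ever reaches the limit; that traffic still arrives at API Gateway, where (per the first answer) it fails the Cognito or IAM authorizer without being billed, but it is not stopped by a per-IP rate rule alone. Lowering the limit or aggregating on something other than the client address is the kind of tuning a rate-based rule needs for that shape of traffic.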