Learn how to use AWS Amplify to sign your API Gateway requests with Signature Version 4.
It is important to secure API Gateway endpoints. One way is to use AWS IAM roles (AWS_IAM). If the API Gateway endpoints are not authorized, the API endpoints can be easily abused through scripts.
Note that when you use AWS Amplify to sign a request, you don't need to provide your secret access key on the front-end, which is definitely more secure than using a library that requires it.
Without securing my terminals, these were the problems I ran into when I started building APIs.
- Sometimes the service would stop working because it was overloaded with spikes in bad requests.
- My costs have increased because my users or my competitors have abused my services that depend on other paid services.
- Email domain reputation has decreased. Sharing through the email service was abused and caused a high email bounce rate.
I've learned my lesson and I'd like to share it with you on how to sign your API Gateway requests with Signature Version 4.
Signing AWS requests with Signature Version 4 involves 4 steps. More information can be found hereAWS document🇧🇷 The following steps are cited and summarized from the linked AWS document.
Construct a string containing HTTP request information in a standardized (canonical) format.
- Canonical request pseudocode:
canonical request =
HTTPRequestMethod + '\n' +
Canonical URI + '\n' +
Canonical query string + '\n' +
Canonical headers + '\n' +
Signed headers '\n' +
HexEncode(Hash(RequestPayload))2. Example Get request for API Gateway endpoint:
OBTENGA https://f1pj1.execute-api.us-east-1.amazonaws.com/v0/posts?user=x HTTP/1.1 Host: f1pj1.execute-api.us-east-1.amazonaws.com Inhalt- Digite: application/x-www-form-urlencoded; charset=utf-8 X-Amz-Dato: 20190321T123600ZThe X-Amz-Date timestamp header must be in UTC and ISO 8601 format:JJJJMMTT'T'HHMMSS'Z'🇧🇷 The timestamp is used to ensure that the scope of issued permits matches the date of the request.
3. Example canonical request string. This string can be encoded using the same algorithm that is used to encode the payload.
TO RECEIVE
/Prod/posts
benutzer=x
tipo de contenido:aplicativo/x-www-form-urlencoded; charset=utf-8 host:f1pj1.execute-api.us-east-1.amazonaws.com x-amz-date:20190321T123600ZInhalation type; Host; x-amz-date e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
4. Example of a hashed canonical request string:
f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59The string to be signed contains meta information about your request and the canonical request created in step 1. In short, it contains the algorithm, timestamp, credential scope, and hashed canonical request.
- String structure to sign:
string to sign =
Algorithm + \n +
SolicitudFechaHora + \n +
Badge Scope + \n +
HashedCanonicalRequest2. Example string for the signature:
AWS4-HMAC-SHA256
20190321T123600Z
20190321/us-east-1/execute-api/aws4_request
f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a591. Obtain a signing key of your AWS secret access key, date (yyyymmdd), region, service. Below is some pseudocode to derive a signing key.
HMAC stands for Hash-Based Message Authentication Code.
kSecret = Your secret access key
kFecha = HMAC("AWS4" + kSecret, Data)
kRegion = HMAC(kDatum, Region)
kService = HMAC(kRegion, Service)
kAssinatura = HMAC(kServicio, "aws4_request")2. Use the derived signing key and the string to sign to create the signature. Below is the pseudocode to calculate the signature.
Signature = HexEncode(HMAC(derived signing key, string to sign))3. For client requests, you may not want to use your secret access key to sign your requests because the key is available to anyone looking at the source code. Instead, you can use the AWS Security Token Service to use temporary security credentials to sign a request.
For example, if you use AWS Cognito, you can create two roles: unauthenticated for unsigned users, and authenticated roles for signed-in users. These functions have a default duration of 1 hour. For more information, seeDocument AWS with IAM roles.
The following information is extracted from itAWS V4 signature document.
You can use temporary security credentials provided by AWS Security Token Service (AWS STS) to sign a request. The process is the same as using long-term credentials.
You can see in the screenshot above that the signature is added to the authorization header of the HTTP request in the following format:
1. Authorization Pseudocode-Headers:
Authorization: Algorithm Credential = Access Key ID / Credential Scope,
SignedHeaders=Signed Headers, Signature=Signature2. Authorization header example:
Autorización: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20190321/us-east-1/execute-api/ aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c862c40902e4dab40902e4dab40902e4dab40902e4dab3. The request would look like this:
GET https://f1pj1.execute-api.us-east-1.amazonaws.com/Prod/posts?user=x HTTP/1.1
Autorización: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c4002ebda-typeb-type:appdabda-typeb-type:appdabda-type : www-formular-urlencodiert; charset=utf-8 Host: f1pj1.execute-api.us-east-1.amazonaws.com x-amz-date: 20190321T123600Zyou can read thisAWS documentabout the difference between Signature version 2 and version 4.
There are several ways to sign an API Gateway request. For example, you can use aws4, aws-signature-v4, AWS Amplify, etc. for the signing process. This article is mainly about using AWS Amplify to sign a request.
When you use AWS Amplify, you can use API classes to send requests, and all those requests are automatically signed with AWS Signature Version 4.
Amplify-Settings
You must configure Amplify before using the API class.
amplify.set({
// If you use Cognito
Authentication: {
IdentitätPoolId: '',
Region: '',
Usergroup ID: '',
usuarioPoolWebClientId: ''
},
API: {
End points: [
{
Name: 'Calculate',
final point: 'https://api.amazonaws.com/v0'
}
]
}
});Get sample query
calculation function (user){
const apiName = 'Calcular';
const path = '/computer-eins';
constant setting = {
Titles: {},
answer: wrong
query string parameter: {
'id': usuario.id,
}
}return API.get(apiName, route, config)
.then(res => {
console.log('calculation response: ', res);
if (res.rst === 'OK') {
return Promise.resolve(res['Response']);
} anders {
Devuelve Promise.reject();
}
}).catch(Error => {
console.error(Error);
Devuelve Promise.reject();
});
}
Post Request Example
calculation function (user){
const apiName = 'Calcular';
const path = '/computer-eins';
constant setting = {
Titles: {},
answer: wrong
query string parameter: {
'id': usuario.id,
},
Body: {
'data': data
}
}return API.post(apiName, route, config)
.then(res => {
console.log('calculation response: ', res);
if (res.rst === 'OK') {
return Promise.resolve(res['Response']);
} anders {
Devuelve Promise.reject();
}
}).catch(Error => {
console.error(Error);
Devuelve Promise.reject();
});
}
This is a screenshot of truncated request headers.
However, if you prefer to use Fetch or XHR, you can do that too.Import signers from @amplify/coreand use it to sign your application directly.
Below is the request signing function. Note that some of the code is taken from the AWS Amplify library.
importar auth de @aws-amplify/auth;
import {signer} from @aws-amplify/core;
import * as urlLib of 'url';url = 'seuApiGatewayEndpoint';
// sign a request with Amplify Auth and Signer
function signRequest(url, data) {
// The following code is taken from AWS Amplify Rest Client
const {suche, ...parsedUrl} = urlLib.parse(url, true, true);
let formattedUrl = urlLib.format({
...URL parsed,
Query: { ...parsedUrl.Query }
});
devolver Auth.currentCredentials()
.then(credentials => {
let cred = auth.essentialCredentials(credenciales);
Return Promise.resolve(cred);
})
.then(essential credentials => {
leave parameters = {
Titles: {},
Dados: JSON.stringify({
'd': data
}),
Method: 'POST',
URL: URL formateada
}
(Video) API Authentication via API Keys | AWS API Gateway// the keys of the cred object must remain the same in order for
// The Signer.sign function can access the keys
lowest credit = {
clave_secreta: EssentialCredentials.secretAccessKey,
access_key: essentialCredentials.accessKeyId,
session_token: essential credentials.sessionToken
}
// Set your region and service here
lassserviceInfo = {
Region: „us-east-1“, Dienst: „execute-api“
}
// Signer.sign takes care of all other Signature V4 steps
leave signedReq = Signer.sign(params, cred, serviceInfo);
Devolver Promise.resolve(signedReq);
});
}
Below is a function that uses the above signature function to sign a request and uses fetch to send the requests.
function compute = (input, data) => {
// Add query parameters and values here.
deixe url = `${this.url}?param1=${input}`;devuelve this.signRequest(url, data).
.then(signed request => {
return busca(signedParams.url, {
Method: 'POST',
Mode: 'cors',
hidden: 'sem hidden',
Header: Parameters signed.headers,
Referents: 'Customer',
Body: Signed parameters.data
})
})
.then(answer => {
if (response.ok) {
Regresar Promise.resolve(response.json());
} anders {
throw a new error('Request failed');
}
})
.catch(Error => {
Return Promise.reject(nuevo error());
});
}
This allows you to protect your AWS API Gateway endpoints with AWS_IAM and sign your AWS API Gateway requests with Signature Version 4. Note that this doesn't protect your APIs from all abuse, but it does make abuse more difficult.
You can also use Cognito or Lambda Authorizer (Custom Authorizer) to control access to API Gateway endpoints. Read how to do it in myArtikel API Gateway Access control.
Thank you for reading!buy me a coffee
Originally Posted byhttps://jun711.github.ioApril 6, 2019.
FAQs
How do I secure my AWS API gateway? ›
You can protect your API using strategies like generating SSL certificates, configuring a web application firewall, setting throttling targets, and only allowing access to your API from a Virtual Private Cloud (VPC).
How do I enable SIGv4 in API gateway? ›To enable the SigV4 signing process, you need to make a small update to the ServiceA Python code that makes API calls to ServiceB. This change is to pass authentication information to AWS using the Authorization header when making API calls.
What is signature version 4? ›Signature Version 4 is the AWS signing protocol. AWS also supports an extension, Signature Version 4A, which supports signatures for multi-Region API requests. For more information, see the sigv4a-signing-examples project on GitHub. Contents.
How do I create an AWS signature Version 4? ›- Build a Canonical Request for Signature Version 4. To create a canonical request, concatenate the following components into a single string: ...
- Create a String to Sign for Signature Version 4. ...
- Calculate the Signature for AWS Signature Version 4. ...
- Add the Signing Information to the Request.
- Use tokens. Establish trusted identities and then control access to services and resources by using tokens assigned to those identities.
- Use encryption and signatures. ...
- Identify vulnerabilities. ...
- Use quotas and throttling. ...
- Use an API gateway.
- Policy enforcement. ...
- Traffic overload protection. ...
- Circuit breakers. ...
- Decoupling of the backend services from the front-end applications. ...
- HTTPS and encryption of requests. ...
- Implement API request validation. ...
- Set up logging. ...
- Implement rate-limiting.
Signature Version 4 is the process to add authentication information to AWS requests sent by HTTP. For security, most requests to AWS must be signed with an access key, which consists of an access key ID and secret access key. These two keys are commonly referred to as your security credentials.
How do I enable authorization and authentication for my REST API? ›- When a user signs up for access to your API, generate an API key: var token = crypto. ...
- Store this in your database, associated with your user.
- Carefully share this with your user, making sure to keep it as hidden as possible. ...
- To authenticate a user's API request, look up their API key in the database.
To authenticate API requests, you can use basic authentication with your email address and password, your email address and an API token, or an OAuth access token. All methods of authentication set the authorization header differently. Credentials sent in the payload or URL are not processed.
What is SigV4 vs JWT? ›SigV4 is aimed at someone with access to an IAM user/role in your AWS account. Cognito/JWT is aimed at allowing you to create and manage a group of users separate from your AWS Account users (i.e. in Cognito), and a mechanism verify those identities.
How do I validate my AWS signature? ›
You can also verify the digital signature by using the public key of the KMS key outside of AWS KMS. Use the GetPublicKey operation to download the public key in the asymmetric KMS key and then use the public key to verify the signature outside of AWS KMS.
What are the three types of signature? ›- Wet signature.
- Electronic signature (E-signature)
- Digital signature.
- Decide what you want your signature to convey. ...
- Analyze the letters in your name. ...
- Determine what parts of your name you want to include. ...
- Experiment with different styles. ...
- Think outside of the box. ...
- Choose your favorite signature.
Amazon SES customers who are currently using Signature Version 3 must migrate to Signature Version 4 by September 30, 2020. After that, Amazon SES will only accept requests that are signed using Signature Version 4.
How do I authenticate AWS API? ›- In the API Gateway console, choose the name of your API.
- In the Resources pane, choose a method (such as GET or POST) that you want to activate IAM authentication for.
- In the Method Execution pane, choose Method Request.
- Under Settings, for Authorization, choose the pencil icon (Edit).
- Authenticate and authorize. ...
- Implement access control. ...
- Encrypt requests and responses. ...
- Validate the data. ...
- Assess your API risks. ...
- Share only necessary information. ...
- Choose your web services API. ...
- Record APIs in an API registry.
- Safeguard your passwords and access keys.
- Activate multi-factor authentication (MFA) on the AWS account root user and any users with interactive access to AWS Identity and Access Management (IAM)
- Limit AWS account root user access to your resources.
- Audit IAM users and their policies frequently.
Encryption — Having encryption enabled on the API and using https using TLS secures the channel as well as the information sent. Rate limiting and throttling — Limiting the number of requests coming into an API helps prevent abuse. Throttling enables the availability of the service for legitimate consumers.
What is the difference between AWS API gateway and amplify? ›AWS Amplify CLI is a unified toolchain to create, integrate, and manage the AWS cloud services for your app. Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure REST APIs at any scale.
What are the 3 ways security is provided? ›There are three primary areas or classifications of security controls. These include management security, operational security, and physical security controls.
What is the security behind API gateway? ›
API Gateway Security – What is an API Gateway? The API Gateway is an important part of an API solution. API Gateways enforce policies which control security aspects such as the authentication, authorization or traffic management. The API Gateway is comparable to a gatekeeper guarding the underlying data.
What is canonical request? ›A canonical request is a string that represents a specific HTTP request to Cloud Storage. You use a canonical request along with a cryptographic key, such as an RSA key, to create a signature that is then included in the actual request as authentication.
How to create AWS signature in Java? ›- Step 1: Create a canonical request. ...
- Step 2: Create a hash of the canonical request. ...
- Step 3: Create a string to sign. ...
- Step 4: Calculate the signature. ...
- Step 5: Add the signature to the request. ...
- Temporary security credentials. ...
- Code examples in the AWS SDKs.
AWS Lambda natively supports Java, Go, PowerShell, Node.
What is the difference between API authentication and authorization? ›Authentication verifies the identity of a user or service, and authorization determines their access rights. Although the two terms sound alike, they play separate but equally essential roles in securing applications and data. Understanding the difference is crucial. Combined, they determine the security of a system.
Which is the best API authentication method? ›OAuth 2.0 is a widely used standard for API authentication, since it provides a secure and convenient way for users to grant third-party applications access to their resources without sharing their passwords.
What is the difference between API authorization and authentication? ›While we often use the terms interchangeably, authorization and authentication are two separate functions. Authentication is the process of verifying who a user is, and authorization is the process of verifying what they have access to.
How do I authorize an API request? ›With API key auth, you send a key-value pair to the API either in the request headers or query parameters. In the request Authorization tab, select API Key from the Type list. Enter your key name and value, and select either Header or Query Params from the Add to dropdown list.
How many types of authentication are there in API? ›We'll highlight three major methods of adding security to an API — HTTP Basic Auth, API Keys, and OAuth. We'll identify the pros and cons of each approach to authentication, and finally recommend the best way for most providers to leverage this power.
Which is more secure JWT or OAuth? ›JWT token vs oauth token: JWT defines a token format while OAuth deals in defining authorization protocols. JWT is simple and easy to learn from the initial stage while OAuth is complex. OAuth uses both client-side and server-side storage while JWT must use only client-side storage. JWT has limited scope and use cases.
Which is better JWT or Passport? ›
JSON Web Token has a broader approval, being mentioned in 29 company stacks & 15 developers stacks; compared to Passport, which is listed in 11 company stacks and 11 developer stacks.
What is difference between JWT and access token? ›The OAuth access token is different from the JWT in the sense that it's an opaque token. The access token's purpose is so that the client application can query Google to ask for more information about the signed in user. email: The end user's email ID. email_verified: Whether or not the user has verified their email.
What is the best way to verify that a digital signature is valid? ›When a digital signature is verified, the signature is decrypted using the public key to produce the original hash value. The data that was signed is hashed. If the two hash values match, then the signature has been verified.
How do I verify my signature verification? ›How can a digitally signed document be verified after the DSC associated with the Public Key has expired? The digital signature verification process for a document requires the signer's public key, issuer certificates and their CRLs. CA will make available the issuer certificates and CRLs till the expiry of DSCs.
How do I validate a signature file? ›Right-click the EXE or MSI file and select Properties. Click the Digital Signatures tab to check the signature.
What are types of signatures? ›There are four main categories of signature used in the business world: wet signatures, e-signatures, digital signatures, and clickwrap signatures. Depending on the circumstances, you may need to use one or more of these methods when you agree to a contract or sign other important documents.
Which type of signature is best? ›Signatures that include just your initials (with or without the middle initial) are usually considered more formal and businesslike than full-name signatures. If you're worried about forgery, consider making your signature longer and more legible. Include your entire first and last name. Be sure to write clearly.
How many types of signatures are there? ›There are 4 different types of signatures the business world, and often the definitions can be mixed up or blurred.
What should a signature include? ›Your email signature should include your full name, contact information, job information, any important links, legal requirements, a call to action, and your pronouns. You want to write a detailed email signature, but don't go too crazy with it.
What is the best email signature? ›A personal email signature should include your full name, a photo of yourself, a direct phone number, a hyperlinked website address, and social media icons with links to your personal profiles. If you are currently employed, include your job title.
What is the best tool app for creating a digital signature? ›
DocuSign (Web, iOS, Android, Windows)
DocuSign is one of the most popular electronic signature apps available, and for good reason. It's great to use and hits all the features most people need in an eSignature app.
Request signature is the API request parameter api_sig which is added to every request to verify request user's authenticity on behalf of which the request is made.
Is Signature Version 2 deprecated for use with SES? ›Beginning March 27th 2021, support for Signature Version 2 will be turned off in Amazon SES, and only Signature Version 4 will be supported going forward. Amazon SES customers who are currently using Signature Version 2 must migrate to Signature Version 4 by March 26, 2021.
What is deprecated in AWS? ›Overview On May 30, 2022, the AWS SDK for Python (Boto3 and Botocore) and the AWS Command Line Interface (AWS CLI) v1 will no longer support Python 3.6. This will be the third in a recent series of runtime deprecations which started in 2021.
What is Signature version 4? ›Signature Version 4 is the AWS signing protocol. AWS also supports an extension, Signature Version 4A, which supports signatures for multi-Region API requests. For more information, see the sigv4a-signing-examples project on GitHub. Contents.
How do I enable SigV4 in API gateway? ›To enable the SigV4 signing process, you need to make a small update to the ServiceA Python code that makes API calls to ServiceB. This change is to pass authentication information to AWS using the Authorization header when making API calls.
How do I protect AWS API gateway from DDoS? ›The method to protect APIs from DDoS is known as Rate Limiting. Rate limiting can do the following: Prevent any particular client from exhausting application resources. Protect your application instances from erratic and unpredictable spikes in the rate of client requests.
How do I protect my gateway? ›- Implement only authenticated IoT gateways. ...
- Perform a security assessment before implementation. ...
- Update gateway software. ...
- Regularly review access to the gateway. ...
- Include gateways in security audits. ...
- Use a separate network for IoT gateways and devices.
Use HTTPS/TLS for REST APIs
As one of the most critical practices, every API should implement HTTPS for integrity, confidentiality, and authenticity. In addition, security teams should consider using mutually authenticated client-side certificates that provide extra protection for sensitive data and services.
- Implement Authentication. You should always be aware of who is calling your APIs. ...
- Use TLS (HTTPS) ...
- Validate API Parameters. ...
- Rate Limiting. ...
- Implement Content Types. ...
- Restrict Access to Resources. ...
- Use Pagination.
How do you handle security in API? ›
- Authenticate and authorize. ...
- Implement access control. ...
- Encrypt requests and responses. ...
- Validate the data. ...
- Assess your API risks. ...
- Share only necessary information. ...
- Choose your web services API. ...
- Record APIs in an API registry.
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS.
What is the most secure gateway? ›- Zscaler Web Security. ...
- Symantec Secure Gateway. ...
- Forcepoint Web Security. ...
- FortiProxy. ...
- Barracuda Web Security Gateway. ...
- Censornet Web Security. ...
- McAfee Web Gateway. ...
- Sophos Web Gateway.
A secure web gateway is an on-premise or cloud-delivered network security service. Sitting between users and the Internet, secure web gateways provide advanced network protection by inspecting web requests against company policy to ensure malicious applications and websites are blocked and inaccessible.
Can a gateway be hacked? ›Browser hijacking is a sure sign that you have a hacked router or wireless gateway. In this case, a hacker logged in to your router and changed its Domain Name System (DNS) settings—the system that matches numeric IP addresses with their web domains.
Which authentication method is best for REST API? ›- Always use TLS. ...
- Use OAuth2 for single sign on (SSO) with OpenID Connect. ...
- Use API keys to give existing users programmatic access. ...
- Encourage using good secrets management for API keys.
OAuth. OAuth is popular security mechanism that is widely used for user authentication. Similar to how a logged in session works on a website, OAuth requires the client user to “login” to the Web API before allowing access to the rest of the service. This is achieved by exposing a single endpoint for the login process.
How do I authenticate API requests? ›To authenticate API requests, you can use basic authentication with your email address and password, your email address and an API token, or an OAuth access token. All methods of authentication set the authorization header differently. Credentials sent in the payload or URL are not processed.