
How to protect AWS API gateway endpoint from DDoS attack?

Recently I have been working with AWS API Gateway, where I created an API and protected it with an API key and Cognito (OAuth).

One day I found that my API had been accessed 10K times; those requests failed because the attacker didn't have access to it.

My question is: does Amazon charge for such API calls which are unauthorized? If they charge, then how do I protect it? As I understand, even if I put WAF in front of it, my API URL will still be exposed....

Any help is appreciated...

If you protect your endpoint with the following authorization types: AWS_IAM, CUSTOM, and COGNITO_USER_POOLS, you will not be charged by API Gateway for failed requests. Please reference the Pricing Documentation. Also reference Secure AWS API Gateway with Lambda Integration.

What you are describing is a type of DDoS attack.

This is what you need to do to protect your API Gateway endpoint from a DDoS attack.

1) Create your API
2) Setup CloudFront distribution to your API
3) Front your CloudFront distribution with AWS WAF.
4) Create ACL rule and set requester limit to what you deem appropriate.
5) Test.

You still need to use AWS_IAM or Cognito to do the authorization part.

Here is the document that details the steps:

https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-i/
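Step 4 is the one with a value you have to choose: the requester limit. The script below is an added example, not code from this answer or from the linked AWS blog post. It does not call AWS; it replays constructed API Gateway access-log lines (the `ip`, `requestTime` and `status` field names are assumptions, since the access-log format is whatever you configured) through the same kind of trailing-window, per-source-IP count that a WAF rate-based rule performs, so you can see what limit separates a burst like the 10K failed calls in the question from normal clients, and it then emits the matching WAFv2 rule document for `aws wafv2 create-web-acl --rules file://rules.json`.

```python
"""Tune the WAF rate-based rule (step 4) against API Gateway access logs.

Added example. Nothing here talks to AWS: it counts requests per source IP
over a trailing window the way a WAFv2 RateBasedStatement keyed on IP does,
and builds the rule JSON that the AWS CLI accepts.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # rate-based rules count requests over a trailing window
WAF_MIN_LIMIT = 100             # WAFv2 rejects a RateBasedStatement Limit below 100


def build_sample_log():
    """Constructed sample log: one bursting client and one well-behaved client."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # 150 rejected requests in 2.5 minutes from a single address
    for i in range(150):
        lines.append(json.dumps({
            "ip": "203.0.113.7",
            "requestTime": (t0 + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "status": 403,
        }))
    # 10 successful requests spread over an hour from a legitimate client
    for i in range(10):
        lines.append(json.dumps({
            "ip": "198.51.100.20",
            "requestTime": (t0 + timedelta(minutes=6 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "status": 200,
        }))
    return lines


def parse(line):
    """One JSON access-log line -> (source ip, timestamp, HTTP status)."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["requestTime"], "%Y-%m-%dT%H:%M:%SZ")
    return rec["ip"], ts, int(rec["status"])


def peak_rate_per_ip(lines, window=WINDOW):
    """Highest number of requests each IP made inside any single trailing window."""
    events = sorted((parse(line) for line in lines), key=lambda e: e[1])
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for ip, ts, _status in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that have aged out
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def ips_over_limit(lines, limit, window=WINDOW):
    """IPs a rate-based rule with this limit would have started blocking."""
    return {ip: n for ip, n in peak_rate_per_ip(lines, window).items() if n > limit}


def is_valid_limit(limit):
    return limit >= WAF_MIN_LIMIT


def rate_based_rule(name, limit, priority=0):
    """WAFv2 rule entry: block every request from an IP that exceeds `limit`."""
    if not is_valid_limit(limit):
        raise ValueError(f"WAFv2 rate limit must be at least {WAF_MIN_LIMIT}, got {limit}")
    return {
        "Name": name,
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    log = build_sample_log()
    print("peak requests per IP in a 5-minute window:", peak_rate_per_ip(log))
    print("would be blocked at limit 100:", ips_over_limit(log, 100))
    print(json.dumps([rate_based_rule("block-bursting-ips", 100)], indent=2))
```

Run it against your real access logs (replace `build_sample_log()` with the file contents) and pick a limit comfortably above the peak of legitimate clients; the rule keys on source IP only, so a burst spread across many addresses needs a lower limit or additional rules, and the web ACL must be created in us-east-1 with `--scope CLOUDFRONT` to attach it to the distribution from step 2.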
