Enhancing AWS API Gateway Security: Best Practices for API Management

Effectively managing and securing large volumes of APIs requires a multi-layered solution. For AWS users, Amazon API Gateway is a fully managed service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. API Gateway supports a variety of backend integrations, enabling containerized, serverless, and traditional instance-based workloads.

However, security is a shared responsibility between AWS and its customers. While AWS is responsible for protecting infrastructure and services, customers must also secure their data and applications.

AWS recommends the following security design principles.³

• Mitigate distributed denial-of-service (DDoS) attack effects
• Implement inspection and protection using a web application firewall (WAF)
• Enable auditing and traceability with near real-time monitoring
• Automate security best practices
• Apply security at all layers for a defense-in-depth approach

As an AWS partner, F5 offers security that works with Amazon API Gateway to secure your apps and APIs. F5 BIG-IP Advanced WAF or F5 Distributed Cloud WAF can identify malicious traffic trying to reach the Amazon API Gateway or your API services. You can deploy the WAF in front of or behind Amazon API Gateway. However, deploying it in front of the gateway has the added benefit of preventing malicious API calls that will cost you money.

F5 WAF solutions use behavioral analytics to accurately identify threats and provide layer 7 DoS mitigation, application-layer encryption, and threat intelligence services. Deploying a WAF protects your applications and APIs against attacks, including those in the OWASP Top 10.

Another important requirement for API protection is discovery. Integrate F5 Distributed Cloud API Security with your CI/CD pipeline to capture API changes without disrupting the development process. Upload an existing API schema to enforce appropriate API behavior and automatically generate policies based on app-to-app and API-to-API patterns. F5 Distributed Cloud API Security also controls connections and monitors for anomalous behavior in API traffic, allowing it to block suspicious activity.

Bots pose another major threat to API security. Several of the OWASP API Security Top 10 threats are weaknesses that can be easily exploited by bots, such as unrestricted resource consumption or broken authentication. Adding F5 Distributed Cloud Bot Defense enables a combination of human experts and machine learning to detect malicious bot traffic while admitting legitimate users and helpful bots.