The new Amazon API Gateway tool for AWS was recently introduced. Are there security benefits to using these types of API gateway tools? Would certain enterprise cloud environments benefit more from their implementation?
Application program interfaces are standard features of distributed applications, but they present significant overhead from a security perspective. An API is like the front door of an application, and it is facing the Internet. An API gateway service is a good idea for anyone who would rather add product functionality than spend time locking down their API.
Although the Amazon API Gateway tool is new, developers have had options from Microsoft Azure and third parties, such as Apigee, CA API Management and Mashery. These services offer a range of capabilities not limited to security, such as the ability to set rate limits and quotas, throttle users that exceed quotas, consolidate multiple application services into a single management system, and provide analytics reporting. Authentication and authorization services are especially important selling points of API management systems, at least to the infosec team.
Amazon's API Gateway is new, and like many AWS services, should be considered a first version with additional features to come later. Even if the Amazon API Gateway never reaches feature parity with third-party API gateway providers, it offers a singular advantage: It integrates with the AWS ecosystem.
API Gateway integrates with AWS's Identity and Access Management (IAM) and Cognito to provide authentication and authorization services. Organizations that already use IAM can leverage their existing users, groups and privilege assignments. For applications that depend on OAuth or OpenID, the API Gateway can integrate with back-end services for authentication.
The gateway service integrates with CloudWatch, Amazon's performance management service, which can also help identify potential security issues, such as excessive numbers of calls or other suspicious activity. Amazon also offers CloudTrail for logging API calls to the standard logging service in AWS. There is also a service for generating API keys. The API keys are included in logging information to enable tracking users of the API.
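To illustrate the per-key tracking described above, the following Python example (added here, not code from AWS or from the original article) counts calls per API key in a sliding time window and flags keys that exceed a threshold. The log records and their field names (`ts`, `api_key_id`, `path`, `status`) are constructed for the example and are assumptions, not a real AWS log format.

```python
import json
from collections import defaultdict, deque

# Constructed sample log lines (assumed format, one JSON object per line).
SAMPLE_LOG = "\n".join(
    # A batch client calling once per second for 25 seconds.
    [json.dumps({"ts": 1000 + i, "api_key_id": "key-batch", "path": "/orders", "status": 200})
     for i in range(25)]
    # A normal client calling every 30 seconds.
    + [json.dumps({"ts": 1000 + 30 * i, "api_key_id": "key-web", "path": "/orders", "status": 200})
       for i in range(5)]
    # Calls that carry no API key at all, which cannot be tied to a user.
    + [json.dumps({"ts": 1000 + i, "path": "/orders", "status": 403}) for i in range(3)]
    # A truncated record, as can happen in a log export.
    + ['{"ts": 1005, "api_key_id": "key-we']
)

def find_excessive_callers(lines, max_calls=10, window_seconds=60):
    """Return ({key: peak calls in any window}, skipped_line_count).

    Only keys whose peak exceeds max_calls are included. Calls without a
    key are grouped under "<no-key>" so they stay visible to the analyst.
    """
    records, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
            records.append((int(rec["ts"]), rec.get("api_key_id") or "<no-key>"))
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # malformed line: count it instead of failing

    recent = defaultdict(deque)  # key -> timestamps inside the current window
    peak = defaultdict(int)      # key -> largest window population seen
    for ts, key in sorted(records):  # logs may arrive out of order
        window = recent[key]
        window.append(ts)
        while window[0] <= ts - window_seconds:
            window.popleft()     # drop calls older than the window
        peak[key] = max(peak[key], len(window))

    return {k: n for k, n in peak.items() if n > max_calls}, skipped

if __name__ == "__main__":
    flagged, skipped = find_excessive_callers(SAMPLE_LOG.splitlines())
    print("flagged:", flagged, "skipped lines:", skipped)
```
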