保护AWS API Gateway [英] Securing AWS API Gateway

问题描述

我们有一个现有应用程序，并且正在开发AWS中应用程序所需的新API.

We have have an existing application and we are developing the new APIs required for our application in AWS.

我们希望对AWS API启用基于角色的访问控制，而无需将用户迁移到AWS Cognito.我们认为我们可能需要使用开发者身份提供者和IAM角色，但不确定如何将应用程序中的用户附加到IAM角色.在这个方向上的任何帮助将是可观的.

We want to enable role based access control to our AWS API without migrating our users to AWS Cognito. We think we might need to use Developer Identity Provider and IAM Roles, but not sure how the users from our application will be attached to IAM Roles. Any help in this direction will be appreciable.

谢谢.

注意:我是AWS的新手.

Note: I am new to AWS.

推荐答案

我认为您应该看看通过这种方式，您可以将现有的授权系统插入API网关.只要您不直接与用户共享AWS资源，我就不会使用IAM角色.

This way you can plug your already existing authorization system into the API gateway. I wouldn't use IAM roles as long as you are not sharing AWS resources directly with your users.

如果仅对应用程序使用基于角色的访问控制，那么使用现有应用程序角色绝对可以.您只需要使它们可访问即可，以便自定义授权者lambda可以针对它验证授权.

If you are only using role based access controls for your application, using existing application roles is absolutely fine. You just need to make them accessible, so the custom authorizer lambda can validate the authorization against it.

这篇关于保护AWS API Gateway的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！