AWS CloudFront (with WAF) + API Gateway: how to force access through CloudFront?
Question
I want to put WAF in front of API Gateway, and with the (little) info I find, that is only possible by manually putting an extra CloudFront distribution with WAF enabled in front of APIG. It's a bit of a shame, especially since APIG now supports custom domains natively, but it should work.
Now, to make the solution secure rather than just obscure, I want to enforce that the APIs can only be accessed through the CloudFront distro. What is the best option to do this?
- I was hoping to be able to use 'Origin Access Identities' similar to S3, but don't see how to do that.
- If I could assign an IAM User (or role?) to the CloudFront distro, I could use the APIG IAM feature, but I don't see how this can be done.
- I could require an API key in APIG and pass it as an Origin Custom Header from CloudFront. That could work, as long as we don't want to use API keys for some other purpose, so I'm not entirely happy about that.
- A dummy (!) custom authorizer could be used, with the Token validation expression actually checking a secret that is passed as an Origin Custom Header from CloudFront. Should work, it's more flexible, but a bit dirty... or not?
Any better ideas? Or perhaps "the right way" to do it exists but I overlooked it?
Answer
I am from API Gateway.
Unfortunately, the best solution we have as of now is to inject an origin custom header in CloudFront and validate it in a custom authorizer (option 4 in your question).
We are already aware of this limitation and the not-so-great workaround. We are looking to provide better WAF integration in the future, but we do not have an ETA.
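The workaround the answer recommends, written out as an added example (this is not code from the answer or from AWS): CloudFront is configured with an Origin Custom Header carrying a long random value, and a Lambda authorizer on the API rejects any request that does not present that exact value. The header name `X-Origin-Verify`, the `ORIGIN_SECRET` environment variable and the sample authorizer event are assumptions made for the example. It is written for a REQUEST-type authorizer whose identity source is `method.request.header.X-Origin-Verify`; a TOKEN-type authorizer with that header as its token source delivers the same value in `authorizationToken`, which the handler also accepts.

```python
"""Lambda authorizer that only admits requests carrying the CloudFront
origin custom header.  Added example; the header name, the ORIGIN_SECRET
variable and the sample event are assumptions, not from the original answer."""
import hmac
import os

# Name of the Origin Custom Header configured on the CloudFront origin.
# Assumed name; anything works as long as CloudFront and this code agree.
HEADER_NAME = "x-origin-verify"


def get_header(headers, name):
    """Case-insensitive lookup (REST and HTTP API events differ in casing)."""
    name = name.lower()
    for key, value in (headers or {}).items():
        if key.lower() == name:
            return value
    return None


def verify_origin_header(headers, secret):
    """True only if the header is present and equals the shared secret.
    hmac.compare_digest keeps the comparison constant-time."""
    presented = get_header(headers, HEADER_NAME)
    if presented is None or not secret:
        return False
    return hmac.compare_digest(presented.encode(), secret.encode())


def stage_wildcard_arn(method_arn):
    """Turn arn:...:apiId/stage/VERB/path into arn:...:apiId/stage/*/* so a
    cached Allow policy is valid for every route of the stage."""
    prefix, resource = method_arn.rsplit(":", 1)
    api_id, stage = resource.split("/")[:2]
    return f"{prefix}:{api_id}/{stage}/*/*"


def build_policy(effect, resource):
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    return {
        "principalId": "cloudfront",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": resource,
            }],
        },
    }


def handler(event, context, secret=None):
    """Lambda entry point. Accepts REQUEST events (headers) and TOKEN events
    (authorizationToken) so either authorizer type can be used."""
    if secret is None:
        secret = os.environ.get("ORIGIN_SECRET", "")  # assumed variable name
    if event.get("type") == "TOKEN":
        headers = {HEADER_NAME: event.get("authorizationToken", "")}
    else:
        headers = event.get("headers", {})
    if not verify_origin_header(headers, secret):
        # Raising an error whose message is exactly "Unauthorized" makes
        # API Gateway answer 401; a Deny policy would give 403 and be cached.
        raise Exception("Unauthorized")
    return build_policy("Allow", stage_wildcard_arn(event["methodArn"]))


def sample_request_event(header_value):
    """Constructed REQUEST-authorizer event shaped like what API Gateway sends."""
    return {
        "type": "REQUEST",
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/GET/items",
        "headers": {
            "Host": "abcdef123.execute-api.us-east-1.amazonaws.com",
            "X-Origin-Verify": header_value,
        },
    }


if __name__ == "__main__":
    secret = "s3cr3t-from-cloudfront"
    ok = handler(sample_request_event(secret), None, secret=secret)
    print(ok["policyDocument"]["Statement"][0]["Effect"])
    try:
        handler(sample_request_event("guess"), None, secret=secret)
    except Exception as exc:
        print(exc)
```

Two caveats for anyone deploying this: the default `execute-api` endpoint of the API stays reachable from the internet, so this check is the only thing keeping WAF from being bypassed, and the secret lives in static CloudFront configuration, so rotate it (add the new value to the authorizer before swapping it in CloudFront). CloudFront replaces a viewer-supplied header of the same name with the configured origin header value, so clients going through the distribution cannot spoof it, but they can still reach the origin directly if the authorizer is missing on any route.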