
We created a CloudFront distribution in front of our APIs. Is it possible to restrict API calls other than those coming from CloudFront?

Current setup:

Caller --> API Gateway Endpoint --> Lambda

Caller --> CloudFront Endpoint --> API Gateway Endpoint --> Lambda

We expect to have it like this only:

Caller --> CloudFront Endpoint --> API Gateway Endpoint --> Lambda

Steven

1 Answer


Yes, WAF is available for API Gateway.

1. In CloudFront, add a custom origin header.
2. Use WAF on API Gateway and allow the request if it comes from the CloudFront IP addresses and the header and value are present.

CloudFront IP addresses: http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips

James Dean
  • Is the custom origin header necessary? – Steven May 18 '19 at 10:24
  • It adds more security. Someone else can have their own CloudFront distribution, define your API Gateway as its origin, and make requests, as CloudFront shares the same IP addresses. – James Dean May 18 '19 at 11:07
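
The decision the answer and its follow-up comment describe, modelled as an added example that is not part of the original posts: a request is allowed only when its source IP is in the CloudFront ranges and it carries the custom origin header with the expected value. The header name and value, the sample requests and the CIDRs are constructed, and the two JSON keys are an assumption about the shape of the IP list linked above.

```python
import hmac
import ipaddress
import json

# Constructed sample in the shape assumed for the list-cloudfront-ips output.
# The CIDRs are documentation ranges, not real CloudFront ranges.
SAMPLE_IP_LIST = json.dumps({
    "CLOUDFRONT_GLOBAL_IP_LIST": ["203.0.113.0/24"],
    "CLOUDFRONT_REGIONAL_EDGE_IP_LIST": ["198.51.100.0/24"],
})
HEADER_NAME = "x-origin-verify"            # hypothetical custom origin header
HEADER_VALUE = "constructed-shared-value"  # placeholder, set on the distribution


def load_networks(raw_json):
    """Flatten every CIDR list in the document into ip_network objects."""
    doc = json.loads(raw_json)
    return [ipaddress.ip_network(c) for cidrs in doc.values() for c in cidrs]


def evaluate(source_ip, headers, networks):
    """Return (action, reason) for one request as seen at API Gateway."""
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in networks):
        return "BLOCK", "source IP outside CloudFront ranges"
    # HTTP header names are case-insensitive.
    supplied = {k.lower(): v for k, v in headers.items()}.get(HEADER_NAME, "")
    # Constant-time comparison so the check does not leak the value by timing.
    if not hmac.compare_digest(supplied.encode(), HEADER_VALUE.encode()):
        return "BLOCK", "origin header missing or wrong"
    return "ALLOW", "CloudFront IP and origin header both match"


NETWORKS = load_networks(SAMPLE_IP_LIST)
# Constructed requests: name, source IP seen by API Gateway, request headers.
REQUESTS = [
    ("direct caller", "192.0.2.10", {}),
    ("other distribution", "203.0.113.7", {"X-Origin-Verify": "guess"}),
    ("our distribution", "198.51.100.20", {"X-Origin-Verify": HEADER_VALUE}),
]


def run_samples():
    """Map each sample request name to the action taken."""
    return {name: evaluate(ip, hdrs, NETWORKS)[0] for name, ip, hdrs in REQUESTS}


if __name__ == "__main__":
    for name, ip, hdrs in REQUESTS:
        print(name, ip, *evaluate(ip, hdrs, NETWORKS))
```

The second sample request passes the IP check because every distribution shares the same edge ranges, and only the header check stops it.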