You can use the following mechanisms for authentication and authorization:
- Resource policies let you create resource-based policies to allow or deny access to your APIs and methods from specified source IP addresses or VPC endpoints. For more information, see Control Access to an API with Amazon API Gateway Resource Policies.
- Standard AWS IAM roles and policies offer flexible and robust access controls that can be applied to an entire API or to individual methods. IAM roles and policies can be used to control who can create and manage your APIs as well as who can invoke them. For more information, see Control Access to an API with IAM Permissions.
- IAM tags can be used together with IAM policies to control access. For more information, see Using Tags to Control Access to API Gateway Resources.
- Endpoint policies for interface VPC endpoints allow you to attach IAM resource policies to interface VPC endpoints to improve the security of your private APIs. For more information, see Use VPC Endpoint Policies for Private APIs in API Gateway.
- Lambda authorizers are Lambda functions that control access to REST API methods using bearer token authentication, or using request parameter information drawn from headers, paths, query strings, stage variables, or context variables. Lambda authorizers are used to control who can invoke REST API methods. For more information, see Use API Gateway Lambda Authorizers.
- Amazon Cognito user pools let you create customizable authentication and authorization solutions for your REST APIs. Amazon Cognito user pools are used to control who can invoke REST API methods. For more information, see Control Access to a REST API Using Amazon Cognito User Pools as Authorizer.
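The Lambda authorizer item above describes a function that receives a bearer token and returns an IAM policy deciding whether the caller may invoke the method. The following is an added example of a minimal TOKEN-type authorizer in Python; it is not code from the AWS documentation. The token table, principal names and method ARN are constructed for illustration; a real authorizer would validate a JWT or consult a token store instead.

```python
"""Minimal API Gateway TOKEN Lambda authorizer (added example, not AWS code).

API Gateway invokes the handler with `authorizationToken` and `methodArn`;
the handler returns an IAM policy that allows or denies execute-api:Invoke
on that method. A raised Exception("Unauthorized") maps to HTTP 401, while
a returned Deny policy maps to HTTP 403.
"""
import hmac

# Constructed for this example only: do not hard-code tokens in production.
VALID_TOKENS = {
    "token-for-alice": "alice",
    "token-for-bob": "bob",
}


def lookup_principal(token: str):
    """Return the principal for a valid bearer token, or None.

    Constant-time comparison avoids leaking which prefix matched."""
    for candidate, principal in VALID_TOKENS.items():
        if hmac.compare_digest(candidate, token):
            return principal
    return None


def build_policy(principal_id: str, effect: str, method_arn: str) -> dict:
    """Assemble the authorizer response structure API Gateway expects."""
    if effect not in ("Allow", "Deny"):
        raise ValueError("effect must be Allow or Deny")
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,  # scoped to the invoked method only
            }],
        },
        # Exposed to the integration as $context.authorizer.<key>.
        "context": {"principalId": principal_id},
    }


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point: expects an Authorization value of 'Bearer <token>'."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise Exception("Unauthorized")  # malformed header -> 401
    principal = lookup_principal(token)
    if principal is None:
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(principal, "Allow", event["methodArn"])
```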
The following mechanisms can be used for access control and related tasks:
- Cross-Origin Resource Sharing (CORS) lets you control how your REST API responds to cross-domain resource requests. For more information, see Enable CORS for an API Gateway REST API Resource.
- SSL client certificates can be used by an HTTP backend to verify that incoming requests originate from API Gateway. For more information, see Generate and Configure an SSL Certificate for Backend Authentication.
- AWS WAF can be used to protect your API Gateway API from common web exploits. For more information, see Use AWS WAF to Protect Your Amazon API Gateway API from Common Web Exploits.
The following mechanisms can be used to track and limit the access that you have granted to authorized clients:
- Usage plans let you provide API keys to your customers, and then track and limit usage of your API stages and methods for each API key. For more information, see Create and Use Usage Plans with API Keys.