
I have a simple control panel hosted on AWS s3 as a static website. It simply has buttons that make AJAX POST requests to an API Gateway / Lambda endpoint and then displays the response. This Lambda function has authorization to launch new EC2 instances, terminate some instances, and run scripts on existing instances through SSM, so it's important that this control panel is password protected in some way.

Note that no sensitive data is actually transmitted so I don't think that using TLS is strictly required (and I'm not even sure how you'd do that on s3?). But the API requests made need to have some sort of authorization token.

I'm not really sure what to do here -- solutions like JWT seem quite overkill. I just want a single, static password that I can give to my friends so they can access this control panel and make valid requests. No users / registration required.

I think simply protecting the site itself isn't a solution because the API Gateway endpoint is still public (although maybe not -- can I set the API to only accept requests from the s3 site?). There needs to be some token sent with the POST requests that authorizes each individual request and the token needs to change to prevent replay attacks.

Thanks,

Thor Correia
  • since you just need 1 user, you can simply add [api key](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-setup-api-key-with-console.html) to secure apis and have your friends enter that key as input to login and pass it along as header to api gateway calls. – Balu Vyamajala Mar 24 '21 at 02:38
  • This may be a good option... Put CloudFront in front of your S3 bucket, and use basic auth: https://stackoverflow.com/questions/55874983/basic-user-authentication-for-static-site-using-aws-s3-bucket/55876662#55876662 – hephalump Mar 24 '21 at 02:39
  • @BaluVyamajala i mean is that secure though? The connection is just http – Thor Correia Mar 24 '21 at 05:58

1 Answer


Two options to easily secure Api Gateway:

  • Simple Api Key: We can setup an Api Key and secure api with this. We just need to pass this key as X-API-Key to all the api calls. We can have users enter this.
  • Custom Authorizer with Basic Auth to secure Api Gateway. Users will then need to enter user id and password, which will be passed as Authorization header and will be validated by this custom authorizer.

We could do both of these, or either one of the two.

Balu Vyamajala
  • Thanks! I'm worried that the api key method wouldn't be secure though, would it? The s3 static site is just http, so wouldn't the API key just be sent in plain text? – Thor Correia Mar 24 '21 at 05:59
  • communication between browser and api gateway is https. it's only the static file download from s3 that is http. So, API Key or any other mechanism we use to secure for APIs will always be secure. – Balu Vyamajala Mar 24 '21 at 11:45
  • #1 is not correct and should not be marked as the correct answer. While it would be true if sending from a server, any user of the static site could simply look for the x-api-key header in the network tab of their developer tools, and from then on make calls using the same API key. – TonyTheJet Apr 29 '22 at 14:03
  • @TonyTheJet , API key is not hard coded in static code, there will be an input box that user needs to key in and get stored in local storage – Balu Vyamajala Apr 29 '22 at 14:21
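The second option in the answer, a Lambda custom authorizer that validates HTTP Basic Auth, is the part that is easy to get subtly wrong, so here is an added example of what such a REQUEST-type authorizer looks like. This is illustrative code written for this page, not code from the question, the answer or AWS; the environment variable names `PANEL_USER` / `PANEL_PASSWORD` and their fallback values are constructed placeholders, and the `methodArn` in the usage call is a made-up ARN. It parses the `Authorization: Basic` header, compares the credentials in constant time, and returns the IAM policy document API Gateway expects; a missing or wrong credential raises `Unauthorized`, which API Gateway turns into a 401.

```python
import base64
import hmac
import os

# Expected credential for the single shared login. These names and defaults are
# placeholders constructed for this example; a real deployment would read the
# secret from Lambda environment config, SSM Parameter Store or Secrets Manager.
EXPECTED_USER = os.environ.get("PANEL_USER", "admin")
EXPECTED_PASSWORD = os.environ.get("PANEL_PASSWORD", "example-password")


def make_basic_header(user, password):
    """Build the header value the browser sends (what the static page would do)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if not header_value:
        return None
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # malformed base64 or non-UTF-8 bytes: treat as no credentials
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_valid(user, password):
    """Constant-time comparison so response timing does not leak how much matched."""
    user_ok = hmac.compare_digest(user.encode("utf-8"), EXPECTED_USER.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), EXPECTED_PASSWORD.encode("utf-8"))
    return user_ok and pass_ok


def build_policy(principal_id, effect, method_arn):
    """IAM policy document in the shape a Lambda authorizer must return."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }


def lambda_handler(event, context):
    """REQUEST-type authorizer: API Gateway passes the headers and methodArn in the event."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    creds = parse_basic_auth(headers.get("authorization"))
    if creds is None:
        # The literal message "Unauthorized" makes API Gateway answer 401 rather than 403.
        raise Exception("Unauthorized")
    user, password = creds
    if not credentials_valid(user, password):
        raise Exception("Unauthorized")
    return build_policy(user, "Allow", event["methodArn"])


if __name__ == "__main__":
    # Constructed sample event; the ARN is a placeholder, not a real API.
    sample_event = {
        "headers": {"Authorization": make_basic_header("admin", "example-password")},
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef1234/prod/POST/launch",
    }
    print(lambda_handler(sample_event, None)["policyDocument"]["Statement"][0]["Effect"])
```

Two deployment details matter for the behaviour the answer describes: the authorizer must be configured with the `Authorization` header as its identity source, otherwise API Gateway caches the first policy for whatever key it does use and a later caller can ride on it; and the shared credential lives in the browser of everyone it is given to, which is the same property the comments above discuss for the API key, so rotating it is the only way to revoke a friend's access.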