This project extends our previous AWS Serverless API application. It adds request authorization, rate limiting and API keys so that the DynamoDB table behind the API is protected from unauthorized access and abuse.
The goal is to stop anyone without credentials from reading, adding, updating or deleting records, and to cap how fast and how often the API can be called. Authorization is done by a Lambda authorizer, throttling and quotas by an API Gateway usage plan, and the write methods are additionally gated by an API key.
The architecture for this project includes the following components:
- AWS Lambda: the "lambdaAuth" function that acts as a Lambda (TOKEN) authorizer for API requests
- Amazon API Gateway: receives requests, calls the authorizer, enforces the usage plan (rate, burst, quota) and the API key
- Amazon DynamoDB: stores the application data (the books table) that the API exposes. API keys and throttle settings are kept in API Gateway usage plans, not in DynamoDB
- Amazon CloudWatch: monitoring and logging for the API stage and the authorizer function
Prerequisites:
- An AWS account
- Postman (or curl) for testing the API
- Clone the repository:

```bash
git clone https://github.com/your-username/api-authorization-and-rate-limiting.git
cd api-authorization-and-rate-limiting
```
- In the Lambda console, click Create function.
- Name the function "lambdaAuth" and choose a Python runtime.
- Paste the code from the "lambda_authoriser.py" file in the cloned repo into the source code editor and click Deploy.
- The shared token the clients must present is hardcoded in that file. If you publish the repository, change the value; better, read it from an environment variable or AWS Secrets Manager so the secret is not committed.
- In the API Gateway console open the API, go to Authorizers and create a Lambda authorizer named "lambdaAuth": type Lambda, function "lambdaAuth", event payload Token, token source "Authorization".
- Under Resources > GET > Method Request, edit the request settings and set Authorization to "lambdaAuth". Tick "API Key Required" on the methods you also want gated by an API key (in this setup only DELETE, see the usage plan step below).
- Repeat this for every method in the API, then deploy the API to the "dev" stage; method settings only take effect after a deployment. Authorizer results are cached per token for 300 seconds by default, so a changed token keeps working until the cache entry expires.
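The repository's "lambda_authoriser.py" is not reproduced on this page. The following is an added example of a TOKEN authorizer written for this README, not the project's own code: it compares the Authorization header against a shared token in constant time and returns the IAM policy document API Gateway expects. The environment variable name `AUTH_TOKEN`, the fallback value and the sample ARNs are assumptions for illustration. One detail the page does not mention: with authorizer caching on, a policy scoped to the exact `methodArn` of the first call would be cached by token and then deny other methods, so the policy below covers every method and path of the same API stage.

```python
import hmac
import os

# Assumption: the shared secret is supplied as a Lambda environment variable.
# The original project hardcodes the value inside lambda_authoriser.py.
EXPECTED_TOKEN = os.environ.get("AUTH_TOKEN", "change-me")


def stage_wildcard_arn(method_arn):
    """Widen 'arn:...:apiId/stage/METHOD/path' to 'arn:...:apiId/stage/*/*'.

    API Gateway caches the returned policy per token; scoping it to one
    method would make the cached Allow deny every other method.
    """
    parts = method_arn.split("/")
    if len(parts) < 2:
        return method_arn
    return f"{parts[0]}/{parts[1]}/*/*"


def build_policy(principal_id, effect, resource):
    """IAM policy document in the shape a TOKEN authorizer must return."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": effect,
                    "Resource": resource,
                }
            ],
        },
    }


def authorize(token, method_arn, expected=EXPECTED_TOKEN):
    """Allow when the presented token matches; constant-time comparison."""
    resource = stage_wildcard_arn(method_arn)
    if token and hmac.compare_digest(token.encode(), expected.encode()):
        return build_policy("api-user", "Allow", resource)
    # A Deny policy makes API Gateway answer 403 to the caller.
    return build_policy("anonymous", "Deny", resource)


def lambda_handler(event, context):
    # TOKEN authorizers receive the header value in authorizationToken.
    token = event.get("authorizationToken", "")
    method_arn = event.get("methodArn", "*")
    return authorize(token, method_arn)
```

The handler deliberately returns Deny instead of raising an exception: raising makes API Gateway respond 401, while a Deny policy yields the 403 the test steps below expect.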
- Click Usage Plans in the left navigation and create a plan named "api-usage-plan". Set the throttling values (per second):
- rate: 1, burst: 2
- Optionally set a quota of 30 requests per day. This is not required for security; it keeps the publicly shared demo link inside the free tier.
- Under API Keys create a key and add it to the usage plan, then associate the plan with the "dev" stage of this API. Only clients that send the key in the x-api-key header can call methods marked "API Key Required".
- Here the key is enforced only on the DELETE method; consider enabling it on POST and PUT as well, since those methods add and update data. Usage plan throttles and quotas are counted per API key, so methods that do not require a key are not limited by this plan.
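To make the rate/burst and quota settings concrete, here is an added illustration written for this README, not AWS code: a token-bucket model of the usage plan in which `rate` is the refill speed in tokens per second, `burst` is the bucket capacity and `quota` is the per-key daily request count. The timestamps and the 200/429 status codes are a constructed simulation; API Gateway's real limiter is distributed and will not match the model to the request.

```python
class TokenBucket:
    """Token bucket: 'rate' tokens refill per second, 'burst' is the capacity."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.capacity = int(burst)
        self.tokens = float(burst)  # a fresh bucket is full
        self.last = None

    def allow(self, now):
        """Consume one token at time 'now' if available; refill first."""
        if self.last is not None:
            elapsed = now - self.last
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(timestamps, rate=1, burst=2, quota=None):
    """Return the status each request would get under the modelled usage plan.

    timestamps: seconds at which requests carrying the same API key arrive.
    quota: optional total requests allowed in the period (per key), like the
    30/day on this page. Exceeding rate/burst or quota both give 429.
    """
    bucket = TokenBucket(rate, burst)
    accepted = 0
    statuses = []
    for t in timestamps:
        if quota is not None and accepted >= quota:
            statuses.append(429)  # quota exhausted for this key
        elif bucket.allow(t):
            accepted += 1
            statuses.append(200)
        else:
            statuses.append(429)  # over rate/burst: "Too Many Requests"
    return statuses


if __name__ == "__main__":
    # Constructed traffic: three requests in 200 ms, one more 1.3 s later.
    # With rate=1, burst=2 the third request is throttled, the fourth passes.
    print(simulate([0.0, 0.1, 0.2, 1.5]))
    # Constructed traffic: one request per second against a quota of 3.
    print(simulate([0, 1, 2, 3], quota=3))
```

Reading the output against the page's settings: burst 2 means two back-to-back requests are accepted, the third within the same second is rejected with 429, and after about a second of idle time one token has refilled and the next request passes again.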
- Open Postman, enter the API URL, select the GET method and click Send.
- The response is 403 Forbidden.
- Now add a header:
- Authorization: <value>
- where <value> is the password set in the lambdaAuth function.
- Send again: 200 OK, and the response lists all items in the DynamoDB table.
- Enter the URL https://opxfw4472e.execute-api.ap-south-1.amazonaws.com/dev/books/6, select the DELETE method and click Send (keep the Authorization header).
- The response is 403 Forbidden, because DELETE also requires an API key.
- Now add the header x-api-key: <value>
- where <value> is the key shown in the API Keys section of API Gateway.
- Click Send: the response is 204 No Content.
- Check with a GET: item 6 has been deleted.
In this project we extended the serverless API with a Lambda authorizer, a usage plan for rate limiting and quotas, and an API key on the destructive method. Together these keep unauthenticated callers away from the DynamoDB data and bound how heavily the API can be used, using only API Gateway and Lambda features.