1
00:00:00,000 --> 00:00:01,830
‫Now here is a pretty heavy lecture

2
00:00:01,830 --> 00:00:05,610
‫around API gateway security, but one you should master,

3
00:00:05,610 --> 00:00:08,650
‫so I've tried to include as many diagrams as possible.

4
00:00:08,650 --> 00:00:10,810
‫So the first one is to use IAM permissions

5
00:00:10,810 --> 00:00:12,750
‫to access your API gateway.

6
00:00:12,750 --> 00:00:14,890
‫That makes sense, this is what we've been doing so far,

7
00:00:14,890 --> 00:00:16,360
‫we use an IAM policy

8
00:00:16,360 --> 00:00:17,920
‫and we attach it to user enroll

9
00:00:17,920 --> 00:00:20,380
‫and we're able to invoke our API gateway.

10
00:00:20,380 --> 00:00:24,050
‫So in this case the authentication is done through IAM

11
00:00:24,050 --> 00:00:27,490
‫and the authorization is done through an IAM policy.

12
00:00:27,490 --> 00:00:31,170
‫So this is the optimal way to protect your API gateway

13
00:00:31,170 --> 00:00:33,700
‫if it's being accessed within your

14
00:00:33,700 --> 00:00:34,750
‫AWS accounts,

15
00:00:34,750 --> 00:00:37,440
‫so that includes if you're using EC2 instances,

16
00:00:37,440 --> 00:00:38,560
‫Lambda functions,

17
00:00:38,560 --> 00:00:40,880
‫or IAM users, et cetera et cetera.

18
00:00:40,880 --> 00:00:44,290
‫In order to pass your IAM credentials to the API gateway,

19
00:00:44,290 --> 00:00:48,030
‫there is a leverage of the signature before capability

20
00:00:48,030 --> 00:00:49,210
‫where the eight credentials

21
00:00:49,210 --> 00:00:52,320
‫are going to be signed and then placed into headers.

22
00:00:52,320 --> 00:00:53,680
‫So let's take an example,

23
00:00:53,680 --> 00:00:56,090
‫the API gateway is deployed into a stage

24
00:00:56,090 --> 00:00:58,400
‫and secured with IAM permissions,

25
00:00:58,400 --> 00:01:00,000
‫and there's a backend of Lambda functions.

26
00:01:00,000 --> 00:01:03,440
‫So first our clients is going to do a rest API call

27
00:01:03,440 --> 00:01:06,200
‫and we'll pass the Sig v4 headers,

28
00:01:06,200 --> 00:01:08,790
‫then API gateway knows how to decrypt those,

29
00:01:08,790 --> 00:01:12,710
‫so it will check with IAM if the user is authorized

30
00:01:12,710 --> 00:01:14,740
‫and so there will be an IAM policy check,

31
00:01:14,740 --> 00:01:16,440
‫and so as soon as this is done

32
00:01:16,440 --> 00:01:18,450
‫the API gateway will, if it's authorized,

33
00:01:18,450 --> 00:01:20,180
‫talk to the Lambda function in the backend

34
00:01:20,180 --> 00:01:22,890
‫and returned a result to the clients.

35
00:01:22,890 --> 00:01:27,050
‫So there's is a first permission mode and it is very simple.

36
00:01:27,050 --> 00:01:30,510
‫Now this can be combined with resource policies.

37
00:01:30,510 --> 00:01:31,343
‫So,

38
00:01:31,343 --> 00:01:34,510
‫resource policies sound a lot like Lambda resource policies

39
00:01:34,510 --> 00:01:37,170
‫because they are for the exact same purpose,

40
00:01:37,170 --> 00:01:41,430
‫they allow you to set adjacent policy on your API gateway

41
00:01:41,430 --> 00:01:44,850
‫to define who and what can access your API gateway.

42
00:01:44,850 --> 00:01:47,600
‫So the main use case of resource policies

43
00:01:47,600 --> 00:01:50,100
‫is to use cross account access,

44
00:01:50,100 --> 00:01:53,860
‫so we would define adjacent policy just like this

45
00:01:53,860 --> 00:01:56,500
‫and combined it with IAM security,

46
00:01:56,500 --> 00:01:58,900
‫we are able to give access

47
00:01:58,900 --> 00:01:59,870
‫of users

48
00:01:59,870 --> 00:02:02,000
‫or roles in other accounts

49
00:02:02,000 --> 00:02:03,830
‫directly into our API gateway.

50
00:02:03,830 --> 00:02:05,850
‫So this is for cross account access,

51
00:02:05,850 --> 00:02:07,030
‫but you could also

52
00:02:07,030 --> 00:02:10,410
‫use resource policy to filter for specific IP addresses,

53
00:02:10,410 --> 00:02:13,230
‫or to allow only for a VPC Endpoint.

54
00:02:13,230 --> 00:02:15,960
‫So there is the first category of security.

55
00:02:15,960 --> 00:02:18,560
‫The second category is around Cognito user pool,

56
00:02:18,560 --> 00:02:21,590
‫so we'll see Cognito in its own section,

57
00:02:21,590 --> 00:02:25,140
‫but Cognito at a high level It's a database of users.

58
00:02:25,140 --> 00:02:28,180
‫So Cognito will manage fully the user lifecycle

59
00:02:28,180 --> 00:02:29,366
‫and the token of

60
00:02:29,366 --> 00:02:31,850
‫connection to Cognito will expire automatically,

61
00:02:31,850 --> 00:02:35,270
‫and so the API Gateway will verify the identity

62
00:02:35,270 --> 00:02:38,860
‫of the people connecting to API with Cognito.

63
00:02:38,860 --> 00:02:41,020
‫There's no custom implementation required,

64
00:02:41,020 --> 00:02:44,010
‫so in this case the users have to authenticate

65
00:02:44,010 --> 00:02:45,930
‫with the Cognito User Pools,

66
00:02:45,930 --> 00:02:50,000
‫and then the authorization is set at the API gateway methods

67
00:02:50,000 --> 00:02:50,833
‫level.

68
00:02:50,833 --> 00:02:51,666
‫So,

69
00:02:51,666 --> 00:02:52,499
‫if we have a look

70
00:02:52,499 --> 00:02:54,170
‫here our API gateway

71
00:02:54,170 --> 00:02:58,120
‫is talking to Lambda function in our backend,

72
00:02:58,120 --> 00:02:59,090
‫and then,

73
00:02:59,090 --> 00:03:03,053
‫our client first authenticates with the Cognito User Pool

74
00:03:03,053 --> 00:03:04,020
‫to

75
00:03:04,020 --> 00:03:06,890
‫retrieve a connection token.

76
00:03:06,890 --> 00:03:09,940
‫So the users are already restarting user pool,

77
00:03:09,940 --> 00:03:12,290
‫then our client is authenticated they received a token

78
00:03:12,290 --> 00:03:15,740
‫and it will pass the token in the API call

79
00:03:15,740 --> 00:03:18,250
‫to our API gateway.

80
00:03:18,250 --> 00:03:20,550
‫Now what will happen is that the API gateway

81
00:03:20,550 --> 00:03:23,140
‫has a direct integration with Cognito User Pools,

82
00:03:23,140 --> 00:03:25,900
‫and it will evaluate the Cognito token

83
00:03:25,900 --> 00:03:27,790
‫with the Cognito User Pool

84
00:03:27,790 --> 00:03:29,830
‫and if the token is correct,

85
00:03:29,830 --> 00:03:32,730
‫it's going to allow access to your backend.

86
00:03:32,730 --> 00:03:35,300
‫So this is a very easy kind of security

87
00:03:35,300 --> 00:03:36,850
‫one will be exploring.

88
00:03:36,850 --> 00:03:40,060
‫And then the last one is Lambda Authorizer,

89
00:03:40,060 --> 00:03:42,610
‫formerly called Custom Authorizer,

90
00:03:42,610 --> 00:03:44,490
‫and this one is the most flexible

91
00:03:44,490 --> 00:03:47,350
‫but requires the most involvement on your end.

92
00:03:47,350 --> 00:03:49,910
‫So it is a Token-based authorizer

93
00:03:49,910 --> 00:03:51,240
‫with a bearer token,

94
00:03:51,240 --> 00:03:54,180
‫and this looks like a JWT so JSON Web token

95
00:03:54,180 --> 00:03:55,100
‫or Oauth.

96
00:03:55,100 --> 00:03:56,680
‫And so the idea is that,

97
00:03:56,680 --> 00:03:59,980
‫we can pass a request based parameters with headers

98
00:03:59,980 --> 00:04:03,500
‫or query strings into a Lambda authorizer,

99
00:04:03,500 --> 00:04:05,000
‫and the Lambda function

100
00:04:05,000 --> 00:04:07,810
‫will have to evaluate what we passed to it,

101
00:04:07,810 --> 00:04:09,200
‫and if it's happy,

102
00:04:09,200 --> 00:04:12,380
‫return an IAM policy for the clients that made the request

103
00:04:12,380 --> 00:04:13,610
‫and the policy will be cached.

104
00:04:13,610 --> 00:04:15,330
‫So I will be explaining this in diagram

105
00:04:15,330 --> 00:04:16,740
‫it will be much clearer.

106
00:04:16,740 --> 00:04:19,440
‫So the authentication in this time is external

107
00:04:19,440 --> 00:04:23,370
‫so it's up to you to authenticate users any where you want,

108
00:04:23,370 --> 00:04:24,203
‫and

109
00:04:24,203 --> 00:04:27,130
‫the authorization has to be done in your Lambda function.

110
00:04:27,130 --> 00:04:29,560
‫So, here's a diagram it should make a lot more sense.

111
00:04:29,560 --> 00:04:32,540
‫So the API gateway has a backend to get on the function,

112
00:04:32,540 --> 00:04:34,680
‫and our clients first authenticates

113
00:04:34,680 --> 00:04:37,580
‫with a third party authentication system.

114
00:04:37,580 --> 00:04:39,990
‫For example, it could be off zero.

115
00:04:39,990 --> 00:04:41,610
‫So we retrieve a token

116
00:04:41,610 --> 00:04:44,090
‫from our third party authentication system,

117
00:04:44,090 --> 00:04:47,470
‫and then we pass this token to the API gateway,

118
00:04:47,470 --> 00:04:51,140
‫either through a header or through request biometrics.

119
00:04:51,140 --> 00:04:52,300
‫Then the API gateway

120
00:04:52,300 --> 00:04:54,210
‫is integrated with the Lambda Authorizer,

121
00:04:54,210 --> 00:04:55,800
‫so this is a Lambda function

122
00:04:55,800 --> 00:04:57,620
‫they will retrieve some information

123
00:04:57,620 --> 00:05:00,569
‫around the context as well as this token

124
00:05:00,569 --> 00:05:03,270
‫that we authenticated from.

125
00:05:03,270 --> 00:05:05,600
‫Then the Lambda function is something we have to program

126
00:05:05,600 --> 00:05:07,860
‫so it's up to us to verify that token,

127
00:05:07,860 --> 00:05:09,970
‫maybe talk to the third party authentication system

128
00:05:09,970 --> 00:05:13,060
‫to verify the validity of the token,

129
00:05:13,060 --> 00:05:14,440
‫and if it is valid,

130
00:05:14,440 --> 00:05:16,620
‫then the Lambda function will return

131
00:05:16,620 --> 00:05:20,500
‫and have to create an IAM principal and IAM policy,

132
00:05:20,500 --> 00:05:22,730
‫and this is done once then it will get cached

133
00:05:22,730 --> 00:05:24,000
‫into a Policy Cache

134
00:05:24,000 --> 00:05:27,900
‫and then the API gateway will talk to our Lambda backend.

135
00:05:27,900 --> 00:05:28,733
‫So,

136
00:05:28,733 --> 00:05:30,700
‫the Lambda Authorizer is lot more involved as you can see,

137
00:05:30,700 --> 00:05:31,950
‫and it is used the mainly

138
00:05:31,950 --> 00:05:35,240
‫when you're using a third party authentication system.

139
00:05:35,240 --> 00:05:36,073
‫So,

140
00:05:36,073 --> 00:05:38,020
‫what do we need to remember going into the examiner?

141
00:05:38,020 --> 00:05:39,860
‫Well, just a high level thankfully,

142
00:05:39,860 --> 00:05:42,670
‫So with IAM security this is great when you have users

143
00:05:42,670 --> 00:05:45,210
‫and roles already created in your accounts,

144
00:05:45,210 --> 00:05:47,720
‫and if you look at doing cross account access,

145
00:05:47,720 --> 00:05:51,000
‫then you need to use resource policy on top of things.

146
00:05:51,000 --> 00:05:53,900
‫It's great for handling authentication and authorization

147
00:05:53,900 --> 00:05:55,130
‫the way we already know,

148
00:05:55,130 --> 00:05:58,670
‫and this leverages Signature v4 as a technology.

149
00:05:58,670 --> 00:06:02,030
‫The Custom Authorizer is great when you're a third party

150
00:06:02,030 --> 00:06:03,510
‫databases of users

151
00:06:03,510 --> 00:06:04,680
‫and it's very flexible because,

152
00:06:04,680 --> 00:06:06,860
‫we choose what IAM policy will return

153
00:06:06,860 --> 00:06:09,650
‫and we need to enable and handle ourselves

154
00:06:09,650 --> 00:06:10,690
‫the authentication,

155
00:06:10,690 --> 00:06:13,520
‫and the authorization in the Lambda function.

156
00:06:13,520 --> 00:06:15,460
‫And even though the results are cached

157
00:06:15,460 --> 00:06:17,010
‫we still pay for the Lambda invocation

158
00:06:17,010 --> 00:06:18,210
‫and that can take awhile.

159
00:06:18,210 --> 00:06:19,510
‫And finally,

160
00:06:19,510 --> 00:06:22,380
‫the Cognito User Pool in which we manage our own user pool

161
00:06:22,380 --> 00:06:25,720
‫We'll see this how we can do it in the Cognito section.

162
00:06:25,720 --> 00:06:28,440
‫We don't need to write any custom code so this is preferred

163
00:06:28,440 --> 00:06:31,250
‫and we must implement authorization ourselves,

164
00:06:31,250 --> 00:06:33,330
‫in the backend Lambda function.

165
00:06:33,330 --> 00:06:35,640
‫So let's say for security now let's go into the console

166
00:06:35,640 --> 00:06:37,770
‫to see these options very quickly.

167
00:06:37,770 --> 00:06:39,570
‫So let's see the security options,

168
00:06:39,570 --> 00:06:41,970
‫so the first one is that if we click on any method

169
00:06:41,970 --> 00:06:43,220
‫in our resources

170
00:06:43,220 --> 00:06:44,650
‫and click on method request,

171
00:06:44,650 --> 00:06:47,520
‫here we can set the authorization

172
00:06:47,520 --> 00:06:49,430
‫and the only option we have accessible right now

173
00:06:49,430 --> 00:06:51,000
‫is either is IAM ,

174
00:06:51,000 --> 00:06:55,070
‫so this is check the IAM user policy and roles

175
00:06:55,070 --> 00:06:56,060
‫and this is helpful

176
00:06:56,060 --> 00:06:59,140
‫when we have everything within our accounts,

177
00:06:59,140 --> 00:07:00,860
‫and this is Sig v4.

178
00:07:00,860 --> 00:07:02,440
‫So this can be used in combination

179
00:07:02,440 --> 00:07:03,273
‫and I'm not going to do it,

180
00:07:03,273 --> 00:07:05,100
‫but this can be used in combination

181
00:07:05,100 --> 00:07:06,430
‫with the Resource Policy

182
00:07:06,430 --> 00:07:08,290
‫so they can be defined on the left hand side,

183
00:07:08,290 --> 00:07:09,150
‫and here we have

184
00:07:10,132 --> 00:07:11,140
‫free templates.

185
00:07:11,140 --> 00:07:13,990
‫The first one is the cross accounts resource policy,

186
00:07:13,990 --> 00:07:18,352
‫so here we can replace by the name of another account IG

187
00:07:18,352 --> 00:07:20,830
‫and we will have a resource policy that would allow

188
00:07:20,830 --> 00:07:22,610
‫cross account access,

189
00:07:22,610 --> 00:07:24,470
‫or we could have an IP range blacklists

190
00:07:24,470 --> 00:07:29,470
‫so to disable some IPs to access or not our API gateway.

191
00:07:29,530 --> 00:07:31,270
‫And finally Source VPC Whitelist

192
00:07:31,270 --> 00:07:33,110
‫if you want to authorize

193
00:07:33,110 --> 00:07:35,490
‫another VPC into our API gateway.

194
00:07:35,490 --> 00:07:37,380
‫So this resource policy for example,

195
00:07:37,380 --> 00:07:38,850
‫this cross account access

196
00:07:38,850 --> 00:07:42,900
‫plus the ERIS IAM type of security

197
00:07:42,900 --> 00:07:46,600
‫allows us to fully control who accesses our API gateway,

198
00:07:46,600 --> 00:07:47,900
‫with IAM.

199
00:07:47,900 --> 00:07:49,660
‫Now we can set up other authorizers,

200
00:07:49,660 --> 00:07:53,020
‫so on the left hand side we can create a new authorizer,

201
00:07:53,020 --> 00:07:54,490
‫and currently there are two new,

202
00:07:54,490 --> 00:07:56,250
‫so it could be a Lambda type of authorizer

203
00:07:56,250 --> 00:07:57,630
‫which is the custom one,

204
00:07:57,630 --> 00:07:59,370
‫and we need to set up a lot of settings

205
00:07:59,370 --> 00:08:00,890
‫and as you can see for Lambda

206
00:08:00,890 --> 00:08:03,720
‫the most important that we should set up a Lambda function,

207
00:08:03,720 --> 00:08:05,520
‫that will be our authorizer

208
00:08:05,520 --> 00:08:09,900
‫as well as how if we want to cache the authorization

209
00:08:09,900 --> 00:08:12,220
‫which is definitely recommended.

210
00:08:12,220 --> 00:08:14,430
‫Or, we can use a Cognito User Pool

211
00:08:14,430 --> 00:08:16,440
‫in which case it's much simpler to setup,

212
00:08:16,440 --> 00:08:17,690
‫We should just send

213
00:08:19,060 --> 00:08:21,910
‫identify the ARN of our Cognito User Pool,

214
00:08:21,910 --> 00:08:24,030
‫then click on create and we're good to go.

215
00:08:24,030 --> 00:08:25,330
‫Now security is a lot advanced,

216
00:08:25,330 --> 00:08:27,100
‫I just wanted to show you the options in the console,

217
00:08:27,100 --> 00:08:28,880
‫in case you want to have it play with it.

218
00:08:28,880 --> 00:08:31,830
‫But that's just for me. I will see you in the next lecture.