Security for API Gateway

0

I was wondering how I can/should 'protect' my API endpoint (which triggers a Lambda function). As the endpoint is publicly visible, it seems that someone could spam it with requests. From what I've read, AWS will, as a matter of course, offer some throttling and perhaps some other security? But I just wondered if there was any guidance or best practice to follow here (i.e., should the endpoint be accessed through CloudFront?). Any direction or guidance would be really helpful!

2 Answers
4
Accepted Answer

API Gateway provides a number of ways to protect your API from certain threats, like malicious users or spikes in traffic. You can protect your API using strategies like generating SSL certificates, configuring a web application firewall, setting throttling targets, and only allowing access to your API from a Virtual Private Cloud (VPC).

  • Configuring mutual TLS authentication for a REST API
  • Generate and configure an SSL certificate for backend authentication
  • Using AWS WAF to protect your APIs
  • Throttle API requests for better throughput
  • Creating a private API in Amazon API Gateway

https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-protect.html

On top of that, you have access control: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html

EXPERT
answered a month ago
0

You can configure SSL, implement authentication/authorization before processing the request, and use rate limiting: https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-protect.html

Sushant
answered a month ago
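
The throttling and AWS WAF options named in the answers above, sketched as a CloudFormation fragment. This is an added example, not part of either answer; `MyApi` and `MyDeployment` are assumed to be defined elsewhere in the template, and every name and numeric limit is a placeholder to tune for your own traffic.

```yaml
# Added example: CloudFormation fragment, not from the original answers.
# MyApi and MyDeployment are assumed to exist elsewhere in the template.
Resources:
  ProdStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref MyApi
      DeploymentId: !Ref MyDeployment
      StageName: prod
      MethodSettings:
        - ResourcePath: "/*"          # every resource in the stage
          HttpMethod: "*"             # every method
          ThrottlingRateLimit: 50     # steady-state requests per second (placeholder)
          ThrottlingBurstLimit: 100   # burst capacity (placeholder)

  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: api-rate-limit
      Scope: REGIONAL                 # scope used for API Gateway REST API stages
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: apiWebAcl
      Rules:
        - Name: per-ip-rate-limit
          Priority: 0
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 1000             # requests per source IP per evaluation window (5 minutes by default)
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: perIpRateLimit

  ApiWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      # !Ref on the stage returns its name, which also orders creation correctly
      ResourceArn: !Sub "arn:${AWS::Partition}:apigateway:${AWS::Region}::/restapis/${MyApi}/stages/${ProdStage}"
      WebACLArn: !GetAtt ApiWebAcl.Arn
```

The stage throttle is shared by all callers, so one noisy client can consume it for everyone; the per-IP WAF rule blocks that client before its requests count against the stage limit or invoke the Lambda function.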
