BLOG

Enhancing AWS API Gateway Security: Best Practices for API Management

Dave Morrissey Miniatura
Dave Morrissey
Published April 09, 2024

APIs make it easier to integrate services, connect data, or make updates, which is why they’re so prevalent in modern applications. As organizations continue to modernize their app portfolios, the number of APIs in use is projected to exceed one billion by 2031.1 Tracking—let alone securing—all of those APIs is a challenge, leading to organizations dealing with a number of unmanaged “shadow” APIs in their environment.

Unfortunately, attackers have realized that APIs are often an easier target than applications, demonstrated by the fact that 90% of web-based cyberattacks target API endpoints, per F5 analysis.2 Unmanaged APIs create a particular risk, as you can’t secure what you can’t see. Many APIs are also built by different teams or even other companies than those building the apps, limiting visibility into potential risks.

Navigating APIs and the shared responsibility model

Effectively managing and securing large volumes of APIs requires a multi-layered solution. For AWS users, Amazon API Gateway is a fully managed service that enables developers to create, publish, maintain, monitor, and secure APIs at any scale. API Gateway supports a variety of backend integrations, enabling containerized, serverless, and traditional instance-based workloads.

However, security is a shared responsibility between AWS and its customers. While AWS is responsible for protecting infrastructure and services, customers must also secure their data and applications.

AWS recommends the following security design principles.3

  • Mitigate distributed denial-of-service (DDoS) attack effects
  • Implement inspection and protection using a web application firewall (WAF)
  • Enable auditing and traceability with near real-time monitoring
  • Automate security best practices
  • Apply security at all layers for a defense-in-depth approach

Secure APIs on AWS with F5

As an AWS partner, F5 offers security that works with Amazon API Gateway to secure your apps and APIs. F5 BIG-IP Advanced WAF or F5 Distributed Cloud WAF can identify malicious traffic trying to reach the Amazon API Gateway or your API services. You can deploy the WAF in front of or behind Amazon API Gateway. However, deploying it in front of the gateway has the added benefit of preventing malicious API calls that will cost you money.

F5 WAF solutions use behavioral analytics to accurately identify threats and provide layer 7 DoS mitigation, application-layer encryption, and threat intelligence services. Deploying a WAF protects your applications and APIs against attacks, including those in the OWASP Top 10.

Another important requirement for API protection is discovery. Integrate F5 Distributed Cloud API Security with your CI/CD pipeline to capture API changes without disrupting the development process. Upload an existing API schema to enforce appropriate API behavior and automatically generate policies based on app-to-app and API-to-API patterns. F5 Distributed Cloud API Security also controls connections and monitors for anomalous behavior in API traffic, allowing it to block suspicious activity.

Bots pose another major threat to API security. Several of the OWASP API Security Top 10 threats are weaknesses that can be easily exploited by bots, such as unrestricted resource consumption or broken authentication. Adding F5 Distributed Cloud Bot Defense enables a combination of human experts and machine learning to detect malicious bot traffic while admitting legitimate users and helpful bots.

Get multi-layered API security

F5 offers everything you need to protect your APIs with F5 Distributed Cloud Web App and API Protection (WAAP), providing multi-layered security with unified management. Distributed Cloud WAAP brings consistent security to your apps and APIs no matter where they’re deployed—on AWS, other public or private clouds, on premises, or at the edge.

Find F5 Distributed Cloud WAAP on the AWS Marketplace, allowing you to easily add protection and uphold your end of the shared responsibility model.

Learn more about F5 solutions for AWS at f5.com/aws.