
AWS API Gateway Security - AI-Optimized Reference

Configuration That Works in Production

WAF Integration (Critical First Defense)

  • Availability: REST APIs only - HTTP APIs have no WAF support
  • Cost Impact: $1.00 per web ACL + $1.00 per rule + $0.60 per million requests
  • Real Attack Cost: $4K Lambda charges from 50K+ SQL injection requests/minute before proper WAF config
  • Performance Breaking Point: UI breaks at 1000 spans, making debugging large distributed transactions effectively impossible

Essential WAF Rules:

  • SQL Injection Protection: Catches UNION SELECT and ' OR '1'='1' patterns in query parameters
  • XSS Filter: Blocks <script> tags and javascript: attempts
  • Rate Limiting: 1000 requests per 5-minute window per IP (adjust for traffic patterns)
  • Known Bad IPs: AWS managed rule set blocks Tor exit nodes and known botnets
  • Size Restrictions: Reject requests over 1MB body size to prevent DoS attacks

Critical Monitoring Thresholds:

  • Set CloudWatch alarms for blocked request spikes
  • "AllowedRequests" dropping below 50% of total requests indicates active attack
  • 20% 4XX errors = normal mobile app behavior, 50%+ = definite attack
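
The thresholds above applied to access-log lines, as an added example that is not code from the page: it computes the 4XX share against the 20% / 50% markers, the WAF allowed-request share against the 50% mark, and finds source IPs that exceed 1000 requests in any sliding 5-minute window (the WAF rate rule from the previous list). Field names follow API Gateway's `$context` access-log variables (`requestId`, `sourceIp`, `status`, `path`, `requestTimeEpoch`), but the log lines are constructed, not captured from a real API, and the "elevated" label for the band between 20% and 50% is our own.

```python
# Added example (not from the page): apply the page's monitoring thresholds
# to API Gateway access-log lines. Field names follow the $context access-log
# variables; the sample log below is constructed.
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FOURXX_NORMAL = 0.20      # page: ~20% 4XX is normal mobile-app behaviour
FOURXX_ATTACK = 0.50      # page: 50%+ 4XX is a definite attack
ALLOWED_MIN_SHARE = 0.50  # page: AllowedRequests below 50% of total = active attack
RATE_LIMIT = 1000         # page: WAF rate rule, requests per window per IP
RATE_WINDOW = timedelta(minutes=5)


def parse_access_log(lines):
    """Parse JSON access-log lines (one object per line) into dicts."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        records.append({
            "requestId": rec["requestId"],
            "ip": rec["sourceIp"],
            "status": int(rec["status"]),
            "path": rec["path"],
            "ts": datetime.fromtimestamp(rec["requestTimeEpoch"] / 1000, tz=timezone.utc),
        })
    return records


def four_xx_verdict(records):
    """Classify the 4XX share using the page's 20% / 50% markers."""
    if not records:
        return "no-data"
    share = sum(400 <= r["status"] < 500 for r in records) / len(records)
    if share >= FOURXX_ATTACK:
        return "attack"
    if share > FOURXX_NORMAL:
        return "elevated"  # between the page's two markers; the label is ours
    return "normal"


def waf_allowed_share_alarm(allowed, blocked):
    """True when WAF AllowedRequests fall below half of all requests."""
    total = allowed + blocked
    return total > 0 and allowed / total < ALLOWED_MIN_SHARE


def ips_over_rate_limit(records, limit=RATE_LIMIT, window=RATE_WINDOW):
    """Return {ip: peak} for IPs whose request count in any sliding window of
    `window` length exceeds `limit` - what a WAF rate-based rule would block."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            offenders[ip] = peak
    return offenders


def analyze(lines):
    records = parse_access_log(lines)
    return {
        "requests": len(records),
        "four_xx": four_xx_verdict(records),
        "rate_offenders": ips_over_rate_limit(records),
    }


def constructed_sample():
    """Constructed log: 300 legitimate requests spread over an hour from 20
    client IPs (about 14% 4XX), then 1200 rejected requests from one IP
    inside two minutes."""
    base_ms = 1_735_732_800_000  # 2025-01-01T12:00:00Z, arbitrary
    lines = []
    for i in range(300):
        lines.append(json.dumps({
            "requestId": f"legit-{i}", "sourceIp": f"198.51.100.{i % 20 + 1}",
            "status": 404 if i % 7 == 0 else 200, "path": "/v1/orders",
            "requestTimeEpoch": base_ms + 12_000 * i}))
    for i in range(1200):
        lines.append(json.dumps({
            "requestId": f"atk-{i}", "sourceIp": "203.0.113.9",
            "status": 400, "path": "/v1/orders",
            "requestTimeEpoch": base_ms + 100 * i}))
    return lines


if __name__ == "__main__":
    print(analyze(constructed_sample()))
```

Run against real data, feed `analyze` the JSON lines from the CloudWatch log group of the stage; the 4XX verdict is what a CloudWatch alarm on the 4XXError metric approximates, and the rate check reproduces offline what a WAF rate-based rule decides at the edge.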

Resource Policies (Kill Switch Configuration)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:*:*:*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]
        }
      }
    }
  ]
}

Critical Warning: This policy blocks everything except specified IP ranges. Test thoroughly on dev stage - engineers have locked themselves out of production deployments.
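
One way to catch that lockout before it reaches production, as an added example that is not part of the page: evaluate the policy above against every source that must keep calling the API (office VPN, CI runners, partners) and list the ones it would shut out. The policy dict is the page's own JSON; the required callers are constructed. Only the `IpAddress` / `NotIpAddress` condition operators and explicit `Allow` / `Deny` effects are modelled, which is what this policy uses.

```python
# Added example (not from the page): evaluate the page's resource policy for
# a set of source IPs before deploying it, so a lockout shows up on a dev
# stage rather than in production.
import ipaddress
import json

# The page's own policy: allow invoke only from two documentation ranges.
RESOURCE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:*:*:*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]
        }
      }
    }
  ]
}
""")

# Constructed: the callers that must keep working after the policy is applied.
REQUIRED_SOURCES = {
    "office-vpn": "203.0.113.45",
    "partner-integration": "198.51.100.200",
    "ci-runner": "192.0.2.10",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _invoke_covered(stmt):
    actions = _as_list(stmt.get("Action", []))
    return any(a in ("execute-api:Invoke", "execute-api:*", "*") for a in actions)


def _condition_matches(condition, ip):
    """Match the aws:SourceIp conditions; an empty condition always matches."""
    for operator, keys in condition.items():
        cidrs = _as_list(keys.get("aws:SourceIp", []))
        in_any = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if operator == "IpAddress" and not in_any:
            return False
        if operator == "NotIpAddress" and in_any:
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"condition operator not modelled: {operator}")
    return True


def policy_allows(policy, source_ip):
    """IAM-style evaluation for execute-api:Invoke: an explicit Deny wins,
    otherwise any matching Allow grants, otherwise the call is denied."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        if not _invoke_covered(stmt):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def lockout_check(policy, required_sources):
    """Return the required callers that the policy would shut out."""
    return {name: ip for name, ip in required_sources.items()
            if not policy_allows(policy, ip)}


if __name__ == "__main__":
    print("locked out:", lockout_check(RESOURCE_POLICY, REQUIRED_SOURCES))
```

Put `lockout_check` in the deploy pipeline with the real caller list and fail the deploy when it returns anything; note that an IPv6 caller never matches an IPv4 CIDR, so clients arriving over IPv6 are a common way to be "locked out" by a policy that looks complete.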

TLS Configuration Requirements

  • API Gateway supports TLS 1.2+ by default (compliant)
  • Custom domain certificates require ACM certificates - never upload your own
  • Certificate pinning possible but breaks mobile apps during certificate rotation
  • Edge-optimized endpoints: TLS terminates at CloudFront, then re-encrypts to API Gateway
  • Regional endpoints: Single TLS termination at API Gateway service
  • Decision Criteria: Choose regional unless global performance is specifically required

Attack Detection and Response

Performance Impact During Security Incidents

Cold Start Reality During Attacks:

  • Java functions: 15-18 seconds first request (Spring Boot worst case)
  • Python/Node.js: 1-3 seconds typical, up to 3+ seconds with heavy dependencies
  • Go/Rust: 100-300ms unless importing excessive dependencies
  • Critical Failure Mode: DDoS attacks cause simultaneous cold starts across entire function fleet
  • Breaking Point: Systems handling 50K legitimate requests/minute collapse under 10K attack requests due to cold starts

Connection Pooling Becomes Critical:

  • Database connection opening during cold start adds 2-3 seconds latency
  • RDS connection limits hit during attack-induced cold start waves

Caching Security Trade-offs

Cache Poisoning Risks:

  • Cache authenticated responses → user data leakage
  • Cache unauthenticated responses → attackers poison cache
  • Safe Pattern: Only cache reference data identical for all users

Cache Invalidation Security Issues:

  • Default TTL up to 1 hour maintains cached privileges after revocation
  • Manual cache flushing takes 5-15 minutes to propagate across regions
  • Real Incident: Terminated employee's admin access cached for 45 minutes after account disable
  • Mitigation: Use 60-second TTL max for sensitive operations, skip cache entirely for admin/payment APIs

Throttling That Actually Works

Account-Level Risk:

  • Default 10,000 requests/second shared across entire AWS account
  • One attacked API can break all other services
  • Required: Method-level throttling on sensitive endpoints

{
  "burstLimit": 100,
  "rateLimit": 50
}

Per-Client vs Attack Mitigation:

  • Usage plans with API keys: Good for legitimate clients, useless against attackers
  • WAF rate limiting: Better for attack mitigation
  • Reality Check: Authentication APIs shouldn't accept 1000 requests/second from single IP
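
The caching rules from the previous section and the throttling rules from this one, as one added configuration lint that is not code from the page: it audits a stage's per-method settings for caching on admin/payment paths, TTLs over 60 seconds on sensitive paths, stage-wide caching, and sensitive methods with no method-level throttle, then applies the page's fixes (no cache, TTL clamped to 60 s, the 100 burst / 50 rps example values). The `methodSettings` layout mirrors what `aws apigateway get-stage` returns (keys are the resource path with `/` escaped as `~1`, a slash, then the HTTP method; `*/*` is the stage default). The stage is constructed, and which paths count as sensitive is our assumption.

```python
# Added example (not from the page): lint an API Gateway stage's method
# settings against the page's caching and throttling advice and apply the
# page's fixes. The stage below is constructed; the prefix lists are our
# reading of which endpoints the page calls sensitive.
import copy

NO_CACHE_PREFIXES = ("/admin", "/payments")           # page: skip cache entirely
SHORT_TTL_PREFIXES = ("/auth", "/users", "/admin", "/payments")  # assumption: "sensitive operations"
MAX_SENSITIVE_TTL = 60                                # page: 60-second TTL max
THROTTLE_REQUIRED_PREFIXES = SHORT_TTL_PREFIXES       # page: method-level throttling on sensitive endpoints
DEFAULT_TTL = 300                                     # API Gateway's default cache TTL

# Constructed stage: a typical "cache everything for an hour" default with
# a few per-method overrides, some of them wrong.
STAGE = {
    "stageName": "prod",
    "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheTtlInSeconds": 3600,
                "throttlingBurstLimit": 5000, "throttlingRateLimit": 10000},
        "~1catalog/GET": {"cachingEnabled": True, "cacheTtlInSeconds": 3600},
        "~1auth~1login/POST": {"cachingEnabled": True, "cacheTtlInSeconds": 300},
        "~1payments/POST": {"cachingEnabled": True, "cacheTtlInSeconds": 60,
                            "throttlingBurstLimit": 100, "throttlingRateLimit": 50},
        "~1admin~1users/GET": {"cachingEnabled": False,
                               "throttlingBurstLimit": 100, "throttlingRateLimit": 50},
    },
}


def decode_method_key(key):
    """'~1admin~1users/GET' -> ('/admin/users', 'GET')."""
    resource, _, method = key.rpartition("/")
    return resource.replace("~1", "/"), method


def audit_stage(stage):
    """Return a list of (path, method, finding) tuples."""
    findings = []
    settings = stage.get("methodSettings", {})
    default = settings.get("*/*", {})
    if default.get("cachingEnabled"):
        # Stage-wide caching stores authenticated responses for every method
        # that does not override it: the user-data leakage case on the page.
        findings.append(("*", "*", "STAGE_WIDE_CACHE"))
    for key, own in settings.items():
        if key == "*/*":
            continue
        path, method = decode_method_key(key)
        effective = {**default, **own}  # per-method values override the stage default
        if effective.get("cachingEnabled"):
            ttl = effective.get("cacheTtlInSeconds", DEFAULT_TTL)
            if path.startswith(NO_CACHE_PREFIXES):
                findings.append((path, method, "CACHE_FORBIDDEN"))
            elif path.startswith(SHORT_TTL_PREFIXES) and ttl > MAX_SENSITIVE_TTL:
                findings.append((path, method, "CACHE_TTL_TOO_LONG"))
        # Inheriting the account-wide default is not method-level throttling.
        if path.startswith(THROTTLE_REQUIRED_PREFIXES) and "throttlingRateLimit" not in own:
            findings.append((path, method, "NO_METHOD_THROTTLE"))
    return findings


def remediate(stage, burst=100, rate=50):
    """Copy of the stage with the page's fixes: no cache on admin/payment paths,
    TTL clamped to 60 s on sensitive paths, and the page's example throttle
    (100 burst / 50 rps) on sensitive methods that had none. The stage-wide
    cache default is left for a human to decide."""
    fixed = copy.deepcopy(stage)
    for key, own in fixed["methodSettings"].items():
        if key == "*/*":
            continue
        path, _ = decode_method_key(key)
        if path.startswith(NO_CACHE_PREFIXES):
            own["cachingEnabled"] = False
        elif path.startswith(SHORT_TTL_PREFIXES):
            own["cacheTtlInSeconds"] = min(own.get("cacheTtlInSeconds", DEFAULT_TTL), MAX_SENSITIVE_TTL)
        if path.startswith(THROTTLE_REQUIRED_PREFIXES):
            own.setdefault("throttlingBurstLimit", burst)
            own.setdefault("throttlingRateLimit", rate)
    return fixed


if __name__ == "__main__":
    for finding in audit_stage(STAGE):
        print(*finding)
    print("after fix:", audit_stage(remediate(STAGE)))
```

The remaining `STAGE_WIDE_CACHE` finding after remediation is deliberate: whether a `*/*` cache default is acceptable depends on whether every un-overridden method really returns reference data identical for all users, which a config lint cannot know.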

Cost and Performance Trade-offs

VPC Integration Performance Penalties

  • VPC Links add 100-300ms latency
  • Require Network Load Balancers ($16/month minimum)
  • VPC cold starts: 10+ seconds while ENIs warm up
  • The VPC Tax: Internet → CloudFront → API Gateway → VPC Link → NLB → service = 4-5 network hops minimum

Edge vs Regional for Security Workloads

Aspect                    | Edge-Optimized                        | Regional
Client IP Visibility      | Shows edge locations, not real IPs    | Real client IPs immediately
WAF Log Delay             | 5-15 minutes from edge locations      | Real-time
Security Monitoring       | Complex, distributed                  | Simple, single region
Cost at 1TB/month         | +$85 CloudFront charges               | No additional charges
Attack Load Distribution  | Distributed across edge locations     | Concentrated in one region

Decision Criteria: Use regional for internal APIs or real-time security monitoring needs.

Critical Security Misconfigurations

Authentication Reality Checks

  • API Keys: Not security - billing and usage tracking only, visible in client code
  • IAM Authorization: For AWS services and internal APIs
  • Cognito: For user authentication (OAuth, SAML, social logins)
  • Lambda Authorizers: Custom auth logic

Biggest Security Mistake

Client-Side Validation Trust: Attackers use curl, not your mobile app. Always validate and authorize server-side. Real attack example: APIs accepting {"userId": "admin", "role": "superuser"} from anyone with curl and JSON knowledge.
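
The mistake described above as a Lambda proxy handler beside a hardened version, added here as an example that is not code from the page: the vulnerable handler reads `userId` and `role` from the JSON body, so the forged request succeeds; the hardened one takes identity only from the authorizer output that API Gateway attaches under `requestContext.authorizer` (`principalId` for a Lambda authorizer, `claims.sub` for a Cognito authorizer), looks the role up server-side, and fails closed when no authorizer output is present. The events and the role table are constructed.

```python
# Added example (not from the page): the "client-side validation trust"
# mistake as a Lambda proxy handler, beside a hardened version that ignores
# the body for anything identity-related. Events and ROLE_STORE are constructed.
import json


def _response(status, payload):
    return {"statusCode": status, "body": json.dumps(payload)}


def vulnerable_handler(event, context=None):
    """Takes identity and role from the request body, the pattern the page
    describes: anyone with curl can send {"role": "superuser"}."""
    body = json.loads(event.get("body") or "{}")
    if body.get("role") == "superuser":
        return _response(200, {"deleted": body.get("target"), "by": body.get("userId")})
    return _response(403, {"error": "forbidden"})


ROLE_STORE = {"u-1001": "user", "u-0007": "superuser"}  # constructed; stands in for a DB lookup


def caller_identity(event):
    """Identity the gateway attached after running the authorizer. The body
    is never consulted for this."""
    auth = (event.get("requestContext") or {}).get("authorizer") or {}
    return auth.get("principalId") or (auth.get("claims") or {}).get("sub")


def hardened_handler(event, context=None):
    user_id = caller_identity(event)
    if not user_id:
        # No authorizer output: the method was deployed without one or the
        # event is forged. Fail closed instead of falling back to the body.
        return _response(401, {"error": "unauthenticated"})
    if ROLE_STORE.get(user_id, "user") != "superuser":
        return _response(403, {"error": "forbidden"})
    body = json.loads(event.get("body") or "{}")
    target = body.get("target")
    if not isinstance(target, str) or not target:
        return _response(400, {"error": "target required"})
    return _response(200, {"deleted": target, "by": user_id})


# Constructed events: the forged body from the page, a real admin whose
# identity came from a Lambda authorizer, and an ordinary user (Cognito
# claims) who sends the same forged body.
FORGED = {"body": json.dumps({"userId": "admin", "role": "superuser", "target": "u-1001"})}
LEGIT_ADMIN = {"requestContext": {"authorizer": {"principalId": "u-0007"}},
               "body": json.dumps({"target": "u-1001"})}
ESCALATING_USER = {"requestContext": {"authorizer": {"claims": {"sub": "u-1001"}}},
                   "body": json.dumps({"userId": "admin", "role": "superuser", "target": "u-0007"})}

if __name__ == "__main__":
    for name, event in [("forged", FORGED), ("admin", LEGIT_ADMIN), ("user", ESCALATING_USER)]:
        print(name, vulnerable_handler(event)["statusCode"], hardened_handler(event)["statusCode"])
```

The hardened handler only helps if the method actually has an authorizer attached (authorization type not `NONE`) and the integration is the proxy integration that passes `requestContext` through; with a request validator on the method, the `target` check can move into the gateway's JSON schema so bad bodies never reach Lambda.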

Resource Requirements and Costs

DDoS Protection Costs

  • AWS Shield: Automatic for API Gateway
  • Shield Advanced: $3K/month (only worth it for regular attacks or compliance)
  • WAF Rate Limiting: Cheaper alternative for most attacks
  • Usage Plans: Set burst limits to prevent bill shock
  • Billing Alarms: Essential - DDoS attacks can cost $2K overnight before detection

Provisioned Concurrency Trade-offs

  • Cost: $0.015 per GB-second
  • Necessity: Required during sustained attacks to prevent cold start collapse
  • Reality: Costs add up fast during extended incidents but necessary for business-critical APIs

Logging and Monitoring Costs

Access Logging Financial Impact

  • Cost: $0.50/GB CloudWatch Logs charges
  • Real Example: $800/month for medium-traffic API access logs
  • Mitigation Strategy:
    • Full logging for sensitive APIs (auth, payments, admin)
    • 10% sampling for others using $requestId.substring(0,1) == "1"
  • Storage Cost Reality: 100MB daily logs = $15/month in CloudWatch charges

Request/Response Logging

  • Full Logging: Great for forensics, will bankrupt you at scale
  • Critical Timing: Enable before you need it - investigating security incidents without logs is debugging after deleting all code

Security Feature Comparison: REST vs HTTP APIs

Security Feature       | REST API                          | HTTP API             | Production Impact
AWS WAF                | ✅ Full support                   | ❌ No support        | REST critical - WAF blocks attacks before compute costs
Private Endpoints      | ✅ VPC-only via endpoints         | ❌ Internet-only     | REST critical - internal APIs need VPC isolation
Request Validation     | ✅ Schema validation at gateway   | ❌ Lambda code only  | REST advantage - early blocking saves compute costs
Per-Method Throttling  | ✅ Granular controls              | ❌ Basic only        | REST advantage - critical during targeted attacks
X-Ray Tracing          | ✅ Full integration               | ❌ Not supported     | REST advantage - essential for security incident debugging
Cost During Attacks    | Higher per-request                | Lower per-request    | HTTP advantage - every penny matters during DDoS

Compliance Requirements

HIPAA Configuration

  • Requires BAA with AWS
  • Must enable encryption in transit and at rest
  • CloudTrail logging required for access auditing

PCI DSS Requirements

  • WAF protection mandatory
  • Network segmentation required
  • Store sensitive data in Lambda functions, not API Gateway (easier to audit)

SOC 2 Coverage

  • API Gateway covered under AWS compliance programs
  • CloudTrail logging shows API configuration changes (required for audit trails)
  • Real-time monitoring required for security controls

Critical Warnings and Failure Modes

Production Deployment Risks

  1. Resource Policy Lockout: Testing IP restrictions on production locks out remote access
  2. Certificate Rotation: Mobile apps break when certificates rotate with pinning enabled
  3. WAF False Positives: Overly aggressive rules block legitimate traffic
  4. Cache Invalidation Delays: Security revocations cached for up to 1 hour
  5. Account Throttling: One attacked API breaks all services sharing account limits

Breaking Points and Thresholds

  • UI Debugging Limit: 1000 spans before interface becomes unusable
  • Cold Start Cascade: 50K legitimate req/min systems fail under 10K attack requests
  • Corporate Proxy Compatibility: WebSocket APIs break with proxy upgrade header issues
  • Lambda Timeout Reality: 5-second timeouts too aggressive during cold start waves
  • Connection Pool Exhaustion: RDS connections become bottleneck during attack-induced cold starts

Real-World Attack Costs

  • SQL Injection Campaign: $4K Lambda charges in single afternoon
  • DDoS Without Protection: $10K API Gateway charges in one day
  • Unmonitored Attack: 90% traffic was attacks, only discovered at billing time
  • Cache Security Bypass: Admin access cached 45 minutes after termination

Implementation Priority Matrix

Immediate (Day 1)

  1. Enable WAF on REST APIs with managed rule sets
  2. Set billing alarms for API Gateway and Lambda costs
  3. Configure CloudWatch alarms for 4XX/5XX spikes
  4. Implement resource policies for admin/internal APIs

Short-term (Week 1)

  1. Enable access logging with cost-conscious sampling
  2. Configure method-level throttling on sensitive endpoints
  3. Set up usage plans for legitimate client rate limiting
  4. Implement proper authentication (not API keys for security)

Medium-term (Month 1)

  1. Optimize cold start performance for security incident scenarios
  2. Implement cache invalidation procedures for security revocations
  3. Set up X-Ray tracing for security incident investigation
  4. Configure provisioned concurrency for business-critical functions

This reference provides the technical foundation for implementing AWS API Gateway security that survives production traffic and compliance requirements while managing costs during security incidents.

Useful Links for Further Investigation

Security Resources That Don't Suck

  • API Gateway Security Best Practices: AWS's official security guide. Actually comprehensive and not just marketing fluff. Focus on the resource policy examples.
  • AWS WAF Developer Guide: The WAF docs are dense but complete. Essential reading for public-facing APIs that will get attacked.
  • AWS Security Reference Architecture: Shows how API Gateway fits into the broader AWS security model. Good for enterprise deployments.
  • API Gateway Logging and Monitoring: CloudWatch metrics that actually matter for security monitoring. Ignore the fluff, focus on 4XX/5XX error rates.
  • AWS CloudTrail for API Gateway: Who changed what and when. Required for compliance and incident response. Shows API configuration changes, not request data.
  • AWS X-Ray Integration: Distributed tracing for security incidents. Only works with REST APIs. Expensive but helpful when attackers hit your Lambda functions.
  • WAF Logs Analysis: How to actually read WAF logs. The JSON format is terrible but contains everything you need for attack analysis.
  • Security Hub API Gateway Controls: Automated security checks. Finds common misconfigurations like missing WAF associations and overly permissive resource policies.
  • IAM Authentication for API Gateway: SigV4 signing and IAM role integration. Complex but unbreakable when configured correctly. Required reading for service-to-service APIs.
  • Cognito Integration Guide: User pool setup and JWT validation. Handles OAuth, SAML, social logins. The setup is painful but works reliably once configured.
  • Lambda Authorizer Documentation: Working code examples for custom authentication logic. Includes both TOKEN and REQUEST authorizer patterns. Test thoroughly - bugs here break everything.
  • API Gateway Resource Policies Examples: IP whitelisting, VPC restrictions, and time-based access controls. Copy-paste friendly JSON that actually works.
  • Understanding Lambda Cold Starts: Why your API falls over during attacks. Language comparisons and mitigation strategies from AWS's own performance team.
  • Provisioned Concurrency Guide: How to keep functions warm during traffic spikes. Expensive but necessary for business-critical APIs that can't handle cold start latency.
  • API Gateway Throttling Configuration: Method-level and usage plan throttling. Essential for preventing one bad API from breaking your entire AWS account limits.
  • API Gateway Pricing Calculator: Know your per-request costs before attackers test them for you. REST APIs at $3.50/million add up fast during DDoS.
  • CloudWatch Billing Alarms: Set these up before you need them. We learned this when a traffic spike cost $2K overnight.
  • AWS Shield Advanced: $3K/month DDoS protection. Only worth it if you're regularly under attack or have compliance requirements.
  • API Security Incident Response Playbook: What to do when shit hits the fan. Step-by-step incident response for common API security scenarios.
  • OWASP API Security Top 10: The attacks you'll actually face. API Gateway protects against some of these, but not all. Know the gaps.
  • AWS Security Blog - API Gateway: Real-world security patterns and incident analysis. Less marketing fluff than most AWS blogs.
