AWS CloudFront (with WAF) + API Gateway: how to force access through CloudFront?

I want to put WAF in front of API Gateway, and from the (little) info I can find, that is only possible by manually putting an extra CloudFront distribution with WAF enabled in front of APIG. It's a bit of a shame, especially since APIG now supports custom domains natively, but it should work.

Now, to make the solution secure rather than just obscure, I want to enforce that the APIs can only be accessed through the CloudFront distro. What is the best option to do this?

  • I was hoping to be able to use 'Origin Access Identities' similarly to S3, but I don't see how to do that.
  • If I could assign an IAM User (or role?) to the CloudFront distro, I could use the APIG IAM feature, but I don't see how this can be done.
  • I could require an API key in APIG and pass it as an Origin Custom Header from CloudFront. That could work, as long as we don't want to use API keys for some other purpose, so I'm not entirely happy about that.
  • A dummy (!) custom authorizer could be used, with the Token validation expression actually checking a secret that is passed as an Origin Custom Header from CloudFront. Should work, it's more flexible, but a bit dirty... or not?

Any better ideas? Or perhaps "the right way" to do it exists but I overlooked it?

1 Answer

  • I am from API Gateway.

    Unfortunately, the best solution we have as of now is to inject an origin custom header in CloudFront and validate that in a custom authorizer (option 4 in your question).

    We are already aware of this limitation and not-so-great workaround. We are looking to provide better WAF integration in the future, but we do not have an ETA.
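The custom authorizer the answer recommends (option 4 from the question) is a small Lambda function. The following is an added example of what such an authorizer can look like, written for this page and not code from AWS or from the poster. The header name `x-origin-verify`, the environment variable `ORIGIN_VERIFY_SECRET`, the default secret and the `methodArn` value are assumptions made for the example; in a real deployment the secret would be generated randomly, configured as the CloudFront origin custom header, and supplied to the Lambda through its environment or a secrets store. The handler accepts both authorizer event shapes: a TOKEN authorizer (where the identity source is the custom header and API Gateway passes its value as `authorizationToken`) and a REQUEST authorizer (where the full header map is passed). Comparison uses `hmac.compare_digest` so that the check does not leak the secret through timing, and a missing or wrong header yields an explicit Deny policy.

```python
"""Lambda authorizer that only allows requests carrying the CloudFront origin custom header.

Added example for this Q&A page; not AWS's or the poster's code.
"""
import hmac
import os

# Assumed header name and secret source. The default value is a constructed
# placeholder so the module runs stand-alone; a deployment would set the
# environment variable to the same random value configured in CloudFront.
HEADER_NAME = "x-origin-verify"
EXPECTED_SECRET = os.environ.get("ORIGIN_VERIFY_SECRET", "constructed-example-secret")


def header_value(headers, name):
    """Case-insensitive header lookup (clients and proxies vary header casing)."""
    for key, value in (headers or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def extract_supplied_secret(event):
    """Return the header value from either a TOKEN or a REQUEST authorizer event."""
    if event.get("type") == "TOKEN":
        # API Gateway copies the configured identity-source header into this field.
        return event.get("authorizationToken")
    return header_value(event.get("headers"), HEADER_NAME)


def build_policy(principal_id, effect, method_arn):
    """Build the IAM policy document API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": effect,
                    "Resource": method_arn,
                }
            ],
        },
    }


def is_valid_secret(supplied, expected=None):
    """Constant-time comparison; False for a missing header or a length mismatch."""
    expected = EXPECTED_SECRET if expected is None else expected
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


def lambda_handler(event, context=None):
    """Authorizer entry point: Allow only when the CloudFront header matches."""
    method_arn = event["methodArn"]
    if is_valid_secret(extract_supplied_secret(event)):
        return build_policy("cloudfront", "Allow", method_arn)
    # Returning Deny gives the caller a 403; raising Exception("Unauthorized")
    # would give a 401 instead. Deny is used here so the result is easy to test.
    return build_policy("anonymous", "Deny", method_arn)


if __name__ == "__main__":
    # Constructed sample events for a local run; the ARN is a placeholder.
    arn = "arn:aws:execute-api:us-east-1:123456789012:EXAMPLE/prod/GET/items"
    good = {"type": "TOKEN", "authorizationToken": EXPECTED_SECRET, "methodArn": arn}
    bad = {"type": "TOKEN", "authorizationToken": "wrong", "methodArn": arn}
    print(lambda_handler(good)["policyDocument"]["Statement"][0]["Effect"])
    print(lambda_handler(bad)["policyDocument"]["Statement"][0]["Effect"])
```

With a TOKEN authorizer the identity source is set to the custom header (`method.request.header.x-origin-verify` in this example), so API Gateway rejects requests without the header before the Lambda is even invoked, and the Token validation expression can be left permissive since the real check happens in code. Rotating the secret means updating the CloudFront origin custom header and the Lambda's configured value together.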
