![]() The "right" way would be to use the custom authorizor in API Gateway as mentioned by others. or not?Īny better ideas? Or perhaps "the right way" to do it exists but I overlooked it? Should work, it's more flexible, but a bit dirty. A dummy (!) custom authorizer could be used, with the Token validation expression actually checking a secret that is passed as an Origin Custom Header from Cloudfront.That could work, as long as we don't want to use API keys for some other purpose, so I'm not entirely happy about that. I could require an API key in APIG, and pass it as a Origin Custom Header from Cloudfront.If I could assign an IAM User (or role?) to the Cloudfront distro, I could use APIG IAM feature, but I don't see how this can be done.I was hoping to be able to use the 'Origin Access Identities' similar as for S3, but don't see how to do that.Now to make the solution secure rather than just obscure, I want to enforce that the APIs can only be accessed through the Cloudfront distro. ![]() It's a bit of a shame, especially since APIG now supports custom domains natively, but it should work. ![]() I want to put WAF in front of API Gateway, and with the (little) info I find that is only possible by manually putting an extra Cloudfront distribution with WAF enabled, in front of APIG. ![]()
0 Comments
Leave a Reply. |