The popularity of cloud computing services has increased drastically recently, with Amazon Web Services (AWS) being one of the most widely used cloud computing platforms. At the beginning of 2023, AWS had a market share of approximately 33%, the largest cloud service provider globally!
AWS provides various services that enable organizations to build scalable and secure applications. One of the essential services offered by AWS is the API Gateway, which allows organizations to create, publish, and manage APIs that can be easily integrated with other AWS services.
However, as with any web application, security is a major concern when using API Gateway. To address this issue, AWS provides various security mechanisms that organizations can implement, such as rate limiting, authentication, and authorization.
This blog will explore one of the authentication mechanisms available for API Gateway - JSON Web Tokens (JWTs) and Custom JWT Authorizers. We will discuss what they are, how they work, and how they should be used to secure an API Gateway.
JSON Web Tokens (JWTs) are widely used to authenticate users and transmit information securely between systems. A JWT consists of a header, payload, and signature.
The header contains two parts: the token type, which is JWT, and the algorithm used to produce the signature, for example HS256 (HMAC with SHA-256), RS256 (RSA with SHA-256) or ES256 (ECDSA on P-256 with SHA-256). SHA-256 on its own is a hash, not a signing algorithm, and HMAC is a shared-secret MAC rather than a public-key signature, so the two families have different key-handling implications. The header is also part of the untrusted input: a verifier must compare the declared algorithm against the one it expects rather than switch on whatever the token claims, otherwise a token declaring alg "none" or a swapped algorithm may slip through.
The payload contains claims, which are statements about the subject, such as a user ID, name or email address, together with metadata such as the issuer (iss), the intended audience (aud) and the expiry time (exp). Claims are classified as registered, public, and private.
Registered claims are predefined by the JWT specification (RFC 7519). Public claims are application-defined names that should be registered or otherwise collision-resistant so that they do not clash across systems. Private claims are custom claims agreed between the parties that issue and consume the token.
The signature lets the verifier confirm that the token was issued by a party holding the signing key and that neither the header nor the payload has been altered in transit. It does not hide the payload: the claims are only base64url-encoded, so anyone holding the token can read them.
When a user logs in to a web application, the server creates a JWT containing the user's ID, an expiry time and any other relevant claims. The server signs this JWT using a secret key (or a private key for RS256/ES256), so that nobody without that key can alter it without detection. The server then sends the JWT to the client, which stores it either in local storage or as a cookie. Because the payload is readable by anyone who holds the token, secrets must never be placed in it.
When the user makes a subsequent request to the server, the client sends the JWT along with the request. The server verifies the signature of the JWT to ensure that the server (or its trusted issuer) generated it and that it hasn't been tampered with, and then checks the standard claims, at minimum that the token has not expired and that the issuer and audience are the expected ones.
If these checks pass, the server extracts the user ID and any other relevant information from the JWT and uses it to authenticate and authorize the user for the requested resource.
A custom JWT authorizer is a Lambda function (AWS calls this a Lambda authorizer, formerly a custom authorizer) that API Gateway invokes before it forwards a request, so that the function decides whether the caller may reach the backend. It allows us to implement our own authentication and authorization logic instead of relying only on API Gateway's built-in mechanisms, such as IAM authorization, Cognito user pool authorizers or the native JWT authorizer available for HTTP APIs.
We can authenticate users or devices and authorize their access to our API with custom authorizers. For example, we can use a custom authorizer to authenticate users with a JWT or check if a user has the necessary permission to access a particular resource.
To use a custom authorizer with AWS API Gateway, we define it as a Lambda function that receives information about the incoming request and returns an authorization decision to API Gateway.
Once we have created the function, we register it as an authorizer on the API and attach it to the methods it should protect. When a request is made to one of those methods, API Gateway invokes the authorizer and passes it details of the request: for a TOKEN authorizer, the value of the configured header (typically Authorization) and the ARN of the invoked method; for a REQUEST authorizer, the headers, query string parameters, stage variables and request context.
The custom authorizer function should perform all the necessary authentication and authorization checks to determine if the request should be allowed or denied.
These checks could include validating the token, checking if the user has the required permission to access a particular resource, or any other custom logic that needs to be performed to ensure the security of the API.
Once the authentication and authorization checks are complete, the custom authorizer returns a response to API Gateway: a principalId identifying the caller, an IAM policy document that allows or denies the execute-api:Invoke action on the method ARN, and optionally a context object of string values that API Gateway forwards to the backend. If the token is missing or fails verification, the function should instead raise an error with the message "Unauthorized", which API Gateway maps to an HTTP 401.
If the policy allows the request, API Gateway forwards it to the backend. If the policy denies it, API Gateway returns a 403 to the client, indicating that the user is not authorized to access the requested resource. Two caveats matter in practice: API Gateway caches the returned policy per token (300 seconds by default), so a revoked token keeps working until the cache entry expires, and a cached policy is reused for other methods the same token hits, so the Resource in the policy must be scoped deliberately rather than copied blindly from the first request's ARN.
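The two halves described above, the JWT issue-and-verify cycle and the Lambda authorizer that wraps it, are shown together in the following added example. This is illustration code written for this post, not code from AWS or from the course; the secret, issuer, audience, scope name and method ARN are made-up values, and a production authorizer would load the key material from a secret store or a JWKS endpoint rather than a constant.

```python
"""Added example (not from the original post): mint and verify an HS256 JWT
with only the standard library, then reuse the verifier inside an API Gateway
REST API Lambda authorizer of type TOKEN that returns an IAM policy.
The secret, issuer, audience, scope name and ARN below are made-up values."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret-replace-me"   # assumed; load from a secret store in practice
ISSUER = "https://auth.example.com"         # assumed issuer (iss)
AUDIENCE = "orders-api"                     # assumed audience (aud)
REQUIRED_SCOPE = "orders:write"             # assumed scope required for this method


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issuer side: HMAC-SHA256 over base64url(header) '.' base64url(payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Verifier side: return the claims or raise ValueError.
    The header is attacker-controlled, so 'alg' is compared with the pinned
    value instead of being used to choose the algorithm (this also rejects
    alg=none). The signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("missing or past exp")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong iss or aud")
    return claims


def _policy(principal: str, effect: str, method_arn: str, ctx: dict) -> dict:
    """Response shape API Gateway expects from a Lambda authorizer: principalId,
    an IAM policy on execute-api:Invoke, and string-valued context that the
    backend can read as $context.authorizer.<key>."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": ctx,
    }


def lambda_handler(event: dict, context=None) -> dict:
    """TOKEN authorizer entry point. API Gateway passes the configured header as
    event['authorizationToken'] and the invoked method as event['methodArn'].
    Raising Exception('Unauthorized') yields a 401; a Deny policy yields a 403."""
    raw = event.get("authorizationToken") or ""
    if not raw.startswith("Bearer "):
        raise Exception("Unauthorized")
    try:
        claims = verify_jwt(raw[len("Bearer "):])   # authentication: who is calling
    except ValueError:
        raise Exception("Unauthorized")
    scopes = claims.get("scope", "").split()        # authorization: what they may do
    effect = "Allow" if REQUIRED_SCOPE in scopes else "Deny"
    sub = str(claims.get("sub", ""))
    return _policy(sub, effect, event["methodArn"], {"sub": sub, "scope": claims.get("scope", "")})


if __name__ == "__main__":
    # Constructed sample: a token carrying the write scope hitting a POST method.
    token = mint_jwt({"sub": "user-42", "iss": ISSUER, "aud": AUDIENCE,
                      "exp": int(time.time()) + 300, "scope": "orders:read orders:write"})
    event = {"type": "TOKEN", "authorizationToken": "Bearer " + token,
             "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/POST/orders"}
    print(json.dumps(lambda_handler(event), indent=2))
```

The hand-rolled verifier is there to make the checks visible; in a real authorizer a maintained library such as PyJWT, called with the accepted algorithms pinned (for example algorithms=["HS256"]) and with audience and issuer supplied, does the same work, and RS256 tokens from an identity provider would be verified against keys fetched from its JWKS endpoint. Note that the authorization step (the scope check) is separate from authentication: a valid token from the right issuer still gets an explicit Deny if it lacks the scope the method requires.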
Using custom authorizers, we can customize the authentication and authorization logic for our APIs instead of relying on the built-in mechanisms provided by the API Gateway. This gives us greater flexibility and more control over the security of our APIs.
To learn more about using custom authorizers and securing your AWS API Gateway, consider enrolling in the brand-new course on AWS API Gateway available now on AppSecEngineer.
Securing API Gateway with Custom JWT Authorizers is a vital aspect of ensuring the safety of your organization's data. JWTs provide a standard, signed way of transmitting claims between systems, while Custom JWT Authorizers let you implement the authentication and authorization logic your API actually needs instead of relying solely on the built-in mechanisms of API Gateway.
If you're interested in knowing more about AWS API Gateway and its security mechanisms, including having access to hands-on labs on using JWTs with your APIs, check out the brand-new course on AWS API Gateway available now on AppSecEngineer.
This course, along with over 10 other courses with hands-on labs on AWS security with 40+ AWS Security Challenges on AppSecEngineer, can help you gain the knowledge you need to secure your organization's data in the cloud.
So, what are you waiting for? Sign up for AppSecEngineer's AWS Security Specialist Bundle today.
Rajesh Kanumuru works at we45 as a Cloud Security Lead. Rajesh is a builder and breaker of Cloud applications. He has created some pioneering works in the area of Cloud Security. He is actively researching the effects of emerging technologies on cloud security. Since 2020, Rajesh has mostly been involved with research, development and building solutions around we45 and AppSecEngineer's training offerings. He consults with organizations to help them implement Cloud Security successfully. Rajesh has co-authored and trained a course on Purple Team AWS that was delivered by we45 at BlackHat USA. When AFK, he can be found on the cricket pitch.