Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

AWS Logo
Menu
CloudFront - API Gateway Security: API Key Rotation

CloudFront - API Gateway Security: API Key Rotation

Ensuring Secure Communication Between CloudFront and API Gateway: Automated API Key Rotation using AWS Lambda.

awsapi-gatewayapi-keycloudfrontcloud-operations
Frank Pimienta
Published Mar 22, 2025
Last Modified Mar 23, 2025
Comments
API keys are essential security credentials serving as unique identifiers for authenticating and authorizing requests to Application Programming Interfaces (APIs). In AWS environments, these keys function as "digital keys," facilitating secure communication between services like Amazon CloudFront and Amazon API Gateway.
Nevertheless, similar to any security credential, API keys carry inherent risks. If compromised, stolen, or leaked, they may grant unauthorized access, leading to serious repercussions. This highlights the importance of regularly rotating keys as a crucial preventive measure in a strong cloud security strategy.
Amazon API Gateway includes a "key store" feature that allows you to create or import API keys. These keys, which are securely stored in Amazon API Gateway, not only authenticate the identity of the requester but also facilitate crucial functions like rate limiting (throttling) and request quotas through usage plans.
Indeed, API Gateway enhances security through Resource Policies. These policies, formatted in JSON, manage access according to specific conditions, including IP addresses, network segments, VPC endpoints, and IAM roles. Nevertheless, API keys are still vital for ensuring secure communication channels between services such as CloudFront and API Gateway.

Architecture Overview

Today, we will delve into a serverless approach for automating API key rotation between API Gateway and CloudFront using AWS Lambda. This solution notably enhances our security by eliminating the manual process, which is often susceptible to errors or oversight.
Image not found
The solution architecture includes:
  • CloudFront manages client requests, passing them through to the API Gateway while including the API key in a custom header labeled "x-api-key." This key serves only as a "shared secret" between these two AWS services, establishing a secure and authenticated communication channel.
  • An API Gateway set up to require an API key for each request, granting access solely through CloudFront and blocking direct internet access.
  • A Lambda function that executes the API key rotation process.
  • An EventBridge Scheduler sends required parameters and triggers the Lambda request monthly.
Note: All resources are created in a single AWS account.
This setup requires customers to access the API exclusively via CloudFront, as they lack knowledge or access to the internal communication API key. This separation enhances security and allows for better traffic control to your API.
This automated solution provides numerous significant benefits:
  1. Enhanced Security: Frequent API key rotation greatly minimizes vulnerability periods against potential compromises.
  2. Reduced Operational Load: Removes the necessity for manual rotations, allowing personnel to focus on more valuable tasks.
  3. Compliance and Audit: Aids in meeting security standards and maintains a clear log of rotation timings.
  4. Zero Downtime: The architecture guarantees a smooth key transition without any service disruptions.

Automatic Rotation Implementation

The Python-based Lambda function automates the rotation process entirely. It features a comprehensive logging system that aids in troubleshooting and auditing. The function executes these operations:
  1. Check existing API keys: First, locate the specified usage plan to check if an associated API key already exists.
  2. Generate a new API key: Produce a new API key on the API Gateway using the provided name.
  3. Associate the key: Link the new key to the configured usage plan.
  4. Update the CloudFront distribution: Update the "x-api-key" header in the CloudFront origin configuration with the new key value.
  5. Remove the old key: After the CloudFront update is finalized, delete the old API key to maintain a clean environment.
The function needs four configuration parameters, which can be provided as environment variables or through the event that triggers it:
USAGE_PLAN_ID: API Gateway usage plan ID
DISTRIBUTION_ID: CloudFront distribution ID
ORIGIN_ID: Origin ID in distribution
API_KEY_NAME: Name for the new API key
Example:
1
2
3
4
5
6
{
"API_KEY_NAME": "kloudpepper-api-key",
"DISTRIBUTION_ID": "E1MTSB8DGIOBI2",
"ORIGIN_ID": "api-gateway-origin",
"USAGE_PLAN_ID": "0aj0l3"
}
I will provide the code to set up this solution in your AWS environment, consisting of two main components:
  1. Terraform Code: This code is used to provision essential infrastructure components such as API Gateway, CloudFront, Lambda, and EventBridge Scheduler. It provides examples of creating these resources and the necessary configurations for their integration.
  2. Python code

Multi-Account Scenario

The proposed solution assumes that all resources—API Gateway, CloudFront, and Lambda—are hosted within a single AWS account. However, in enterprise environments, it's typical for these services to be spread across multiple accounts to enhance security, support organizational needs, or create clear divisions of responsibility.
If the API Gateway is in a different account from CloudFront, the rotation procedure necessitates extra considerations:
  1. Cross-account roles: To modify the relevant resources, the Lambda function must assume a role in the target account.
  2. Cross-account trust configuration: Establishing trust relationships between the IAM roles of both accounts is essential.
  3. Lambda location: It's essential to determine in which account to deploy the Lambda function—whether in the account where CloudFront resides or where API Gateway is available—given that it requires permissions in both accounts.
I'm providing another Python code for use in the Lambda function, specifically for multi-account situations. Simply include one additional parameter in the already mentioned ones:
ROLE_ARN: The ARN of the role established in the target account that the Lambda will assume.
This cross-account setup introduces some complexity but greatly enhances the security stance by adhering to the principle of least privilege and separating responsibilities among accounts.
This is just one way to incorporate advanced security measures into your AWS architectures. Feel free to tailor and refine this solution to meet the unique requirements of your infrastructure.
Best wishes, and I look forward to our next meeting. Thank you!
 
Comments

Comments

Log in to comment