How to Use AWS IAM to Secure API Access with Real-World Examples

Real-World Problem: Controlling Access to Your APIs

In modern applications, APIs are the backbone of communication between services and clients. Whether you’re providing public APIs or internal microservices, controlling who can access these APIs is crucial to prevent unauthorized access and protect sensitive data.

This tutorial demonstrates how to use AWS IAM to secure API access, using Amazon API Gateway to enforce permissions for different types of users and services.

Why Use AWS IAM for API Security?

1. Fine-Grained Access Control: Grant permissions based on specific actions and resources.
2. Secure Temporary Access: Use IAM Roles to provide temporary, scoped access to APIs.
3. Seamless Integration: Combine IAM with API Gateway for secure, scalable API management.
4. Audit and Compliance: Track API access and permissions with AWS CloudTrail and IAM Access Analyzer.

How the Solution Works

1. Client Authentication: Use IAM credentials or roles to authenticate API requests.
2. Policy Enforcement: IAM policies define who can access which APIs and actions.
3. Resource-Level Permissions: Specify access for individual API routes or methods (e.g., GET, POST).

Step-by-Step: Securing an API with AWS IAM

Step 1: Set Up an API Gateway

1. Create a REST API:
   • Go to the API Gateway Console → Create API → Select HTTP API.
   • Name your API (e.g., ProductAPI).
2. Define API Endpoints:
   • Add a /products endpoint with methods like GET (retrieve products) and POST (add products).
3. Deploy the API:
   • Click Deploy API → Choose a stage (e.g., prod).

Step 2: Create IAM Policies for API Access

1. Policy for Read-Only Users: Allow users to access only the GET /products endpoint:

{
    “Version”: “2012-10-17”,
    “Statement”: [
        {
            “Effect”: “Allow”,
            “Action”: “execute-api:Invoke”,
            “Resource”: “arn:aws:execute-api:us-east-1:123456789012:api-id/prod/GET/products”
        }
    ]
}

2. Policy for Admin Users: Allow full access to all API methods:

{
    “Version”: “2012-10-17”,
    “Statement”: [
        {
            “Effect”: “Allow”,
            “Action”: “execute-api:Invoke”,
            “Resource”: “arn:aws:execute-api:us-east-1:123456789012:api-id/prod/*”
        }
    ]
}

Step 3: Create IAM Users and Groups

1. Go to the IAM Console → Users → Add Users.
2. Add users like john-readonly and jane-admin.
3. Assign users to groups:
   • ReadOnly-Group with the read-only policy.
   • Admin-Group with the admin policy.

Step 4: Test API Access

1. Generate Access Keys:
   • For each user, create an access key pair (Key ID and Secret Key).
2. Use AWS CLI to Test:
   • Test read-only access

aws apigatewayv2 invoke –api-id api-id –stage-name prod –resource-id products –http-method GET –region us-east-1

• Test admin access

aws apigatewayv2 invoke –api-id api-id –stage-name prod –resource-id products –http-method POST –region us-east-1 –body ‘{“name”: “New Product”}’

Verify that john-readonly cannot execute POST requests.

Step 5: Secure Internal Services with IAM Roles

1. Create a Role for an EC2 Instance:
   • Go to IAM Console → Roles → Create Role.
   • Select EC2 as the trusted entity.
   • Attach the read-only policy.
2. Assign the Role to an EC2 Instance:
   • Launch an EC2 instance and attach the IAM role.
   • Use the AWS SDK from the instance to authenticate API requests.

Real-Life Example: Securing a Multi-Tier Web App

A retail company uses IAM to secure its APIs:

1. Public API:
   • Customers access GET /products with IAM-based authentication.
   • Policies restrict access to read-only actions.
2. Internal API:
   • Admins access POST /products to add new products.
   • API access is restricted to users in the admin IAM group.
3. Microservices:
   • Backend services running on EC2 use IAM roles to authenticate requests to internal APIs.

Pro Tips for Securing APIs with IAM

1. Use IAM Condition Keys:
   Add conditions like IP addresses or time-based access to fine-tune permissions.
2. Leverage Resource Policies:
   Combine IAM policies with API Gateway Resource Policies to restrict access to specific source IPs or VPCs.
3. Monitor API Activity:
   Enable CloudTrail to log all API invocations and detect unauthorized access.
4. Use Tokens for External Clients:
   For external applications, consider using Cognito or API keys for authentication in combination with IAM.

Pricing Overview

1. IAM: No additional cost for creating users, roles, and policies.
2. API Gateway:
   • $3.50 per million requests for HTTP APIs.
   • Additional charges for data transfer.

Conclusion: Secure APIs with Confidence

AWS IAM is a powerful tool for managing API access and enforcing security best practices. By combining IAM policies with API Gateway, you can create a secure, scalable infrastructure for public and internal APIs.

Ready to secure your APIs? Start implementing these IAM practices today and ensure your APIs are safe, scalable, and compliant.