SEC 1: How do you control access to your Serverless API?

Use authentication and authorization mechanisms to prevent unauthorized access, and enforce quotas for public resources.

Resources

Controlling and Managing Access to a REST API in Amazon API Gateway
Controlling access to GraphQL APIs in AWS AppSync

Best Practices:

  • Use appropriate endpoint type and mechanisms to secure access to your API
  • Scope access based on identity’s metadata
  • Use authentication and authorization mechanisms

Improvement Plan

Use appropriate endpoint type and mechanisms to secure access to your API

  • Determine your API consumer and choose an API endpoint type.
  • Implement security mechanisms appropriate to your API endpoint.

Scope access based on identity’s metadata

  • Review levels of access and identity metadata, and segregate consumers into logical groups/tiers.
  • Implement authorization logic based on authentication metadata.

Use authentication and authorization mechanisms

  • Evaluate authorization mechanisms.
  • Enforce authorization for non-public resources within your API.
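The following is an added example, not code from the Serverless Lens, showing the "scope access based on identity's metadata" and "enforce authorization for non-public resources" steps together: a backend Lambda behind an API Gateway REST API with a Cognito user-pool authorizer, which authorizes each route from the `cognito:groups` claim that API Gateway placed in the event. The route-to-group table and the sample event are constructed for illustration.

```python
import json

# Hypothetical route -> allowed-groups table. A route missing from the table
# is treated as non-public and denied by default; None marks a public route.
ROUTE_ACCESS = {
    ("GET", "/orders"): {"customers", "support", "admins"},
    ("DELETE", "/orders/{id}"): {"admins"},
    ("GET", "/health"): None,
}


def caller_groups(event):
    """Return the caller's Cognito groups as a set.

    Only requestContext.authorizer.claims is trusted: API Gateway writes it
    after validating the token, whereas request headers come straight from
    the client and must never drive an authorization decision.
    """
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims", {})
    raw = claims.get("cognito:groups", "")
    # API Gateway flattens the groups array into a string such as
    # "[customers, support]"; accept comma and whitespace separators.
    return {g for g in raw.strip("[]").replace(",", " ").split() if g}


def is_authorized(event):
    """Decide whether the authenticated caller may invoke this method/route."""
    key = (event.get("httpMethod"), event.get("resource"))
    if key not in ROUTE_ACCESS:
        return False  # unknown route: deny by default
    allowed = ROUTE_ACCESS[key]
    if allowed is None:
        return True  # public route, no identity required
    return bool(caller_groups(event) & allowed)


def handler(event, context):
    """Lambda proxy handler: enforce authorization before doing any work."""
    if not is_authorized(event):
        return {"statusCode": 403, "body": json.dumps({"message": "Forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"message": "ok"})}


# Constructed sample event, shaped like the REST API proxy event that arrives
# after a Cognito user-pool authorizer has accepted the caller's token.
SAMPLE_EVENT = {
    "httpMethod": "DELETE",
    "resource": "/orders/{id}",
    "requestContext": {"authorizer": {"claims": {
        "sub": "example-user", "cognito:groups": "[customers, support]"}}},
}
```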