Learn how Monash University used Amazon API Gateway and AWS serverless technologies to build, secure, deploy, and operate private APIs for security automation across different AWS accounts, as part of their journey into DevSecOps. Uncover API Gateway private endpoints and discuss best practices for network connectivity, authentication, deployment, and monitoring. Learn how to set up private API connectivity to automate your services in AWS. Speakers: James Lambeth, Senior Enterprise Security Architect, Monash University & Steve Gillard, Solutions Architect, AWS

1. P U B L I C S E C T O R
S U M M I T
Canberra, ACT

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Building Private APIs for Security Automation
Steven Gillard
Solutions Architect
AWS Public Sector
James Lambeth
Enterprise Security Architect
Monash University

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
What are my options?
Consumers
AWS Account 1
Amazon VPC
Secured
resources
AWS Account 2
Amazon VPC

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
AND

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

6. Completely manual
The old way
AWS Cloud
Amazon VPC
Amazon VPCAmazon VPC
Web application
firewall
Amazon CloudFront
Security teamOperations team
Backend web
server
Backend web
server
Project team/faculty
members
End users

7. Phase one – prototype
The new way
AWS Cloud
Amazon VPC
AWS Secrets
Manager
Web application
firewall
AWS Lambda
function
Amazon DynamoDB
Amazon API
Gateway
Operations team

8. What next?
We still had a few outstanding questions…
• How do we make the API private?
• How can we make the API more resilient?
• How do the operations team call the API?
• How do we package the API for deployment?

9. Phase two – more features
The new way
AWS Cloud
Amazon VPC
AWS Secrets
Manager
AWS Lambda
Function
Amazon CloudFront
Backend web
server
Amazon VPC
Automation
pipeline Amazon DynamoDB
AWS Lambda
function
QueueAmazon API
Gateway
Endpoint
AWS CloudFormation
AWS Lambda
Function
Operations team
Ingress/Egress AccountAutomation Account
Web application
firewall

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Serverless APIs
No infrastructure provisioning,
no management
Automatic scaling
Pay for value Highly available and secure

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
What are my options?
Consumers
AWS Account 1
Amazon VPC
Secured
resources
AWS Account 2
Amazon VPC

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
API Gateway private integration
Consumers
AWS Account 1
Amazon VPC
AWS Account 2
Amazon VPC
Amazon API
Gateway
regional
endpoint
Internet
gateway
Network load
balancer
Secured
resource
Private
integration
Public frontend, private backend

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
API Gateway AWS Lambda integration
Consumers
AWS Account 1
Amazon VPC
AWS Account 2
Amazon VPC
Amazon API
Gateway
regional
endpoint
Internet
gateway
Secured
resource
AWS Lambda
proxy
integration
Public frontend, private backend

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Consumers
API Gateway private endpoints
Amazon API
Gateway
Private
endpoint Secured
resource
AWS Lambda
proxy
integration
Consumer VPC endpoint
AWS Account 1 AWS Account 2
Amazon VPC Amazon VPC

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Consumers
API Gateway private endpoints
Amazon API
Gateway
Private
endpoint
AWS Account 1
Amazon VPC
Secured
resource
AWS Lambda
proxy
integration
AWS Account 2
Amazo
n
VPC
Peering
Central endpoint
Amazon VPC

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Consumers
API Gateway private endpoints
Amazon API
Gateway
Private
endpoint
AWS Account 1
Amazon VPC
Secured
resource
AWS Lambda
proxy
integration
AWS Account 2
Amazo
n
VPC
Peering
Central endpoint with DNS
Amazon VPC
Route53
private hosted
zone
AssociationRoute 53
Resolver

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Asynchronous API
Consumers
Amazon API
Gateway
Private
endpoint
AWS Account
Amazon VPC
Secured
resource
AWS Account
Amazon VPC
Consumer Amazon VPC endpoint
Amazon SQS
queue
DynamoDB
table
Direct
integration

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Consumers
API authentication and authorisation
Amazon API
Gateway
Private
endpoint Secured
resource
AWS Lambda
proxy
integration
AWS Lambda authorizer
AWS Account 1 AWS Account 2
Amazon VPC Amazon VPC
AWS Lambda
authorizer
Key/
token/
secret

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Consumers
API authentication and authorisation
Amazon API
Gateway
Private
endpoint Secured
resource
AWS Lambda
proxy
integration
Amazon Cognito
AWS Account 1 AWS Account 2
Amazon VPC Amazon VPC
Amazon
Cognito
Internet
gateway
Token

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Consumers
API authentication and authorisation
Amazon API
Gateway
Private
endpoint Secured
resource
Lambda
Proxy
Integration
IAM/AWS Sigv4
AWS Account 1 AWS Account 2
Amazon VPC Amazon VPC
IAM
Role
Role
API resource
policy
Signed
request Additional
access
check -
optional
External
Auth DB

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Consumers
Multiple control points
Amazon API
Gateway
Private
endpoint Secured
resource
AWS Lambda
proxy
integration
Roles and policies
AWS Account 1 AWS Account 2
Amazon VPC Amazon VPC
VPC Endpoint
Resource Policy
What APIs can be
accessed through
the endpoint
API Gateway
Resource Policy
Which consumers
can access the APIs
and from where
Role
What the
consumer can
access
Security Groups
Control network
access to resources

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
API resource policies are mandatory
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:<region>:<acct id>:<api id>/*",
"Condition": {
"StringNotEquals": {
"aws:SourceVpce": [
"vpce-XXX“,
“vpce-YYY”
]
}
}
}
Whitelist of allowed
VPC endpoint ID’s

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
VPC endpoint resource policies
{
"Principal": "*",
"Action": "execute-api:Invoke"
"Effect": "Allow",
"Resource": [
"arn:aws:execute-api:<region>:<acct id>:<api1 id>/*",
"arn:aws:execute-api:<region>:<acct id>:<api2 id>/*"
]
}
Whitelist of allowed API’s that can be
invoked through the endpoint

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
API deployment
Serverless application model
AWS::Serverless::Function
AWS::Serverless::SimpleTable
AWS::Serverless::Api
SAM template
AWS CloudFormation
AWS Lambda
function
DynamoDB
table
Amazon API
Gateway
Transform
AWS Lambda function code
OpenAPI spec

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
API deployment
APIGatewayResource:
Type: AWS::Serverless::Api
Properties:
Name: ExampleAPI
StageName: v1
EndpointConfiguration: PRIVATE
DefinitionBody:
Fn::Transform:
Name: 'AWS::Include'
Parameters:
Location: !Ref S3LocationOfAPISpec
OpenAPI spec can
include AWS
CloudFormation
functions
OpenAPI/swagger inclusion

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
OpenAPI spec – API resource policy
x-amazon-apigateway-policy:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
- Ref: APIAccessRole
Action: "execute-api:Invoke"
Resource: "execute-api:/*"
- Effect: Deny
Principal: *
Action: "execute-api:Invoke"
Resource: "execute-api:/*"
Condition:
StringNotEquals:
aws:SourceVpce:
- Ref: VPCEndpointResource
Allow these roles
From these Amazon VPC
endpoint IDs
AWS extension to OpenAPI

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Consumers
Monitoring
Private
endpoint Secured
resource
Logging and end-to-end tracing
AWS Account 1 AWS Account 2
Amazon VPC Amazon VPC
Amazon
CloudWatch
AWS X-Ray
Logs and
metrics
Traces

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Where should I start?
Start experimenting with SAM
https://aws.amazon.com/serverless/sam/
Find pre-built examples in the Serverless Application Repository
https://aws.amazon.com/serverless/serverlessrepo/
Learn PrivateLink Best Practices (re:Invent 2018 session)
https://youtu.be/85DbVGLXw3Y
Get familiar with API Gateway documentation
https://docs.aws.amazon.com/apigateway/index.html