Amazon CloudFront and AWS WAF are often used together to create a powerful security and performance solution for web applications.
Amazon CloudFront, a content delivery network (CDN), is used to enhance website performance by caching content at edge locations worldwide, thereby reducing latency and providing a faster user experience. AWS WAF is a web application firewall that provides an additional layer of security by inspecting web requests at the application level and filtering out malicious traffic before it reaches backend servers. This combination protects against common web exploits, such as SQL injection and cross-site scripting (XSS), ensuring that only legitimate requests are processed by the application. This, in turn, improves the application’s availability and reduces operational costs.
The architecture you’ll provision in this Cloud Lab to demonstrate performance and security enhancements of the API is given below:
In this Cloud Lab, you’ll build a secure Product Catalog API on AWS by integrating multiple services. You’ll create a DynamoDB table and insert sample product data into it. Next, you’ll configure a Cognito user pool with an app client and domain to handle user authentication.
Using API Gateway, you’ll expose two endpoints:
Public: It retrieves all products via a DynamoDB scan and is open to everyone.
Private: It retrieves a specific product and is protected with Cognito authentication.
You’ll then deploy the API and expose it with a CloudFront distribution for global and cached access. Finally, you’ll enhance security by attaching AWS WAF with rate-limiting and managed rule sets, then test both public and private endpoints: the former is accessible directly, and the latter requires a Cognito JWT token.
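The WAF step above, sketched as an added example (not the lab's own code): it builds a web ACL definition with a rate-based rule and two AWS managed rule groups, then lints the structural mistakes that commonly break such an ACL. The ACL name, the rate limit of 1000 and the choice of `AWSManagedRulesCommonRuleSet` and `AWSManagedRulesSQLiRuleSet` are assumptions; the page does not name them.

```python
import json

def visibility(metric):
    # Every rule and the ACL itself need a VisibilityConfig.
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True, "MetricName": metric}

def managed_group(name, priority):
    # Managed rule groups take OverrideAction (None = keep the group's own actions).
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility(name)}

def build_web_acl(rate_limit=1000):
    # rate_limit (requests per IP per evaluation window) is an assumed value.
    rate_rule = {"Name": "RateLimitPerIP", "Priority": 0,
                 "Statement": {"RateBasedStatement": {"Limit": rate_limit,
                                                      "AggregateKeyType": "IP"}},
                 "Action": {"Block": {}},
                 "VisibilityConfig": visibility("RateLimitPerIP")}
    return {"Name": "product-catalog-acl",   # assumed name
            "Scope": "CLOUDFRONT",           # required for a CloudFront distribution
            "DefaultAction": {"Allow": {}},
            "Rules": [rate_rule,
                      managed_group("AWSManagedRulesCommonRuleSet", 1),
                      managed_group("AWSManagedRulesSQLiRuleSet", 2)],
            "VisibilityConfig": visibility("product-catalog-acl")}

def lint_web_acl(acl):
    """Return the structural mistakes that make WAF reject or misapply the ACL."""
    issues = []
    if acl.get("Scope") != "CLOUDFRONT":
        issues.append("Scope must be CLOUDFRONT to attach to a distribution")
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(priorities) != len(set(priorities)):
        issues.append("rule priorities must be unique")
    for r in acl["Rules"]:
        is_group = "ManagedRuleGroupStatement" in r["Statement"]
        if is_group and ("Action" in r or "OverrideAction" not in r):
            issues.append(f"{r['Name']}: rule groups use OverrideAction, not Action")
        if not is_group and "Action" not in r:
            issues.append(f"{r['Name']}: non-group rules need an Action")
        if "VisibilityConfig" not in r:
            issues.append(f"{r['Name']}: missing VisibilityConfig")
    return issues

if __name__ == "__main__":
    print(json.dumps(build_web_acl(), indent=2))
    print(lint_web_acl(build_web_acl()))
```

The printed structure follows the parameter shape of the WAFv2 `CreateWebACL` call; web ACLs with `CLOUDFRONT` scope are created through the `us-east-1` endpoint.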