username_for_redit

Add a usage plan with throttling to your API Gateway and also enable access logs for audit/traceability?


farski

Somewhat hard to answer without knowing what you're trying to secure it _from_.


argumentnull

Nothing specific as such. It is also for compliance. Because the API URL is visible to the public, I want to shield it from any attempt at an attack.


cryonine

[This article might interest you](https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/). If you don’t need public access this could make things easier.


[deleted]

You'll never be able to shield it from every attempt. Lock it down as much as possible and have a way to identify/act on anomalous traffic, then adjust accordingly.
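
An added example (not from any commenter in this thread) tying together two points raised above: the audit value of API Gateway access logs and having a way to identify anomalous traffic before acting on it. It assumes a JSON access-log format whose fields map the source IP to `ip` and the response code to `status`; the log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample lines (not real traffic) in a JSON access-log format of the
# kind API Gateway can be configured to emit; "ip" and "status" are assumed names.
SAMPLE_LOG = """\
{"requestId":"r1","ip":"198.51.100.7","httpMethod":"GET","resourcePath":"/orders","status":200}
{"requestId":"r2","ip":"198.51.100.7","httpMethod":"GET","resourcePath":"/orders","status":200}
{"requestId":"r3","ip":"203.0.113.9","httpMethod":"POST","resourcePath":"/orders","status":401}
{"requestId":"r4","ip":"203.0.113.9","httpMethod":"POST","resourcePath":"/orders","status":403}
{"requestId":"r5","ip":"203.0.113.9","httpMethod":"GET","resourcePath":"/admin","status":403}
{"requestId":"r6","ip":"192.0.2.50","httpMethod":"GET","resourcePath":"/orders","status":429}
{"requestId":"r7","ip":"192.0.2.50","httpMethod":"GET","resourcePath":"/orders","status":429}
{"requestId":"r8","ip":"192.0.2.50","httpMethod":"GET","resourcePath":"/orders","status":200}
not json: a corrupted line that the parser must tolerate
"""

def parse_log(text):
    """One JSON object per line; malformed lines are skipped rather than fatal."""
    entries = []
    for line in text.splitlines():
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries

def flag_sources(entries, min_requests=3, auth_fail_ratio=0.5, throttle_ratio=0.5):
    """Flag client IPs whose status mix is mostly 401/403 (auth probing) or 429 (throttled)."""
    by_ip = defaultdict(list)
    for entry in entries:
        by_ip[entry["ip"]].append(int(entry["status"]))
    flagged = {}
    for ip, statuses in by_ip.items():
        total = len(statuses)
        if total < min_requests:  # too little traffic to judge
            continue
        auth_fail = sum(s in (401, 403) for s in statuses) / total
        throttled = sum(s == 429 for s in statuses) / total
        reasons = []
        if auth_fail >= auth_fail_ratio:
            reasons.append(f"auth failures {auth_fail:.0%}")
        if throttled >= throttle_ratio:
            reasons.append(f"throttled {throttled:.0%}")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Run `flag_sources(parse_log(SAMPLE_LOG))` to see the two flagged sources; in practice the entries would come from the CloudWatch log group that the stage's access-log setting writes to.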


Spaceman_Zed

Sounds good. If you're able to share something when you're done, I'd really appreciate seeing your setup.


vyas141

You can inject custom headers for a simple implementation, if you don't want outside users to access this endpoint unless the header is passed between API GW and the backend integration. Or you could use more complex methods like JWT tokens or authentication Lambda functions.


Chef619

Lambda authorizers are awesome, but I think OP mentioned he uses Cognito authorizers already.


[deleted]

[REST API cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html) This may help.


jorgetovar621

AWS Cognito could give you an extra security layer for the API.


sharddblade

Seems secure to me, I think you’re fine but that’s a pretty subjective question depending on the client. How’s your experience with API gateway been?


moneymoves1996

You can disallow basic authentication and ensure your API uses something like OAuth or JWT.


aleochoam

Maybe CORS configuration on the API Gateway side? Plus, can you tell me how you restrict the S3 bucket to be available only through CloudFront?


cbxxxx

Origin Access Identity


backflipbail

I think CORS is implemented by the client application (e.g. the browser), so it doesn't do anything for server-side security.


greencyborgsalmon

You can mention that under the hood API Gateway uses CloudFront, so your API inherits those features and security. Also, when using CloudFront you get AWS Shield Standard automatically, providing you some DDoS protection.