amazon-cloudfront-api-key-rotator
Advanced tools
Automatic API key rotation for CloudFront with Secrets Manager and Lambda
In many architectures using Amazon CloudFront with API Gateway, an API key is used to secure communication between CloudFront and the origin (API Gateway). This key is typically passed as a custom header in requests from CloudFront to the origin. While this setup enhances security, it's crucial to regularly rotate these API keys to maintain a robust security posture.
This project provides an automated solution for rotating API keys used in CloudFront distributions. It leverages AWS Lambda and Secrets Manager to securely generate, test, and update API keys without manual intervention.
The automated rotation process consists of four main steps:
exceptions.py: Defines custom exceptions for the rotation process.utils.py: Contains utility functions for interacting with CloudFront, Secrets Manager, and performing key rotation steps.handler.py: Implements the Lambda function handler that orchestrates the rotation process.Build and deploy a Lambda function that contains the amazon-cloudfront-api-key-rotator using your preferred method (e.g., AWS Console, CloudFormation, or Terraform). Function configuration:
api_key_rotator.handler.lambda_handlerConfigure Secrets Manager to use this Lambda function for rotation.
| Variable | Description | Default Value |
|---|---|---|
CLOUDFRONT_DISTRIBUTION_ID | ID of the CloudFront distribution to update | None (Required) |
HEADER_NAME | Name of the custom header for the API key | "x-origin-verify" |
ORIGIN_URL | URL of the origin (API Gateway) to test the rotated API key against | None (Required) |
SECRET_KEY_NAME | Key name for storing the API key in Secrets Manager | "HTTP_API_KEY" |
SECRET_KEY_LENGTH | Length of the generated API key | 32 |
Ensure the Lambda function has the necessary permissions to:
Manage secrets in AWS Secrets Manager:
secretsmanager:GetSecretValuesecretsmanager:PutSecretValuesecretsmanager:DescribeSecretsecretsmanager:UpdateSecretVersionStageAccess and update CloudFront distributions:
cloudfront:GetDistributioncloudfront:GetDistributionConfigcloudfront:UpdateDistributionHere's a basic example of how to use the rotator in your AWS environment:
Create a secret in AWS Secrets Manager with the initial API key:
{
"HTTP_API_KEY": "your-initial-api-key"
}
Configure the secret to use the Lambda function for rotation.
Update your CloudFront distribution to use the custom header (e.g., "x-origin-verify") with the current API key value.
The rotation will occur automatically based on the rotation schedule you set in Secrets Manager.
This project is licensed under the MIT License. See the LICENSE file for details.
This software product is not affiliated with, endorsed by, or sponsored by Amazon Web Services (AWS) or Amazon.com, Inc. The use of the term "AWS" is solely for descriptive purposes to indicate that the software is compatible with AWS services. Amazon Web Services and AWS are trademarks of Amazon.com, Inc. or its affiliates.
FAQs
Automatic API key rotation for CloudFront with Secrets Manager and Lambda
We found that amazon-cloudfront-api-key-rotator demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.