
I deployed my Java Spring Boot application with AWS Elastic Beanstalk as my backend server serving requests from my frontend React web application deployed in AWS S3 bucket. It is then served via AWS Cloudfront.

Now I have configured the Security Group of my EC2 instances to only accept incoming requests from my application load balancer so that part is secured but the application load balancer still accepts requests from the public via port 443 HTTPS.

I want to only allow end users accessing my website to be able to call the api.xxxx.com and no one should be able to make any requests to api.xxxx.com directly. I have configured CORS origin to only allow from my xxxx.com domain but I can still make API calls directly to api.xxxx.com via Postman locally which should not happen. By default the application load balancer created by Elastic Beanstalk allows connection from 0.0.0.0.

I have tried to configure my load balancer’s security group’s source to my S3 bucket and cloudfront’s prefix on port 80 – https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/ but that made the website not able to make API calls to the Elastic Beanstalk URL at all.

Rough Architecture Diagram


Internet (end users) -> AWS Cloudfront -> AWS S3 Bucket (React Web App) 
|                                                           |
v                                                           |
AWS Elastic Beanstalk (to fetch data) <---------------------|

I am aware that hosting Elastic Beanstalk app in private subnet would be able to secure the endpoints but at this point I want to save cost and host in public subnet since I would need NAT Gateway to route the requests from public subnet to private subnet.

How can I then secure the connection to my Elastic Beanstalk and only allow the website to make API calls from the root domain?

2 Answers


  1. I have tried to configure my load balancer’s security group’s source to my S3 bucket and cloudfront’s prefix on port 80 – https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/ but that made the website not able to make API calls to the Elastic Beanstalk URL at all.

    That won’t work at all. The React web app does not run in the S3 bucket (or CloudFront). The S3 bucket (and CloudFront) just serves the raw files up to your end user’s web browsers. The code runs in each user’s web browser. The source IP of the backend API requests would be the IP address of each user’s laptop/desktop computer. There is no way to lock that down further in the security group unless you know the IP address of every user of your application.

    I am aware that hosting Elastic Beanstalk app in private subnet would be able to secure the endpoints but at this point I want to save cost and host in public subnet since I would need NAT Gateway to route the requests from public subnet to private subnet.

    If you moved the load balancer to a private subnet, with a NAT Gateway, nobody would be able to access the load balancer at all. That would completely remove the load balancer from the Internet. Moving the EC2 instances to private subnets would only lock down how those EC2 instances access the Internet when they do things like downloading OS security updates. The security group configuration already has the EC2 instances locked down so that only the load balancer can access them.


    If you want to lock down your backend so that only requests originating from your website’s domain are accepted, you would do that via an HTTP Host header validation inside your application server. Note that this is trivial to "spoof" in HTTP requests, so it doesn’t really add much security.

  2. @Mark B has covered almost all the points. I just had one more thing, which can add a little extra security.

    You can configure your Application Load Balancer to only forward requests that contain a specific header. Refer to this link to learn how to do this.


    Though, this would still allow Postman or other clients if they also include the same header while hitting your API. However, this can potentially reduce the number of attacks from bots if they blindly hit your API.

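Both answers come down to header checks, which can also be enforced inside the Spring Boot application itself. The filter below is an added example and is not code from either answer or from the original poster's project. It assumes Spring Boot 3 (Jakarta Servlet API); the domain names, the `X-Site-Token` header, the `SITE_TOKEN` environment variable and the `/actuator/health` path are all assumptions to be replaced with your own values. It validates the Host and Origin headers as answer 1 describes and requires a shared header value as an in-app counterpart to the load balancer rule in answer 2, while handling the two things that silently break such a setup: the CORS preflight, which never carries custom headers, and the load balancer health check, which carries no Origin header.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.Set;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example, not the original poster's code: rejects API requests whose
 * Host/Origin headers do not match the site's domains and, as an in-app
 * equivalent of the ALB header rule, requires a shared header value.
 * Every one of these headers is client-controlled, so this only filters out
 * bots and accidental callers; it is not authentication.
 */
@Component
public class OriginHeaderFilter extends OncePerRequestFilter {

    // Assumed domain names; replace with your own.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.xxxx.com");
    private static final Set<String> ALLOWED_ORIGINS =
            Set.of("https://xxxx.com", "https://www.xxxx.com");

    // Assumed header name and value source; mirrors the ALB rule from answer 2.
    static final String REQUIRED_HEADER = "X-Site-Token";
    private static final String REQUIRED_VALUE =
            System.getenv().getOrDefault("SITE_TOKEN", "change-me");

    // Assumed health-check path. The ALB health check sends no Origin header,
    // so it must bypass this filter or every instance is marked unhealthy.
    private static final String HEALTH_PATH = "/actuator/health";

    @Override
    protected boolean shouldNotFilter(HttpServletRequest req) {
        return HEALTH_PATH.equals(req.getRequestURI());
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        Verdict v = check(req.getMethod(), req.getHeader("Host"),
                          req.getHeader("Origin"), req.getHeader(REQUIRED_HEADER));
        if (!v.allowed()) {
            // 403 with a stable reason string: cheap to count and alert on in the ALB/app logs.
            res.sendError(HttpServletResponse.SC_FORBIDDEN, v.reason());
            return;
        }
        chain.doFilter(req, res);
    }

    /** Pure decision logic, separated so it can be unit-tested without a servlet container. */
    static Verdict check(String method, String host, String origin, String token) {
        // Host may arrive as "api.xxxx.com:443"; compare the name only.
        String bareHost = host == null ? "" : host.split(":", 2)[0].toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(bareHost)) {
            return new Verdict(false, "unexpected Host header");
        }
        // xxxx.com -> api.xxxx.com is cross-origin, so browsers always send Origin here.
        if (origin == null || !ALLOWED_ORIGINS.contains(origin.toLowerCase(Locale.ROOT))) {
            return new Verdict(false, "missing or unexpected Origin header");
        }
        // A CORS preflight never carries custom headers, so the token check
        // must skip OPTIONS or every browser call is blocked before it starts.
        if (!"OPTIONS".equalsIgnoreCase(method)) {
            byte[] got = token == null ? new byte[0] : token.getBytes(StandardCharsets.UTF_8);
            byte[] want = REQUIRED_VALUE.getBytes(StandardCharsets.UTF_8);
            // Constant-time compare; isEqual returns false for differing lengths.
            if (!MessageDigest.isEqual(got, want)) {
                return new Verdict(false, "missing or wrong " + REQUIRED_HEADER);
            }
        }
        return new Verdict(true, "ok");
    }

    record Verdict(boolean allowed, String reason) {}
}
```

The React app has to send `X-Site-Token` on every call, and the Spring CORS configuration has to list that header under allowed headers, or the preflight fails before the filter is reached. Because the value ships inside the browser bundle, anyone can read it and replay it from Postman, exactly as answer 2 says; what it buys is cheap rejection of scanners that never read the bundle and a consistent 403 you can count in the logs.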