FIDMANN-TECH/Setting_Up_Secure_Authentication_to_AWS_API

📘 Project: Setting Up Secure Authentication to AWS API

1️⃣ Project Overview

This project demonstrates how to set up secure authentication to AWS APIs using IAM Policies, AWS CLI, AWS Lambda, and API Gateway.

The goal is to implement robust authentication mechanisms that restrict access to AWS resources through APIs, ensuring only authorized requests can invoke protected services.

2️⃣ Objectives

  • Create a dedicated IAM User for API authentication.
  • Install & configure the AWS CLI for secure access.
  • Deploy a Lambda Function as the backend for API Gateway.
  • Create and configure an API Gateway resource (/login) with a POST method.
  • Enable secure permissions for API Gateway to invoke Lambda.
  • Deploy and test the API securely from the terminal using curl.

3️⃣ Prerequisites

  • An AWS Account
  • Installed AWS CLI v2
  • Basic knowledge of AWS services: IAM, Lambda, API Gateway

4️⃣ Implementation Steps

Step 1: Create an IAM Role

  • Created an IAM role to encapsulate permissions required for managing EC2 and S3 resources.
  • This role provides the trust relationship and access model for automation.

Step 2: Create an IAM Policy

Policy granting full access to EC2 and S3:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}

Step 3: Create an IAM User (automation_user)

  • Created a user named automation_user.
  • This will serve as the primary entity used by scripts to interact with AWS APIs.

Step 4: Assign User to IAM Role

  • Linked automation_user to the created IAM role.
  • Ensures the user inherits necessary permissions.

Step 5: Attach Policy to User

  • Attached the EC2 + S3 full access policy to automation_user.
  • Ensures explicit permission enforcement.

Step 6: Create Programmatic Credentials

  • Generated Access Key ID and Secret Access Key for automation_user.
  • These are required for authentication via AWS CLI and scripts.

Step 7: Configure AWS CLI

  • Configured AWS CLI with the generated credentials and confirmed which identity the CLI authenticates as:

aws configure
aws sts get-caller-identity

5️⃣ API Gateway + Lambda Setup

With secure authentication configured, the next step is to deploy a Lambda-backed API.

Step 1: Create Lambda Function

Python Lambda handler:

def lambda_handler(event, context):
    # An AWS_PROXY integration expects a dict with statusCode and a string body.
    return {
        'statusCode': 200,
        'body': "Hello from Zappy Lambda!"
    }

Step 2: Create API Gateway Resource

  • Created /login resource under the root.
  • Configured POST method.
  • Integrated method with Lambda using AWS_PROXY.

Step 3: Add Permission for API Gateway to Invoke Lambda

aws lambda add-permission \
  --function-name zappyLambda \
  --statement-id apigateway-test-1 \
  --action lambda:InvokeFunction \
  --principal apigateway.amazonaws.com \
  --source-arn "arn:aws:execute-api:us-east-1:<ACCOUNT_ID>:<API_ID>/*/POST/login"

Step 4: Deploy API Gateway

aws apigateway create-deployment \
  --rest-api-id "<API_ID>" \
  --stage-name dev \
  --region us-east-1

Step 5: Test API Endpoint

curl -X POST "https://<API_ID>.execute-api.us-east-1.amazonaws.com/dev/login"

✅ Response:

Hello from Zappy Lambda!

6️⃣ Verification

Unauthorized requests return:

{"message": "Missing Authentication Token"}

Authorized POST /login requests return:

Hello from Zappy Lambda!
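
Because API Gateway also answers "Missing Authentication Token" for a path or method that is not defined, the following added example (not part of the original project) checks the configuration itself: it flags a method whose authorizationType is NONE in aws apigateway get-method output, and any Allow statement that pairs service-wide actions with "Resource": "*". The function names, the sample get-method output and the scoped policy are constructed for illustration; the first policy is the one from Step 2.

```python
import json

# Policy document from Step 2 of this page.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}
""")

# Constructed alternative scoped to the one call this API exposes (placeholders kept).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "execute-api:Invoke",
        "Resource": "arn:aws:execute-api:us-east-1:<ACCOUNT_ID>:<API_ID>/dev/POST/login",
    }],
}

# Constructed samples shaped like `aws apigateway get-method` output.
OPEN_METHOD = {"httpMethod": "POST", "authorizationType": "NONE", "apiKeyRequired": False}
IAM_METHOD = {"httpMethod": "POST", "authorizationType": "AWS_IAM", "apiKeyRequired": False}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_method(method):
    """Flag a method that API Gateway will serve without any authorizer."""
    if method.get("authorizationType", "NONE") == "NONE":
        return [f"{method.get('httpMethod')}: authorizationType NONE, unsigned requests are accepted"]
    return []


def audit_policy(policy):
    """Flag Allow statements that pair service-wide actions with Resource "*"."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if stmt.get("Effect") == "Allow" and broad and "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"Allow {', '.join(broad)} on every resource")
    return findings


if __name__ == "__main__":
    for finding in audit_method(OPEN_METHOD) + audit_policy(PAGE_POLICY):
        print(finding)
```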

7️⃣ Conclusion

In this project, we successfully:

  • Created IAM roles, policies, and users for secure access.

  • Configured AWS CLI for programmatic authentication.

  • Designed and deployed a Lambda function with API Gateway.

  • Ensured only authenticated API requests succeed.

This validates that IAM policies and API Gateway authentication provide robust mechanisms to prevent unauthorized access while enabling controlled API interaction.

Below are the screenshots of the workflow:

[Screenshots: AWS-CLI, IAM-role-created, aws-console-role, IAM-policy-created, aws-console, IAM-user-created, aws-console-user, IAM-policy-attached-role, IAM-policy-attached-usr, programmatic-access, aws-configure, automation-out-table, lambda-role-created, attached-la, lambda-function, lambda-test, API-created, aws-console-api, get-resource-parent-id, resource-created, method-created, lambda-permission-added, integration-login, api-deployed, unauthorize-access, endpoint-tested]
