Securing AI APIs with API Gateway Usage Plans

Question

Pulumi · Accepted Answer

When you're working with AWS and Pulumi, securing your APIs is a critical step. One of the tools AWS provides for securing APIs is the API Gateway, which can control how clients access your APIs. One feature of the API Gateway is the Usage Plan, which gives you control over who can access your API and how frequently they can call it.

A Usage Plan can specify a throttle to limit the number of API requests users can make within a defined time interval, and it can also configure a quota which limits the total number of requests that can be made in a given time period (day, week, or month). Usage Plans can be associated with API Keys that clients must use to access your API, providing a level of security and abuse protection.

Here's how you would set up an API Gateway with a Usage Plan using Pulumi:

1. Create an API Gateway (Rest API).
2. Define the resources and methods for the API.
3. Create a Usage Plan.
4. Associate the Usage Plan with your API gateway.
5. (Optional) Generate or import API Keys and associate them with the Usage Plan.

Now, let's look at some Python code that defines a secure API Gateway with a Usage Plan using Pulumi.

```python
import pulumi
import pulumi_aws as aws

# Create an AWS API Gateway (Rest API)
rest_api = aws.apigateway.RestApi("MySecureApi",
    description="This is my API for demonstration purposes")

# Define a resource within the API Gateway
resource = aws.apigateway.Resource("MyResource",
    rest_api_id=rest_api.id,
    parent_id=rest_api.root_resource_id,
    path_part="myresource")

# Define a GET method for the resource
get_method = aws.apigateway.Method("MyGetMethod",
    rest_api_id=rest_api.id,
    resource_id=resource.id,
    http_method="GET",
    authorization="NONE")

# Create a Usage Plan to manage API access
usage_plan = aws.apigateway.UsagePlan("MyUsagePlan",
    name="DailyUsagePlan",
    description="A daily usage plan for our API",
    api_stages=[{
        "apiId": rest_api.id,
        "stage": get_method.stage_name,
    }],
    # Define the quota (e.g., max requests per day)
    quota_settings={
        "limit": 1000,
        "offset": 1,
        "period": "DAY",
    },
    # Define the rate limit (e.g., requests per second)
    throttle_settings={
        "rateLimit": 5,
        "burstLimit": 10
    })

# (Optional) Create an API Key to use with the Usage Plan
api_key = aws.apigateway.ApiKey("MyApiKey",
    description="API Key for MySecureApi")

# Associate the API Key with the Usage Plan
usage_plan_key = aws.apigateway.UsagePlanKey("MyUsagePlanKey",
    key_id=api_key.id,
    key_type="API_KEY",
    usage_plan_id=usage_plan.id)

# Export the API's invocation URL for easy access
pulumi.export('invoke_url', pulumi.Output.concat("https://", rest_api.execution_arn, ".amazonaws.com/"))

# Export the API Key (NOT recommended for production, only for initial testing)
pulumi.export('api_key', api_key.value)
```

This Pulumi program would provision an AWS API Gateway with a single resource and a GET method. The Usage Plan is set to allow up to 1000 requests per day with a rate limit of 5 requests per second and a burst capability of 10 requests at a time. An API Key is also generated and associated with the Usage Plan, which would be used to throttle and control access to the API.

**Please note**: Exporting the API Key value, as shown in the last line, is not recommended for production environments. Generally, you'd want to keep such sensitive information out of your outputs.

Remember to install the Pulumi AWS SDK using pip if you haven't done so:

```bash
pip install pulumi_aws
```

After writing the above code in a `__main__.py` file, you can deploy the infrastructure using Pulumi CLI commands:

```bash
pulumi up
```

This command will prompt you to review the changes before they are applied to your AWS environment. After confirmation, Pulumi proceeds with the creation of the specified resources.