
Cloud API Security — API Gateway, Rate Limiting & Auth Guide

DodaTech Updated 2026-06-24 5 min read

In this tutorial, you'll learn about Cloud API Security. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloud API security protects REST and GraphQL APIs from abuse, injection attacks, and unauthorized access using API gateways with authentication, Rate Limiting, request validation, and threat detection across AWS, Azure, and GCP.

What You Will Learn

How to secure APIs using cloud-native gateways, implement OAuth 2.0 and API key authentication, apply Rate Limiting and throttling, and protect against common API attacks.

Why It Matters

APIs are the primary attack surface for modern applications. Gartner predicts that API abuses will become the most frequent attack vector by 2027. Every public API needs authentication, throttling, and input validation.

Real-World Use

DodaTech's public API handles 10 million requests daily through AWS API Gateway. Each request requires a valid OAuth 2.0 token, requests over 100 per second per client are throttled, and request bodies are validated against a JSON schema before reaching the backend.

API Security Layers

flowchart LR
  Client[API Client] --> Auth["Authentication\nOAuth 2.0 / API Key"]
  Auth --> Rate["Rate Limiting\n100 req/s per client"]
  Rate --> Validate["Request Validation\nJSON Schema / Content-Type"]
  Validate --> Threat["Threat Detection\nSQLi / XSS / Injection"]
  Threat --> Backend[Backend Service]
  
  Audit["Audit Logging\nEvery Request"] --> Auth
  Audit --> Backend
  
  style Auth fill:#f90,color:#fff
  style Rate fill:#390,color:#fff

AWS API Gateway Security

API Gateway supports several authentication methods: IAM (SigV4-signed requests), Cognito user pools, Lambda authorizers, and API keys. Two points are easy to get wrong. API keys identify a client for metering through usage plans; they are not authentication, so pair them with IAM, Cognito or a Lambda authorizer. And the stage-level throttling settings cap the stage as a whole, so a per-client limit needs a usage plan with one API key per client.

# Create a REST API and keep its ID (the abc123 placeholder in the
# original commands) for the calls that follow
API_ID=$(aws apigateway create-rest-api \
  --name "Secure API" \
  --endpoint-configuration types=REGIONAL \
  --query 'id' --output text)

# Get the root resource ID
ROOT_ID=$(aws apigateway get-resources --rest-api-id "$API_ID" \
  --query "items[?path=='/'].id" --output text)

# GET on the root resource requires SigV4-signed requests (IAM auth) and an
# API key, so the usage plan below can meter each client separately
aws apigateway put-method \
  --rest-api-id "$API_ID" \
  --resource-id "$ROOT_ID" \
  --http-method GET \
  --authorization-type AWS_IAM \
  --api-key-required

# Every method needs an integration before the API can be deployed;
# MOCK stands in for the real backend here (use AWS_PROXY for Lambda)
aws apigateway put-integration \
  --rest-api-id "$API_ID" --resource-id "$ROOT_ID" --http-method GET \
  --type MOCK --request-templates '{"application/json": "{\"statusCode\": 200}"}'
aws apigateway put-method-response \
  --rest-api-id "$API_ID" --resource-id "$ROOT_ID" --http-method GET --status-code 200
aws apigateway put-integration-response \
  --rest-api-id "$API_ID" --resource-id "$ROOT_ID" --http-method GET --status-code 200

# Deploy the API; this creates the prod stage
aws apigateway create-deployment \
  --rest-api-id "$API_ID" \
  --stage-name prod
# Output:
# {
#   "id": "abc123def",
#   "createdDate": "2026-06-24T10:00:00Z"
# }

# Stage-level throttling caps the stage as a whole, not each client; the
# stage must exist (the deployment above) before it can be patched
aws apigateway update-stage \
  --rest-api-id "$API_ID" \
  --stage-name prod \
  --patch-operations '[
    {"op": "replace", "path": "/*/*/throttling/rateLimit", "value": "100"},
    {"op": "replace", "path": "/*/*/throttling/burstLimit", "value": "200"}
  ]'

# Per-client limits: a usage plan bound to the stage, plus one API key per
# client attached to that plan
PLAN_ID=$(aws apigateway create-usage-plan \
  --name "Standard" \
  --api-stages apiId="$API_ID",stage=prod \
  --throttle '{"rateLimit": 100, "burstLimit": 200}' \
  --quota '{"limit": 1000000, "period": "DAY"}' \
  --query 'id' --output text)

KEY_ID=$(aws apigateway create-api-key --name "client-a" --enabled \
  --query 'id' --output text)

aws apigateway create-usage-plan-key \
  --usage-plan-id "$PLAN_ID" \
  --key-id "$KEY_ID" \
  --key-type API_KEY
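Of the four authorizer types, the Lambda authorizer is the one whose logic you write yourself, so it is where mistakes such as trusting the token's own alg header or returning an Allow on a wildcard resource creep in. The following is an added example, not code from this page or from DodaTech: a stdlib-only REQUEST authorizer that verifies an HS256 bearer token and returns the policy document API Gateway expects. The signing secret, issuer, audience and the mint_token helper are assumptions made so the example runs offline; a real deployment would verify RS256 tokens from Cognito or another IdP against its JWKS and load any secret from Secrets Manager.

```python
"""Added example: a stdlib-only API Gateway Lambda REQUEST authorizer.

Verifies an HS256 bearer token and returns the IAM policy document API
Gateway expects. The secret, issuer, audience and mint_token() are
assumptions made so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_SECRET = b"assumed-shared-secret-load-from-secrets-manager"  # placeholder
EXPECTED_ISSUER = "https://auth.example.com/"                        # placeholder
EXPECTED_AUDIENCE = "secure-api"                                     # placeholder


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims: dict) -> str:
    """Issue an HS256 token; only here to build input for the authorizer."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if alg, signature, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token choose it (alg=none).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def build_policy(principal_id, effect, method_arn, context=None) -> dict:
    """The response shape API Gateway requires from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def handler(event: dict, context=None) -> dict:
    """Lambda entry point. Anything that is not a valid bearer token is denied."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    claims = verify_token(token.strip()) if scheme.lower() == "bearer" else None
    if claims is None or "sub" not in claims:
        return build_policy("anonymous", "Deny", event["methodArn"])
    # Allow only the method that was invoked, and pass the scope to the backend.
    return build_policy(claims["sub"], "Allow", event["methodArn"],
                        {"scope": claims.get("scope", "")})
```

Deploy it as the Lambda behind an authorizer of type REQUEST with identity source method.request.header.Authorization. API Gateway caches the returned policy per identity source for the authorizer's TTL, which is why the Allow is scoped to the invoked methodArn rather than a wildcard resource.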

Azure API Management

Azure API Management provides a full API gateway whose behaviour is driven by XML policies applied at global, product, API or operation scope, covering token validation, Rate Limiting and request/response transformation.

# Create an API Management instance (Premium provisioning takes well over
# half an hour; --no-wait returns immediately)
az apim create \
  --name prod-apim \
  --resource-group prod-rg \
  --publisher-name DodaTech \
  --publisher-email admin@dodatech.com \
  --sku-name Premium \
  --no-wait

# Import an API from an OpenAPI spec
az apim api import \
  --resource-group prod-rg \
  --service-name prod-apim \
  --api-id my-api \
  --path /api/v1 \
  --specification-path ./openapi.json \
  --specification-format OpenApiJson

# Inbound policy: validate the Azure AD bearer token, then rate limit per
# caller. validate-jwt is what enforces OAuth 2.0 on requests; registering an
# authorization server in APIM only configures the developer portal's test
# console and rejects nothing. A plain <rate-limit> counts per APIM
# subscription, so key the counter on the token subject instead.
cat > policy.xml <<'EOF'
<policies>
  <inbound>
    <base />
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Not authorized">
      <openid-config url="https://login.microsoftonline.com/tenant-id/v2.0/.well-known/openid-configuration" />
      <audiences>
        <!-- placeholder: the Application ID URI of your app registration -->
        <audience>api://my-api</audience>
      </audiences>
    </validate-jwt>
    <rate-limit-by-key calls="100" renewal-period="60"
                       counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject)" />
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
EOF

# The az CLI has no command for API policies; apply the XML through the
# Resource Manager REST API at API scope
SUB_ID=$(az account show --query id --output text)
az rest --method put \
  --url "https://management.azure.com/subscriptions/$SUB_ID/resourceGroups/prod-rg/providers/Microsoft.ApiManagement/service/prod-apim/apis/my-api/policies/policy?api-version=2022-08-01" \
  --body "$(jq -n --rawfile xml policy.xml '{properties: {format: "rawxml", value: $xml}}')"

GCP Apigee

Apigee provides enterprise-grade API management with security policies, analytics, and developer portals.

# Provision Apigee X for the project (one organization per project;
# provisioning takes the better part of an hour)
gcloud alpha apigee organizations provision \
  --project my-project \
  --analytics-region us-central1 \
  --authorized-network prod-vpc

# Import the API proxy bundle through the Apigee management API
# (gcloud deploys proxies but does not import bundles)
TOKEN=$(gcloud auth print-access-token)
curl -sS -X POST \
  "https://apigee.googleapis.com/v1/organizations/my-project/apis?name=secure-api&action=import" \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@./api-proxy.zip"

# Rate limiting (SpikeArrest / Quota) and OAuthV2 VerifyAccessToken are
# policies inside the bundle: put their XML under apiproxy/policies/ and
# attach them to the ProxyEndpoint PreFlow before zipping, then deploy
# revision 1 to the prod environment
gcloud apigee apis deploy 1 \
  --organization my-project \
  --environment prod \
  --api secure-api

# Enforce API key verification for every proxy in the environment by
# attaching a shared flow to the pre-proxy flow hook
curl -sS -X PUT \
  "https://apigee.googleapis.com/v1/organizations/my-project/environments/prod/flowhooks/PreProxyFlowHook" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"sharedFlow": "verify-api-key"}'

API Threat Protection

Validate request sizes and content types at the gateway, reject anything that fails the JSON schema, and put a web application firewall (AWS WAF, Azure Application Gateway or Front Door WAF, Google Cloud Armor) in front of the gateway for SQL injection and XSS pattern matching. Treat pattern blocking as a backstop rather than the control: WAF signatures can be bypassed, so the backend must still use parameterized queries and output encoding.

Common Mistakes

  1. No authentication on public APIs: APIs without authentication are fully open. Even internal APIs should require a service-account or IAM credential; an API key alone only identifies a client for metering and is easily leaked or shared.
  2. No Rate Limiting: Without Rate Limiting, a single misbehaving client or DDoS attack can take down the API. Always set per-client rate limits.
  3. Exposing sensitive data in error messages: Detailed error messages leak stack traces, database schemas, and internal state. Return generic error messages to clients.
  4. No request validation: JSON schema validation prevents malformed payloads. Always validate request structure, field types, and size limits.
  5. CORS Misconfiguration: Overly permissive CORS headers allow cross-origin attacks. Restrict CORS to specific trusted origins.
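To make the threat-protection layer and the mistakes above concrete, here is an added example (not the page's or DodaTech's code) of the per-request checks a gateway performs between authentication and the backend: a per-client token bucket with the same 100 req/s rate and 200 burst as the stage settings earlier, a 1 MB body cap, a Content-Type check, a small allow-list schema check standing in for full JSON Schema, an origin allow-list, and error responses that stay generic while the detailed reason goes only to the audit log. The payment schema, the allowed origin and the request dict layout are assumptions for the example.

```python
"""Added example (not the page's or DodaTech's code): the per-request checks a
gateway runs between authentication and the backend. Stdlib only. The payment
schema, the allowed origin and the request dict layout are assumptions."""
import json
import time

MAX_BODY_BYTES = 1024 * 1024                   # 1 MB body cap
RATE_PER_SECOND, BURST = 100.0, 200.0          # same figures as the stage throttling
ALLOWED_ORIGINS = {"https://app.example.com"}  # assumed trusted origin

# Allow-list schema: field -> (python type, required). Assumed payment shape.
PAYMENT_SCHEMA = {"amount_cents": (int, True), "currency": (str, True), "reference": (str, False)}


class TokenBucket:
    """Refills `rate` tokens per second up to `burst`; each request costs one."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def validate(payload, schema):
    """None if payload matches the allow-list schema, else a reason for the audit log."""
    if not isinstance(payload, dict):
        return "payload is not an object"
    for name, (ftype, required) in schema.items():
        if name not in payload:
            if required:
                return f"missing field {name}"
            continue
        # bool is an int subclass in Python, so reject it explicitly for int fields.
        if isinstance(payload[name], bool) or not isinstance(payload[name], ftype):
            return f"field {name} has wrong type"
    extra = sorted(set(payload) - set(schema))
    return f"unexpected fields {extra}" if extra else None


class Gateway:
    def __init__(self, rate=RATE_PER_SECOND, burst=BURST):
        self.rate, self.burst, self.buckets = rate, burst, {}

    @staticmethod
    def _reject(status, reason):
        # The client sees a generic body; the specific reason goes only to the audit log.
        return {"status": status, "body": {"error": "request rejected"}, "audit": reason}

    def handle(self, req, now=None):
        """req: {"client_id", "headers" (lower-case keys), "body" (bytes)}."""
        now = time.monotonic() if now is None else now
        headers = req.get("headers", {})
        # 1. Throttle per authenticated client before doing any other work.
        bucket = self.buckets.setdefault(req["client_id"], TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            return self._reject(429, "rate limit exceeded")
        # 2. Browser callers: only allow-listed origins, never a wildcard.
        origin = headers.get("origin")
        if origin is not None and origin not in ALLOWED_ORIGINS:
            return self._reject(403, f"origin not allowed: {origin}")
        # 3. Size and content type before parsing anything.
        body = req.get("body", b"")
        if len(body) > MAX_BODY_BYTES:
            return self._reject(413, "body too large")
        if headers.get("content-type", "").split(";")[0].strip() != "application/json":
            return self._reject(415, "unsupported content type")
        # 4. Parse, then validate structure and types against the allow-list.
        try:
            payload = json.loads(body)
        except ValueError:
            return self._reject(400, "malformed JSON")
        problem = validate(payload, PAYMENT_SCHEMA)
        if problem:
            return self._reject(400, problem)
        # 5. Forward to the backend (echoed here); reflect only an allow-listed origin.
        resp = {"status": 200, "body": {"accepted": payload["amount_cents"]}, "audit": "ok"}
        if origin is not None:
            resp["headers"] = {"access-control-allow-origin": origin}
        return resp
```

The order matters: throttling runs first so an abusive client cannot make the gateway parse a megabyte of JSON on every call, and size is checked before Content-Type and parsing so nothing oversized is ever decoded.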

Practice Questions

  1. What authentication methods does AWS API Gateway support?
  2. How does Azure API Management enforce Rate Limiting at the API level?
  3. What security policies does GCP Apigee provide for API protection?
  4. Why should API request bodies be validated against a schema?
  5. How does Rate Limiting protect against API abuse?

Challenge

Create a secure API for a payment processing service. Use AWS API Gateway with Cognito user pool authentication, 50 requests per second Rate Limiting per client (a usage plan with one API key per client, since stage-level throttling is not per client), JSON schema validation on the request body, and a 1 MB request size limit. Deploy the API, then test it: send requests with a valid token faster than 50 per second and confirm the excess returns 429, and send a request with an invalid token and confirm it returns 401. Write the equivalent configuration for Azure API Management.

FAQ

What is API security in the cloud?

The practice of protecting cloud-hosted APIs through authentication, Rate Limiting, input validation, and threat detection.

How does API Gateway authentication work?

API Gateway can use IAM roles, Cognito user pools, Lambda authorizers, or API keys to verify the identity of API callers.

What is Rate Limiting in API Management?

Rate Limiting restricts the number of API calls a client can make within a time window, preventing abuse and ensuring fair usage.

Does Apigee support OAuth 2.0?

Yes. Apigee's OAuthV2 policy can issue and verify tokens for the authorization code, implicit, client credentials and resource owner password grant types. Prefer authorization code (with PKCE for public clients) and client credentials; the implicit and password grants are deprecated by the OAuth 2.0 Security Best Current Practice and should not be enabled for new APIs.

Why is request validation important for API security?

Request validation ensures that only well-formed payloads reach backend services, blocking injection attacks, malformed data, and oversized requests.
