Cloud API Security — API Gateway, Rate Limiting & Auth Guide
In this tutorial, you'll learn about Cloud API Security. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloud API security protects REST and GraphQL APIs from abuse, injection attacks, and unauthorized access using API gateways with authentication, Rate Limiting, request validation, and threat detection across AWS, Azure, and GCP.
What You Will Learn
How to secure APIs using cloud-native gateways, implement OAuth 2.0 and API key authentication, apply Rate Limiting and throttling, and protect against common API attacks.
Why It Matters
APIs are the primary attack surface for modern applications. Gartner predicts that API abuses will become the most frequent attack vector by 2027. Every public API needs authentication, throttling, and input validation.
Real-World Use
DodaTech's public API handles 10 million requests daily through AWS API Gateway. Each request requires a valid OAuth 2.0 token, requests over 100 per second per client are throttled, and request bodies are validated against a JSON schema before reaching the backend.
API Security Layers
flowchart LR
    Client[API Client] --> Auth["Authentication\nOAuth 2.0 / API Key"]
    Auth --> Rate["Rate Limiting\n100 req/s per client"]
    Rate --> Validate["Request Validation\nJSON Schema / Content-Type"]
    Validate --> Threat["Threat Detection\nSQLi / XSS / Injection"]
    Threat --> Backend[Backend Service]
    Audit["Audit Logging\nEvery Request"] --> Auth
    Audit --> Backend
    style Auth fill:#f90,color:#fff
    style Rate fill:#390,color:#fff
AWS API Gateway Security
API Gateway supports multiple authentication methods including IAM, Cognito, Lambda authorizers, and API keys.
# Create a REST API and capture its ID (used in place of a hard-coded API ID below)
API_ID=$(aws apigateway create-rest-api \
  --name "Secure API" \
  --endpoint-configuration types=REGIONAL \
  --query 'id' --output text)
# Get the root resource ID
ROOT_ID=$(aws apigateway get-resources --rest-api-id "$API_ID" --query 'items[0].id' --output text)
# Create a GET method on the root resource that requires IAM (SigV4-signed) requests
aws apigateway put-method \
  --rest-api-id "$API_ID" \
  --resource-id "$ROOT_ID" \
  --http-method GET \
  --authorization-type AWS_IAM
# A method needs an integration before the API can be deployed; MOCK stands in
# for the real backend here (use HTTP_PROXY or AWS_PROXY for a real service)
aws apigateway put-integration \
  --rest-api-id "$API_ID" \
  --resource-id "$ROOT_ID" \
  --http-method GET \
  --type MOCK \
  --request-templates '{"application/json": "{\"statusCode\": 200}"}'
# Deploy the API; this creates the "prod" stage that the throttling settings refer to
aws apigateway create-deployment \
  --rest-api-id "$API_ID" \
  --stage-name prod
# Output:
# {
#   "id": "abc123def",
#   "stageName": "prod",
#   "createdDate": "2026-06-24T10:00:00Z"
# }
# Enable throttling at the stage level: steady rate 100 req/s, burst capacity 200
aws apigateway update-stage \
  --rest-api-id "$API_ID" \
  --stage-name prod \
  --patch-operations '[
    {"op": "replace", "path": "/*/*/throttling/rateLimit", "value": "100"},
    {"op": "replace", "path": "/*/*/throttling/burstLimit", "value": "200"}
  ]'
# Create a usage plan bound to the prod stage with a per-key throttle and daily quota
PLAN_ID=$(aws apigateway create-usage-plan \
  --name "Standard" \
  --api-stages apiId="$API_ID",stage=prod \
  --throttle '{"rateLimit": 100, "burstLimit": 200}' \
  --quota '{"limit": 1000000, "period": "DAY"}' \
  --query 'id' --output text)
# Issue an API key and attach it to the plan; usage-plan limits are only enforced
# on methods created with --api-key-required
KEY_ID=$(aws apigateway create-api-key --name "standard-client" --enabled --query 'id' --output text)
aws apigateway create-usage-plan-key --usage-plan-id "$PLAN_ID" --key-id "$KEY_ID" --key-type API_KEY
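The stage throttle above sets rateLimit 100 and burstLimit 200. The token-bucket model below is an added example, not code from the guide or from AWS, that shows what those two numbers mean for a single client: the bucket holds at most burstLimit tokens, refills at rateLimit tokens per second, and every request spends one token or is answered with HTTP 429. Client names and the request counts in demo() are constructed; the clock is passed in explicitly so the arithmetic is deterministic.

```python
"""Per-client token bucket modelling API Gateway's rateLimit/burstLimit pair.

Added example (not from the original guide). rateLimit is the steady refill
rate in tokens per second; burstLimit is the bucket capacity.
"""
from __future__ import annotations

RATE_LIMIT = 100.0   # steady-state requests per second (the rateLimit value above)
BURST_LIMIT = 200    # requests accepted at once from an idle client (the burstLimit value above)


class ClientThrottle:
    """One token bucket per client key (API key, token subject or source address)."""

    def __init__(self, rate_limit: float = RATE_LIMIT, burst_limit: int = BURST_LIMIT) -> None:
        self.rate = rate_limit
        self.burst = burst_limit
        # client -> (tokens currently available, timestamp of the last refill)
        self._buckets: dict[str, tuple[float, float]] = {}

    def allow(self, client: str, now: float) -> bool:
        """Return True if the request is admitted, False if it should get HTTP 429."""
        tokens, last = self._buckets.get(client, (float(self.burst), now))
        # Refill in proportion to elapsed time, but never above the burst capacity.
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


def handle_burst(throttle: ClientThrottle, client: str, count: int, now: float) -> tuple[int, int]:
    """Fire `count` requests at the same instant; return (accepted, throttled)."""
    accepted = sum(1 for _ in range(count) if throttle.allow(client, now))
    return accepted, count - accepted


def demo() -> dict[str, tuple[int, int]]:
    """Constructed scenario: one client bursts, waits half a second, bursts again."""
    throttle = ClientThrottle()
    results: dict[str, tuple[int, int]] = {}
    # 250 requests at t=0: the 200-token burst is spent, 50 requests are throttled.
    results["burst_at_t0"] = handle_burst(throttle, "client-a", 250, now=0.0)
    # 0.5 s later 50 tokens have refilled (0.5 s * 100 req/s), so of 60 requests
    # 50 pass and 10 are throttled.
    results["after_half_second"] = handle_burst(throttle, "client-a", 60, now=0.5)
    # Buckets are per client: client-b is unaffected by client-a's exhaustion.
    results["other_client"] = handle_burst(throttle, "client-b", 10, now=0.5)
    return results


if __name__ == "__main__":
    for name, (ok, rejected) in demo().items():
        print(f"{name}: {ok} accepted, {rejected} throttled (429)")
```

The same model explains the usage-plan quota: a quota is simply a second, much larger bucket (1,000,000 tokens per day in the plan above) that is not refilled until the period rolls over.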
Azure API Management
Azure API Management provides a full API Gateway with built-in policies for authentication, Rate Limiting, and transformation.
# Create an API Management instance
az apim create \
  --name prod-apim \
  --resource-group prod-rg \
  --publisher-name DodaTech \
  --publisher-email admin@dodatech.com \
  --sku-name Premium
# Import an API from an OpenAPI spec, fixing its ID so later steps can refer to it
az apim api import \
  --resource-group prod-rg \
  --service-name prod-apim \
  --api-id my-api \
  --path /api/v1 \
  --specification-path ./openapi.json \
  --specification-format OpenApiJson
# Inbound policy: rate limiting (per subscription key), a mandatory Authorization
# header, and OAuth 2.0 enforcement with validate-jwt against the Azure AD tenant.
# Replace tenant-id and the audience placeholder with your own values.
cat > policy.xml <<'EOF'
<policies>
  <inbound>
    <base />
    <rate-limit calls="100" renewal-period="60" />
    <check-header name="Authorization" failed-check-httpcode="401" failed-check-error-message="Not authorized" ignore-case="true" />
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Not authorized">
      <openid-config url="https://login.microsoftonline.com/tenant-id/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://my-api</audience>
      </audiences>
    </validate-jwt>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
EOF
# Apply the policy at API scope through the ARM REST API (az rest); the XML is
# JSON-encoded with jq so it can be sent as the "value" string
SUB_ID=$(az account show --query id --output tsv)
az rest --method put \
  --url "https://management.azure.com/subscriptions/$SUB_ID/resourceGroups/prod-rg/providers/Microsoft.ApiManagement/service/prod-apim/apis/my-api/policies/policy?api-version=2022-08-01" \
  --body "{\"properties\": {\"format\": \"xml\", \"value\": $(jq -Rs . policy.xml)}}"
GCP Apigee
Apigee provides enterprise-grade API management with security policies, analytics, and developer portals.
# Provision the Apigee organization for the project through the Management API
# (one organization per project; runtime hosted by Google, peered with prod-vpc)
TOKEN=$(gcloud auth print-access-token)
curl -s -X POST "https://apigee.googleapis.com/v1/organizations?parent=projects/my-project" \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"name": "my-project", "analyticsRegion": "us-central1", "authorizedNetwork": "prod-vpc", "runtimeType": "CLOUD"}'
# Upload the API proxy bundle; this creates revision 1 of secure-api
curl -s -X POST "https://apigee.googleapis.com/v1/organizations/my-project/apis?name=secure-api&action=import" \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@./api-proxy.zip"
# Rate limiting and OAuth are policy XML files inside the bundle (SpikeArrest, Quota,
# OAuthV2) attached to the proxy endpoint's PreFlow; deploy the revision to prod
gcloud apigee apis deploy 1 \
  --organization my-project \
  --environment prod \
  --api secure-api
# Enable API key verification for every proxy in the environment by attaching the
# shared flow named verify-api-key to the PreProxyFlowHook
curl -s -X PUT "https://apigee.googleapis.com/v1/organizations/my-project/environments/prod/flowhooks/PreProxyFlowHook" \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"sharedFlow": "verify-api-key"}'
API Threat Protection
Validate request sizes, block SQL Injection patterns, and verify content types before they reach backend services.
Common Mistakes
- No authentication on public APIs: APIs without authentication are fully open. Even internal APIs should require at minimum an API key or service account token.
- No Rate Limiting: Without Rate Limiting, a single misbehaving client or DDoS attack can take down the API. Always set per-client rate limits.
- Exposing sensitive data in error messages: Detailed error messages leak stack traces, database schemas, and internal state. Return generic error messages to clients.
- No request validation: JSON schema validation prevents malformed payloads. Always validate request structure, field types, and size limits.
- CORS Misconfiguration: Overly permissive CORS headers allow cross-origin attacks. Restrict CORS to specific trusted origins.
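The threat-protection checks described above (request size, content type, injection patterns) and the mistakes listed here (leaky error messages, missing schema validation, permissive CORS) are combined in the following gateway-side request guard. It is an added example, not code from the guide or from any of the three cloud gateways: the 1 MB limit is taken from the challenge below, while the origin allow-list, the payment schema, the injection signatures and the sample requests in demo() are constructed for illustration. Every rejection is written in full to the audit log, but the client only ever receives a generic error body.

```python
"""Request guard for an API gateway: validate first, answer generically, log in detail.

Added example (not from the original guide). The allow-list, schema, patterns
and sample requests are constructed; tune the patterns to your own false-positive
tolerance before use.
"""
from __future__ import annotations

import json
import re

MAX_BODY_BYTES = 1_000_000                      # 1 MB limit (decimal megabyte), as in the challenge
ALLOWED_ORIGINS = {"https://app.example.com"}   # constructed allow-list; never "*" on a credentialed API
MAX_STRING_LEN = 64

# Minimal schema: required fields and the JSON types they must have.
PAYMENT_SCHEMA: dict[str, type | tuple[type, ...]] = {
    "amount": (int, float),
    "currency": str,
    "reference": str,
}

# Signatures a WAF typically flags (illustrative, not exhaustive).
INJECTION_PATTERNS = [
    re.compile(r"(?i)\bunion\b.+\bselect\b"),
    re.compile(r"(?i)('|\")\s*or\s+\S+\s*=\s*\S+"),
    re.compile(r"(?i)<\s*script\b"),
    re.compile(r"(?i)\b(drop|alter)\s+table\b"),
]

GENERIC_ERROR = {"error": "Bad request"}        # the only detail a client ever sees


def _validate(headers: dict[str, str], body: bytes) -> tuple[int, str] | None:
    """Return None if the request is acceptable, else (status, detailed reason)."""
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, f"origin not allowed: {origin}"
    if not headers.get("Content-Type", "").startswith("application/json"):
        return 400, f"unexpected content type: {headers.get('Content-Type')!r}"
    if len(body) > MAX_BODY_BYTES:
        return 413, f"body too large: {len(body)} bytes"
    try:
        payload = json.loads(body)
    except ValueError as exc:
        return 400, f"malformed JSON: {exc}"
    if not isinstance(payload, dict):
        return 400, "payload is not a JSON object"
    for name, expected in PAYMENT_SCHEMA.items():
        if name not in payload:
            return 400, f"missing field: {name}"
        # bool is a subclass of int in Python, so reject it explicitly for numeric fields
        if isinstance(payload[name], bool) or not isinstance(payload[name], expected):
            return 400, f"wrong type for field {name}"
    for name, value in payload.items():
        if isinstance(value, str):
            if len(value) > MAX_STRING_LEN:
                return 400, f"field {name} exceeds {MAX_STRING_LEN} chars"
            for pattern in INJECTION_PATTERNS:
                if pattern.search(value):
                    return 400, f"injection pattern in field {name}: {pattern.pattern}"
    return None


def guard(headers: dict[str, str], body: bytes, audit_log: list[str]) -> tuple[int, dict]:
    """Return (status, response body); rejections are logged in full, answered generically."""
    verdict = _validate(headers, body)
    if verdict is None:
        return 200, {"status": "accepted"}
    status, reason = verdict
    audit_log.append(f"REJECT {status} {reason}")
    return status, GENERIC_ERROR


def demo() -> tuple[list[tuple[int, dict]], list[str]]:
    """Run constructed sample requests through the guard; return responses and the audit log."""
    audit: list[str] = []
    json_hdr = {"Content-Type": "application/json", "Origin": "https://app.example.com"}
    sample_requests = [
        (json_hdr, b'{"amount": 12.5, "currency": "EUR", "reference": "INV-1001"}'),   # valid
        (json_hdr, b'{"amount": 12.5, "currency": "EUR", "reference": "x\' OR 1=1 --"}'),  # SQLi pattern
        ({"Content-Type": "text/plain"}, b"amount=12"),                                  # wrong content type
        (json_hdr, b'{"amount": "12.5", "currency": "EUR", "reference": "INV-1"}'),     # schema type error
        ({**json_hdr, "Origin": "https://evil.example"}, b'{"amount": 1, "currency": "EUR", "reference": "r"}'),
        (json_hdr, b"{" + b" " * MAX_BODY_BYTES + b"}"),                                 # oversized body
    ]
    responses = [guard(h, b, audit) for h, b in sample_requests]
    return responses, audit


if __name__ == "__main__":
    responses, audit = demo()
    for status, body in responses:
        print(status, body)
    print("\n".join(audit))
```

The order of the checks matters: origin, content type and size are decided on headers alone, so an oversized or wrong-typed body is rejected before any byte of it is parsed, which is what keeps a malformed 1 MB payload from costing the gateway a JSON parse.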
Practice Questions
- What authentication methods does AWS API Gateway support?
- How does Azure API Management enforce Rate Limiting at the API level?
- What security policies does GCP Apigee provide for API protection?
- Why should API request bodies be validated against a schema?
- How does Rate Limiting protect against API abuse?
Challenge
Create a secure API for a payment processing service. Use AWS API Gateway with Cognito user pool authentication, 50 requests per second Rate Limiting per client, JSON schema validation on the request body, and request size limiting to 1 MB. Deploy the API and test with a valid token (getting rate limited) and an invalid token (getting 401). Write the equivalent configuration for Azure API Management.