You are a solutions architect working for a healthcare provider.
Your company uses REST APIs to expose critical patient data to internal front-end systems used by doctors and nurses.
The data for your patient information is stored in Aurora. How can you ensure that your patient data REST endpoint is only accessed by your authorized internal users? (Select TWO)
Correct Answers: C and D.
Option A is incorrect.
Controlling access to your back-end database running on Aurora will not restrict access to your API Gateway REST endpoint.
Access to your API Gateway REST endpoint must be controlled at the API Gateway and VPC level.
Option B is incorrect.
Gateway VPC endpoints exist only for Amazon S3 and Amazon DynamoDB; reaching API Gateway privately requires an interface VPC endpoint.
Option C is correct.
You can make your REST API private (endpoint type PRIVATE) and use the aws:SourceVpce condition in its API Gateway resource policy so that execute-api:Invoke is permitted only for requests that arrive through your VPC endpoint. A private API cannot be invoked at all until a resource policy grants access, so this policy is required, not optional.
Option D is correct.
Create an interface VPC endpoint (AWS PrivateLink) for the execute-api service in the VPC that hosts your front-end systems. Together with the PRIVATE endpoint type, this keeps API traffic on the VPC endpoint instead of the public internet.
Option E is incorrect.
The aws:SourceArn condition key is not set for client requests arriving through a VPC endpoint, so it cannot restrict access to that traffic. The condition keys API Gateway resource policies support for network-based restrictions are aws:SourceVpc, aws:SourceVpce, aws:SourceIp and aws:VpcSourceIp.
References:
Amazon API Gateway developer guide: Creating a private API in Amazon API Gateway (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html)
Amazon API Gateway developer guide: Example: Allow private API traffic based on source VPC or VPC endpoint (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html#apigateway-resource-policies-source-vpc-example)
Amazon Aurora user guide: Amazon Aurora security (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.Security.html)
Amazon Aurora user guide: Amazon Aurora DB clusters (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.html)
Amazon Aurora user guide: Aurora DB instance classes (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.DBInstanceClass.html)
Amazon API Gateway developer guide: AWS condition keys that can be used in API Gateway resource policies (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-aws-condition-keys.html)
Amazon Virtual Private Cloud, AWS PrivateLink: VPC endpoints (https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html)
As a healthcare provider, it is essential to secure patient data and ensure that only authorized internal users can reach it. The controls that actually restrict who can invoke the REST endpoint are applied at the API Gateway and VPC layer, not at the database. Taking each option in turn:
A. Restricting the Aurora DB cluster is not enough: Aurora is a managed service, so you do not run it on an EC2 instance. Placing the DB cluster in private subnets and limiting its security group to the API's back-end integration is good practice, but it controls who can reach the database, not who can invoke the REST endpoint. A caller who can reach a public execute-api endpoint is never stopped by the database's security group.
B. A Gateway VPC Endpoint cannot be used: gateway endpoints exist only for Amazon S3 and Amazon DynamoDB, so they offer no private path to API Gateway.
C. Use an API Gateway resource policy with the aws:SourceVpce condition: a private API is only invocable when its resource policy allows it, so attach a resource policy that allows execute-api:Invoke only when aws:SourceVpce equals the ID of your interface endpoint and, following the AWS example policy, explicitly denies everything else. The endpoint provides the private network path; the policy refuses requests that arrive any other way.
D. Use an Interface VPC Endpoint to make your REST endpoint private: create an interface VPC endpoint (AWS PrivateLink) for the execute-api service in the VPC that hosts the front-end systems, and deploy the API with the PRIVATE endpoint type. The API is then unreachable from the public internet and traffic from the doctors' and nurses' front-end systems stays inside your VPC.
E. aws:SourceArn does not work here: that key carries the ARN of a resource making a service-to-service request and is not set for client requests arriving through a VPC endpoint, so it cannot restrict access to that traffic.
In summary, to ensure the patient data REST endpoint is reached only by authorized internal users, make the API private behind an interface VPC endpoint and lock it to that endpoint with an aws:SourceVpce condition in the resource policy. These controls restrict where requests may come from; authenticating the individual doctor or nurse is still the job of the API's authorizer (IAM, Amazon Cognito or a Lambda authorizer), which is a separate layer on top of the network restriction.
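As an added example, not taken from the original page or from AWS, here is the option C resource policy (the Deny-unless-aws:SourceVpce pattern that the AWS example policy uses) built in Python, together with a small evaluator that applies simplified IAM decision rules to constructed request contexts. It shows concretely why the same policy admits the front-end system behind your endpoint but refuses a caller from the internet or from some other VPC's endpoint. The endpoint ID vpce-0a1b2c3d4e5f67890, the IP addresses and the request contexts are assumed values; real requests would carry whatever API Gateway populates.

```python
"""Added example: an API Gateway resource policy locked to one interface VPC
endpoint, plus a small evaluator showing how IAM decides each request.

Not from the original page or from AWS; the endpoint ID and the request
contexts below are constructed for illustration.
"""
import json

ASSUMED_VPCE_ID = "vpce-0a1b2c3d4e5f67890"  # assumed; substitute your endpoint ID


def build_resource_policy(vpce_id: str) -> dict:
    """Deny any invoke that did not arrive via vpce_id, then allow the rest.

    This is the Deny + Allow pattern AWS documents for private APIs: the
    explicit Deny wins whenever aws:SourceVpce is missing (public caller)
    or names a different endpoint.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": ["execute-api:/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": ["execute-api:/*"],
            },
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate StringEquals / StringNotEquals against the request context.

    Mirrors the one IAM corner that matters here: when the context key is
    absent, StringNotEquals evaluates TRUE (so a Deny built on it fires) and
    StringEquals evaluates FALSE.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate_invoke(policy: dict, context: dict) -> str:
    """Return 'Allow' or 'Deny' for execute-api:Invoke under the policy.

    Simplified IAM evaluation: a matching explicit Deny is final, otherwise a
    matching Allow permits, otherwise the request is implicitly denied.
    Principal and Resource matching are not modelled (both are '*' here).
    """
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if stmt["Action"] != "execute-api:Invoke":
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any Allow
        decision = "Allow"
    return decision


# Constructed request contexts, shaped like the keys API Gateway populates.
REQUESTS = {
    "front-end via our endpoint": {"aws:SourceVpce": ASSUMED_VPCE_ID,
                                   "aws:SourceIp": "10.0.12.34"},
    "caller via another VPC's endpoint": {"aws:SourceVpce": "vpce-0ffffffffffffffff",
                                          "aws:SourceIp": "10.9.0.7"},
    "internet caller (no endpoint)": {"aws:SourceIp": "203.0.113.5"},
}


def decisions(vpce_id: str = ASSUMED_VPCE_ID) -> dict:
    """Map each constructed request to the policy's Allow/Deny verdict."""
    policy = build_resource_policy(vpce_id)
    return {name: evaluate_invoke(policy, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(build_resource_policy(ASSUMED_VPCE_ID), indent=2))
    for name, verdict in decisions().items():
        print(f"{verdict:5}  {name}")
```

The explicit Deny statement is what makes the policy robust: if a later edit adds a broad Allow (for example to let a partner account in), the Deny still refuses anything that did not come through your endpoint, because an explicit Deny always wins in IAM evaluation. To test the real thing rather than this model, attach the JSON that build_resource_policy prints to the private API and call it once from inside the VPC and once from outside.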