
If consumers of my API have their software on AWS, their IP address is subject to change if they are scaling their services horizontally (adding more machines).

This means that I can't whitelist a single IP address to ensure only the trusted consumer is able to access my API, as it will be constantly changing if I understand AWS correctly.

How can this be managed?

Umair
  • Sorry, this is off-topic because you're asking advice for a very specific problem with a very specific tool (AWS). You'll probably find an answer on Stackoverflow or Superuser. – marstato Jan 13 '20 at 12:13
  • implement authorisation – Ewan Jan 13 '20 at 13:33
  • @Ewan while I totally agree that proper authorisation trumps IP whitelisting in all aspects, OP might well be subject to a nonfunctional requirement to implement IP whitelisting. Some regulations or policies of large corporations call for it. – marstato Jan 13 '20 at 15:47
  • @marstato sure, but in this case the IP can change, so you manage by authorisation – Ewan Jan 13 '20 at 15:50
  • A non-functional requirement doesn't care what your underlying platform supports or doesn't. If such a non-functional requirement is in place, the relevant legal and/or security department will just tell you "well, bad luck for you then, don't use AWS if it doesn't meet the requirements". And they'd be right. – marstato Jan 14 '20 at 08:44

1 Answer


As @Ewan already noted, IP whitelisting is pretty much the wrong tool for the job; proper authentication is the correct solution.

In specific cases where it's only one IP address that can change occasionally, pointing a domain name at it may help. Your service will need to map names to IP addresses to check on access, and keep some slack since DNS updates are not instantaneous, and it doesn't scale well to multiple client machines.

So just use authentication and be done with it.

Hans-Martin Mosner
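To make the answer's point concrete, here is an added example (not code from the question or the answer above) of per-consumer request authentication in which trust is tied to a shared secret rather than to the caller's source address. Each consumer signs the method, path, a timestamp and a hash of the body with an HMAC; the server verifies the signature and rejects stale requests, and never consults the client IP. A plain IP allowlist check is included alongside it only to show the brittleness the question describes. The consumer id, key, paths and header names are all constructed for this example.

```python
"""Request authentication that does not depend on the caller's IP address.

A consumer holds a shared secret and signs every request with an HMAC over
the method, path, timestamp and body digest. The server checks the signature
and the timestamp window, so the consumer may call from any number of
machines with any addresses. Everything below is constructed for the example.
"""
import hashlib
import hmac
import time

# Constructed consumer registry: consumer id -> shared secret. In a real
# deployment this comes from a secrets store; the client holds only its own key.
CONSUMER_KEYS = {
    "acme-billing": bytes.fromhex("3f9a" * 16),
}

# Maximum age (seconds) of a signed request before it is rejected as stale.
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, timestamp, body):
    """Bytes both sides sign: method, path, timestamp and SHA-256 of the body."""
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_digest}".encode()


def sign_request(consumer_id, method, path, body, timestamp):
    """Client side: produce the headers that accompany the request."""
    key = CONSUMER_KEYS[consumer_id]
    mac = hmac.new(key, canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {
        "X-Consumer-Id": consumer_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": mac.hexdigest(),
    }


def verify_request(headers, method, path, body, now=None):
    """Server side: return (ok, reason). The source IP is never consulted."""
    now = time.time() if now is None else now
    consumer_id = headers.get("X-Consumer-Id")
    key = CONSUMER_KEYS.get(consumer_id)
    if key is None:
        return False, "unknown consumer"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"
    expected = hmac.new(key, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the expected signature through timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


def allow_by_ip(client_ip, allowlist):
    """The approach from the question: trust is tied to the address, so a
    consumer that scales out onto a new machine is rejected."""
    return client_ip in allowlist


if __name__ == "__main__":
    body = b'{"invoice": 42}'
    hdrs = sign_request("acme-billing", "POST", "/v1/invoices", body, int(time.time()))
    print(verify_request(hdrs, "POST", "/v1/invoices", body))          # (True, 'ok')
    print(verify_request(hdrs, "POST", "/v1/invoices", body + b" "))   # (False, 'bad signature')
    print(allow_by_ip("10.0.0.7", {"10.0.0.5"}))                       # False
```

The signed request verifies identically whether it arrives from one machine or from a freshly launched one, which is exactly why the answer prefers authentication over address-based filtering; the timestamp window bounds how long a captured signature stays usable, and a per-request nonce cache can be added if strict replay rejection is required.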