This article explains how to protect APIs by building a perimeter security layer using CloudFront, AWS WAF, and Shield in front of API Gateway endpoints.

• CloudFront, AWS WAF, and Shield provide layered edge-based DDoS and application protection
• Lambda@Edge signs requests with AWS Signature Version 4 before forwarding to API Gateway
• API Gateway IAM authorization validates signatures and restricts access to CloudFront only
• AWS WAF managed rules protect against common vulnerabilities, bots, and application layer attacks
• Rate-based rules block IPs exceeding defined thresholds to prevent request floods
• Shield Advanced provides enhanced DDoS detection, mitigation, and automatic rule generation
• Solution supports REST, HTTP, and WebSocket API endpoints
• Temporary credentials via AWS STS eliminate long-term secret management overhead

This approach provides DDoS-resilient API protection by combining edge acceleration, WAF filtering, and cryptographic request signing to prevent unauthorized direct access to API Gateway.