Configuring a Custom Domain Name for API Gateway with AWS Certificate Manager and Route 53

SecureCart, an e-commerce platform, is deploying a REST API to support: ✅ Customer orders ✅ Product catalog access ✅ Checkout processing

The SecureCart engineering team wants to ensure that all API communications are secure and user-friendly, using a custom domain and SSL/TLS encryption.

🔹 SecureCart API Security Requirements

• HTTPS enforcement → API traffic must be encrypted using an SSL/TLS certificate.

• Branded API domain → SecureCart wants to use api.securecart.com instead of AWS’s default API Gateway URL.

• Scalability → The solution must support millions of API requests per day with minimal latency.

• DNS Management → The API must be discoverable and accessible through Amazon Route 53.

🔹 Step-by-Step SecureCart Implementation

1️⃣ Request a Public SSL/TLS Certificate in AWS Certificate Manager (ACM)

SecureCart requests a public certificate for api.securecart.com to enable HTTPS.

✅ Steps

1. Navigate to AWS Certificate Manager (ACM).

2. Click Request a Certificate → Request a Public Certificate.

3. Enter Domain Name → api.securecart.com.

4. Choose DNS Validation (Recommended).

5. Click Request and validate by adding the CNAME record in Route 53.

6. Once validated, the certificate status updates to "Issued".

🔹 Why is ACM used?

✔ Free certificate management – No manual renewal required. ✔ Seamless integration – Works natively with API Gateway.

2️⃣ Associate SSL Certificate with API Gateway

SecureCart configures Amazon API Gateway to use api.securecart.com as its custom domain.

✅ Steps

1. Navigate to API Gateway → Custom Domain Names.

2. Click Create → Enter api.securecart.com.

3. Select Endpoint Configuration:

   • Regional (used in this case)

   • Edge-Optimized (for better global performance)

4. Choose ACM Certificate issued for api.securecart.com.

5. Click Create.

🔹 Why configure API Gateway with a custom domain?

✔ Branding & consistency → Uses api.securecart.com instead of xyz.execute-api.amazonaws.com. ✔ Secure API traffic → Ensures TLS-encrypted communication.

3️⃣ Create Route 53 Alias Record for SecureCart API

SecureCart uses Amazon Route 53 to route traffic to the API Gateway domain.

✅ Steps

1. Navigate to Amazon Route 53 → Hosted Zones.

2. Select securecart.com.

3. Click Create Record:

   • Record Name: api.securecart.com

   • Type: A (Alias)

   • Alias Target: Select the API Gateway regional domain name.

4. Click Create Record.

🔹 Why use Route 53 Alias Records?

✔ Eliminates manual IP management – Automatically maps to API Gateway. ✔ Optimized latency – Route 53 efficiently directs users to the nearest endpoint.

🔹 SecureCart Security Enhancements

To further secure API Gateway, SecureCart implements: ✔ AWS WAF (Web Application Firewall) – To prevent SQL injection & DDoS attacks. ✔ IAM Authorization – Restricts API access using IAM roles & policies. ✔ API Gateway Throttling – Protects against abuse & excessive requests. ✔ CloudTrail Logging – Monitors API activity for security auditing.

🚀 Summary

✔ SecureCart configures API Gateway with a custom domain (api.securecart.com). ✔ Uses AWS Certificate Manager (ACM) to enable HTTPS. ✔ Amazon Route 53 routes traffic securely to API Gateway. ✔ Enhances security with AWS WAF, IAM Policies, and API throttling.