I have a simple control panel hosted on AWS s3 as a static website. It simply has buttons that make AJAX POST requests to an API Gateway / Lambda endpoint and then displays the response. This Lambda function has authorization to launch new EC2 instances, terminate some instances, and run scripts on existing instances through SSM, so it's important that this control panel is password protected in some way.
Note that no sensitive data is actually transmitted so I don't think that using TLS is strictly required (and I'm not even sure how you'd do that on s3?). But the API requests made need to have some sort of authorization token.
I'm not really sure what to do here -- solutions like JWT seem quite overkill. I just want a single, static password that I can give to my friends so they can access this control panel and make valid requests. No users / registration required.
I think simply protecting the site itself isn't a solution because the API Gateway endpoint is still public (although maybe not -- can I set the API to only accept requests from the s3 site?). There needs to be some token sent with the POST requests that authorizes each individual request and the token needs to change to prevent replay attacks.
Thanks,
