AWS Lambda, AWS API Gateway and Securing REST endpoints

Question

I am considering implementing a service as a series of REST endpoints on AWS Lambda and possibly AWS API Gateway. The front end would be a JS browser client that calls these endpoints directly, eliminating the need for a middle tier.

In my research, what I can't seem to find is, how do I secure access to the calls to people who are "logged in" so to speak? I see Lambda calls are stateless, so no session data. I don't need session data, other than to know they are authenticated and in same cases authorized to access a particular endpoint. There will be a database (DynamoDB or RDS) so if I need session data I could create it.

Is there a way to do this? I realize I could pass their username and password with each API call, but it seems there must be a better way.

Also, this would probably be implemented in Java. Could I use Spring Security?

Answer 1

I don't think you want to use Spring Security in a Lambda function. I can't imagine that working very well, and I doubt it would work at all. Even if it could run on Lambda it would definitely add more to your function's cold startup time than you are going to want to deal with.

The recommended way to provide user authentication checking to stateless services is through the use of JWT (JSON Web Tokens). Auth0 provides a good general article about JWT here, as well as a tutorial on using Auth0 with API Gateway and Lambda here. Even if you don't use Auth0 I think the second tutorial is useful for understanding how to perform user authentication on API Gateway and Lambda.

You can also use API Gateway Custom Authorization functions, which allow you to encapsulate all your authentication code in one Lambda function that acts like a "gatekeeper" to your API endpoints. I would recommend using a Custom Authorization Lambda function to validate the JSON web tokens submitted to your API.