
How to secure an AWS Lambda function?

I have a simple Lambda function which sends emails through SES. I can call it using a POST request with the required data and it will send an email. My question is, what are the methods I can use to secure this function? Currently, anyone can call that endpoint and execute the function with any data.

THpubs asked Jun 26 '17 14:06



1 Answer

You need to set an authorizer for your API Gateway. This tutorial is a great starting point.

In summary, you need to:

  1. Create a Cognito User Pool
  2. Create a Cognito Identity Pool that uses this User Pool
  3. Make the client log in and retrieve Cognito credentials
  4. Make the client send authorization headers for all requests
  5. Set an authorizer in your Lambda function

Your serverless.yml will look like this with the authorizer configuration:

functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: post
          # API Gateway validates the caller's Cognito token against this
          # user pool and rejects the request before the function runs
          authorizer:
            arn: YOUR_USER_POOL_ARN

You don't need to be restricted to a Cognito authorizer. You can configure an authorizer for Google+, Facebook, etc.

This setting means that the Lambda function will be triggered only by authenticated users and you can identify the User ID by inspecting the event object:

event.requestContext.authorizer.claims.sub
Zanon answered Oct 16 '22 10:10
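The function side of this setup, as an added example that is not part of the original answer: a Node.js handler that reads the Cognito claims the API Gateway authorizer attaches to the event, returns 401 for any invocation that did not pass through the authorizer, validates the POST body before building the message, and stamps each email with the caller's subject so it is attributable. The function names, the size limits and the injected sendEmail callback are assumptions.

```javascript
// Added example, not from the original answer. Function names, size limits and the
// injected sendEmail callback are assumptions made for illustration.

// Identity the Cognito authorizer attached to the request, or null if the request
// did not pass through the authorizer (e.g. a direct, unauthenticated invocation).
function getAuthenticatedUser(event) {
  const ctx = event && event.requestContext;
  const claims = ctx && ctx.authorizer && ctx.authorizer.claims;
  if (!claims || typeof claims.sub !== 'string' || claims.sub.length === 0) {
    return null;
  }
  return { sub: claims.sub, email: typeof claims.email === 'string' ? claims.email : null };
}

// Validate the POST body so that even an authenticated caller cannot turn the
// function into an open relay: one sane recipient and bounded subject/text sizes.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
function parseRequest(body) {
  let data;
  try {
    data = JSON.parse(body || '{}');
  } catch (e) {
    return { error: 'body is not valid JSON' };
  }
  if (typeof data.to !== 'string' || !EMAIL_RE.test(data.to)) return { error: 'invalid "to"' };
  if (typeof data.subject !== 'string' || data.subject.length > 200) return { error: 'invalid "subject"' };
  if (typeof data.text !== 'string' || data.text.length > 10000) return { error: 'invalid "text"' };
  return { to: data.to, subject: data.subject, text: data.text };
}

// sendEmail is injected (assumed signature: async (message) => void) so the handler
// runs offline; in a deployment it would wrap SES SendEmail with a verified source.
async function handler(event, sendEmail) {
  const user = getAuthenticatedUser(event);
  if (!user) return { statusCode: 401, body: JSON.stringify({ error: 'not authenticated' }) };
  const req = parseRequest(event.body);
  if (req.error) return { statusCode: 400, body: JSON.stringify({ error: req.error }) };
  // Stamp the message with the Cognito subject so every email is attributable
  // to an authenticated user in the SES call and in the function's logs.
  const message = { to: req.to, subject: req.subject, text: req.text, sentBy: user.sub, replyTo: user.email };
  console.log(JSON.stringify({ action: 'send_email', sentBy: user.sub, to: req.to }));
  await sendEmail(message);
  return { statusCode: 200, body: JSON.stringify({ sentBy: user.sub }) };
}

// Export for the Lambda runtime (CommonJS); guarded so the file also loads as an ES module.
if (typeof module !== 'undefined') module.exports = { getAuthenticatedUser, parseRequest, handler };
```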