Reputation: 8172
How to secure an AWS Lambda function?
I have a simple Lambda function which sends emails through SES. I can call it using a POST request with the required data and it will send an email. My question is, what are the methods I can use to secure this function? Currently, anyone can call that endpoint and execute the function with any data.
Upvotes: 6
Views: 2046
Answers (1)
Reputation: 30770
You need to set an authorizer for your API Gateway. This tutorial is a great start point.
In summary, you need to:
- Create a Cognito User Pool
- Create a Cognito Identity Pool that uses this User Pool
- Make the client to log in and retrieve Cognito credentials
- Make the client to send authorization headers for all requests
- Set an authorizer in your Lamba function
Your serverless.yml will look like this with the authorizer configuration:
functions:
hello:
handler: handler.hello
events:
- http:
path: hello
method: post
authorizer:
arn: YOUR_USER_POOL_ARN
You don't need to be restricted to a Cognito authorizer. You can use configure an authorizer for Google+, Facebook, etc.
This setting means that the Lamba function will be triggered only by authenticated users and you can identify what is the User ID by inspecting the event object:
event.requestContext.authorizer.claims.sub
Upvotes: 12
Related Questions
- How do I limit access to my Netlify Serverless function
- Protecting lambda function urls from abuse attacks?
- What is the simplest way to secure my lambda's functionURL?
- How to restrict access to a lambda
- How to secure a publicly available lambda function?
- How to secure an endpoint that is accessed by unauthenticated users in a serverless application
- Severless Function using Lambda AWS
- Can we use plugins like Helmet.js and body-parser to secure a serverless function? If not, any alternatives?
- Secure AWS API Gateway with Lambda Integration
- AWS Lambda for unsafe user scripts with node.js?