olivarra1

Reputation: 3399

Prevent AWS Lambda flooding

I'm considering moving my service from a VPS to AWS Lambda + DynamoDB to use it as a FaaS, because it's basically 2 API GET calls that fetch info from the database and serve it, and the normal use of those API calls is really rare (about 50 times a week).

But it makes me wonder... As I can't set up a limit on how many calls I want to serve each month, some attacker could theoretically flood my service by calling it a couple thousand times a day and make my AWS bill extremely expensive. Setting up a limit per month wouldn't be a nice idea either, because the attacker could flood the first day and I wouldn't have more requests to serve. The ideal thing would be to set up a limit on request rate per client.

Does anyone know how I could protect it? I've seen that AWS also offers a firewall, but that's for CloudFront. Isn't there any way to make it work with Lambda directly?

Upvotes: 1

Views: 462

Answers (2)

jarmod

Reputation: 78563

Two options spring to mind:

  1. place API Gateway in front of Lambda so that API requests have to be authenticated. API Gateway also has built-in throttles and other useful features.

  2. invoke the Lambda directly, which will require the client invoking the Lambda to have the relevant IAM credentials.

Upvotes: 0

Ashan

Reputation: 19728

You can put AWS CloudFront in front of API Gateway and Lambda so that the traffic is served to the outside through CloudFront.

In addition, by configuring AWS WAF with rate-based blocking, it is possible to block high frequencies of access by attackers.

However, when configuring AWS CloudFront in front of API Gateway and Lambda, you also need to restrict direct access to API Gateway (since API Gateway is publicly accessible by default). This can be achieved in the following ways.

  • Enable API Keys for API Gateway and use the API Key in the AWS CloudFront origin custom headers.
  • Use a Token Header and Verify it using a Custom Authorizer Lambda function.

Upvotes: 3
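Both jarmod's first option (API Gateway only forwarding authenticated requests to Lambda) and Ashan's second bullet (a token header checked by a custom authorizer) come down to the same piece: a Lambda REQUEST authorizer that inspects a header and returns an IAM policy for API Gateway. The following is an added example and not code from either answer. It assumes a header named `x-origin-secret` that CloudFront injects as an origin custom header, a secret read from the `ORIGIN_SECRET` environment variable (with a constructed fallback so the example runs offline), and a constructed method ARN. Comparison uses `hmac.compare_digest` so that a wrong token cannot be distinguished from a nearly-right one by response timing; a `Deny` policy produces a 403 for anything that bypasses CloudFront and hits the API Gateway endpoint directly.

```python
"""Lambda REQUEST authorizer: admit only requests carrying the secret header
that CloudFront adds to the origin request (example, not the answers' code)."""
import hmac
import os

# Assumed header name and secret source; the fallback value is a constructed
# example secret so the module runs outside AWS. Never hard-code a real secret.
SECRET_HEADER = "x-origin-secret"
ORIGIN_SECRET = os.environ.get("ORIGIN_SECRET", "constructed-example-secret")


def build_policy(principal_id, effect, method_arn):
    """Return the policy document shape API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": effect,
                    "Resource": method_arn,
                }
            ],
        },
    }


def header_value(headers, name):
    """Case-insensitive header lookup: clients and CloudFront may differ in case."""
    for key, value in (headers or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def lambda_handler(event, context=None):
    """Entry point for the REQUEST authorizer.

    Allow when the header matches the configured secret, Deny otherwise.
    Raising Exception("Unauthorized") instead of returning Deny would yield a
    401 rather than a 403; returning a policy keeps the decision cacheable.
    """
    presented = header_value(event.get("headers"), SECRET_HEADER)
    method_arn = event.get("methodArn", "*")
    if presented is not None and hmac.compare_digest(
        presented.encode("utf-8"), ORIGIN_SECRET.encode("utf-8")
    ):
        return build_policy("cloudfront-origin", "Allow", method_arn)
    return build_policy("anonymous", "Deny", method_arn)


if __name__ == "__main__":
    # Constructed sample event in the shape API Gateway sends to a REQUEST authorizer.
    sample = {
        "type": "REQUEST",
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/GET/items",
        "headers": {"X-Origin-Secret": "constructed-example-secret"},
    }
    print(lambda_handler(sample)["policyDocument"]["Statement"][0]["Effect"])
```

Configure the authorizer with the header as its identity source so API Gateway caches the verdict per header value, and rotate the secret by updating both the CloudFront origin custom header and the Lambda environment variable. Per-client rate limiting, which the question asks for, comes from the API key plus usage plan in Ashan's first bullet rather than from the authorizer itself.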
