Zach Probst

Reputation: 63

Encryption in transit between AWS Resources (Lambda and API Gateway)

I am trying to find out whether or not the transmission between API Gateway and Lambda is encrypted with something like TLS. I read through the AWS security whitepapers but I didn't see any indication that it is. If it isn't, how do you go about securely transmitting information between Gateway and Lambda?

Thanks in advance.

Upvotes: 5

Views: 6627

Answers (2)

kichik

Reputation: 34704

I believe the answer is yes.

According to KaHou@AWS, API Gateway invokes Lambda functions using the Lambda Invoke API:

When you configure your Lambda to be able to access your VPC, the Lambda function is still able to be accessed from the public network via the Lambda Invoke API. That is not related to how API Gateway invokes Lambda. Currently, API Gateway is not able to access your private resources inside a VPC.

The Lambda API is only supported on HTTPS according to the AWS Regions and Endpoints documentation.

Since API Gateway uses the Lambda API and the Lambda API is only supported on HTTPS, it makes sense to assume communication between API Gateway and Lambda is encrypted.

Upvotes: 3

moebius

Reputation: 2269

The short answer is yes.

AWS API Gateway provides a number of methods to integrate with Lambda. If you use the Lambda Proxy integration (also known as AWS_PROXY), all requests are proxied "as is" to the endpoint (Lambda):

With the Lambda proxy integration, when a client submits an API request, API Gateway passes to the integrated Lambda function the raw request as-is. This request data includes the request headers, query string parameters, URL path variables, payload, and API configuration data.

This means that, if the client performed an HTTPS request, then the payload will be TLS encrypted through to Lambda. And by default, all APIs created by API Gateway are exposed as HTTPS endpoints only, according to the FAQs:

All of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate.

If you want a further layer of security, you can investigate CloudFront field-level encryption. This allows you to encrypt sensitive data client-side while managing your own encryption keys. This will ensure that the sensitive data remains encrypted end to end. Implementation details can be found here.

Upvotes: 0
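The two answers above reduce to an auditable rule: a Lambda integration (AWS or AWS_PROXY with a Lambda Invoke URI) rides the HTTPS-only Lambda API, whereas an HTTP or HTTP_PROXY integration is only as encrypted as the backend URI it points at. The script below is an added example, not code from either answer or from AWS; it applies that rule to a constructed snapshot shaped like the `type` and `uri` fields that `aws apigateway get-integration` returns, so that the cleartext hops in a REST API can be listed without reading every method by hand. The `resource`/`method` wrapper fields and the sample API are assumptions made for the example.

```python
"""Classify API Gateway REST integrations by whether the hop to the backend is
encrypted.  Added example; the sample API below is constructed, not captured."""
from __future__ import annotations

import re
from dataclasses import dataclass

# URI form API Gateway uses to call the Lambda Invoke API. The service endpoint
# behind it is HTTPS-only, which is the basis of both answers above.
LAMBDA_INVOKE_URI = re.compile(
    r"^arn:aws:apigateway:[a-z0-9-]+:lambda:path/2015-03-31/functions/"
    r"arn:aws:lambda:[a-z0-9-]+:\d{12}:function:[^/]+/invocations$"
)


@dataclass(frozen=True)
class Finding:
    resource: str
    method: str
    verdict: str  # "encrypted", "plaintext", "review", "n/a" or "unknown"
    reason: str


def classify_integration(integration: dict) -> tuple[str, str]:
    """Return (verdict, reason) for one integration's 'type' and 'uri'."""
    itype = integration.get("type")
    uri = integration.get("uri", "")
    if itype in ("AWS", "AWS_PROXY"):
        if LAMBDA_INVOKE_URI.match(uri):
            return "encrypted", "Lambda Invoke API; service endpoint is HTTPS-only"
        # Other AWS service integrations are signed service calls, but this
        # example only vouches for the Lambda path the answers discuss.
        return "review", "non-Lambda AWS service integration; confirm endpoint"
    if itype in ("HTTP", "HTTP_PROXY"):
        if uri.lower().startswith("https://"):
            return "encrypted", "HTTP integration over TLS"
        # A VPC link still carries cleartext if the backend URI is http://.
        return "plaintext", "HTTP integration over cleartext http://"
    if itype == "MOCK":
        return "n/a", "MOCK integration never leaves API Gateway"
    return "unknown", f"unrecognised integration type {itype!r}"


def audit(api_snapshot: list[dict]) -> list[Finding]:
    """Classify every method in a snapshot of {resource, method, integration}."""
    return [
        Finding(entry["resource"], entry["method"], *classify_integration(entry["integration"]))
        for entry in api_snapshot
    ]


def plaintext_findings(api_snapshot: list[dict]) -> list[Finding]:
    """Only the hops a defender needs to fix or justify."""
    return [f for f in audit(api_snapshot) if f.verdict == "plaintext"]


# Constructed snapshot mimicking get-integration output for four methods.
SAMPLE_API = [
    {"resource": "/orders", "method": "POST", "integration": {
        "type": "AWS_PROXY",
        "uri": ("arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
                "arn:aws:lambda:us-east-1:123456789012:function:orders/invocations")}},
    {"resource": "/legacy", "method": "GET", "integration": {
        "type": "HTTP_PROXY", "uri": "http://10.0.12.7:8080/v1/legacy"}},
    {"resource": "/health", "method": "GET", "integration": {"type": "MOCK"}},
    {"resource": "/status", "method": "GET", "integration": {
        "type": "HTTP", "uri": "https://status.example.internal/ping"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_API):
        print(f"{finding.method:5} {finding.resource:10} {finding.verdict:10} {finding.reason}")
```

Against a real API the snapshot would be built from `get-resources` followed by `get-integration` per method; the classification itself does not need credentials, which keeps the check usable in CI on an exported definition.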
