AWS Lambda function Restriction - api

I have a Lambda function exposed as an API via API Gateway. How can I make sure that the Lambda function is called only by the API Gateway and that it cannot be called by any other means, i.e. by bypassing the API Gateway? In my scenario the API Gateway and the Lambda function are sitting in the default system-managed VPC. The Lambda function is configured to internally access resources from some of the private subnets of my VPC.
How do I make sure that the Lambda function cannot be called by bypassing the API Gateway? Please help...
Abhijit

You need to only allow API Gateway to Invoke the Lambda. This can be done via IAM permissions. This link has info about configuring IAM for API Gateway to invoke your Lambda. Only allow this permission and nothing else will be able to invoke the Lambda.
http://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-lambda.html
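
As an added example (not part of the original answer and not AWS's own code), the Python below audits a Lambda resource-based policy, as returned in the `Policy` field of `aws lambda get-policy`, and flags every statement that lets something other than one specific API Gateway API invoke the function. The policy, account ID, API ID and function name are constructed, and the check assumes the standard `aws` partition.

```python
import json
from fnmatch import fnmatchcase

APIGW = "apigateway.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _source_arns(condition):
    # Condition keys are case-insensitive; accept ArnLike and ArnEquals.
    return [arn for op in ("ArnLike", "ArnEquals")
            for key, val in condition.get(op, {}).items()
            if key.lower() == "aws:sourcearn" for arn in _as_list(val)]

def audit_lambda_policy(policy_json):
    """Return (Sid, problem) for each Allow statement that lets anything other
    than one specific API Gateway API invoke the function."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # Treat IAM action wildcards (lambda:*, *) as granting invoke too.
        grants_invoke = any(fnmatchcase("lambda:invokefunction", a.lower())
                            for a in _as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not grants_invoke:
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"} \
                or _as_list(principal["Service"]) != [APIGW]:
            findings.append((sid, "principal is not only API Gateway"))
            continue
        arns = _source_arns(stmt.get("Condition", {}))
        if not arns:
            findings.append((sid, "no aws:SourceArn condition"))
        elif not all(a.startswith("arn:aws:execute-api:") for a in arns):
            findings.append((sid, "aws:SourceArn is not an execute-api ARN"))
    return findings

# Constructed sample policy (account ID, API ID and function name are made up).
FN = "arn:aws:lambda:us-east-1:111122223333:function:orders"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "apigw-scoped", "Effect": "Allow", "Principal": {"Service": APIGW},
     "Action": "lambda:InvokeFunction", "Resource": FN,
     "Condition": {"ArnLike": {"AWS:SourceArn":
         "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/*/GET/orders"}}},
    {"Sid": "apigw-open", "Effect": "Allow", "Principal": {"Service": APIGW},
     "Action": "lambda:InvokeFunction", "Resource": FN},
    {"Sid": "public", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:*", "Resource": FN},
]})

if __name__ == "__main__":
    for sid, problem in audit_lambda_policy(SAMPLE_POLICY):
        print(f"{sid}: {problem}")
```

A clean result covers the resource-based policy only; IAM identities in the same account that hold `lambda:InvokeFunction` in their own identity policies are evaluated separately.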

Related

How to block API call if not from my website?

I have an application built around AWS:
- a Lambda function
- an API Gateway calling the Lambda, which must be called with an API key
- an S3 bucket as a static website, which calls the API Gateway
How can I secure the calls to the API Gateway so that it cannot be called from anywhere but my S3 bucket?
Some solutions have already come to my mind, like:
- proxy: helps hiding the API key, but anyone accessing the proxy can call the API, right?
- IP whitelisting: I can't know the IP range the bucket is using, so I can't do that
Thanks

Securing Cloud Function Using API Gateway

My goal is to prevent users from accessing my cloud function endpoints by using an API key and API gateway. I have successfully deployed the API gateway; however, the original endpoint of each cloud function still exists and is accessible to the public. I want to have the cloud function endpoints private, while having the api gateway endpoints public, but I am not sure how to achieve this. Any suggestions would be great.
You can't hide your Cloud Functions endpoint. In any configuration it will be publicly viewable.
However, you can restrict who has access. In your case, deploy your Cloud Functions in secured mode (set the param --no-allow-unauthenticated or remove allUsers from the permissions section)
Then, deploy your API Gateway with a custom (backend) service account. Grant this service account the permission to invoke Cloud Functions (role: cloudfunctions.invoker).
When you have achieved this, only the API Gateway identity will be allowed to access your Cloud Functions. The users will be able to see and to request the Cloud Functions URL, but they will get a 403 or a 401 error.
EDIT 1
After tests, and with Cloud Functions (I haven't had this case with Cloud Run), the Cloud Functions generated target audience is wrong when you use an additional path in your backend. Here is the conf that I have:
    /function:
      get:
        summary: Greet a user
        operationId: function
        x-google-backend:
          address: https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go
        responses:
          '200':
            description: A successful response
            schema:
              type: string
    /function-path:
      get:
        summary: Greet a user
        operationId: function-path
        x-google-backend:
          address: https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go/path
          jwt_audience: https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go
        responses:
          '200':
            description: A successful response
            schema:
              type: string
The /function uses the root path of the Cloud Functions, no problem to invoke it directly.
The /function-path adds /path to the root path of the Cloud Functions. I guess that API Gateway uses this same full URL (with the /path at the end), which is a wrong audience for the function.
You can override that with the jwt_audience parameter.
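
As an added example (not from the original answer), this Python check walks the `x-google-backend` entries of a spec and reports every Cloud Functions backend whose token audience would not be the function's root URL, which is the 401/403 case described in the edit above. It assumes the `https://REGION-PROJECT.cloudfunctions.net/NAME` URL layout used on this page and, following the answer's guess, that the gateway uses `address` as the audience when `jwt_audience` is absent; the spec is embedded as a dict built from the two routes above.

```python
import copy
from urllib.parse import urlsplit

def function_root(address):
    """Scheme, host and first path segment: the URL the function is deployed at."""
    parts = urlsplit(address)
    name = parts.path.strip("/").split("/")[0]
    return f"{parts.scheme}://{parts.netloc}/{name}"

def audience_mismatches(paths):
    """Return (route, method, audience, expected) for every Cloud Functions
    backend whose ID-token audience would differ from the function root."""
    problems = []
    for route, methods in paths.items():
        for method, op in methods.items():
            if not isinstance(op, dict):
                continue  # path-level keys such as "parameters"
            backend = op.get("x-google-backend", {})
            address = backend.get("address", "")
            if not urlsplit(address).netloc.endswith(".cloudfunctions.net"):
                continue
            expected = function_root(address)
            # Assumption: without jwt_audience the gateway uses the address.
            audience = backend.get("jwt_audience", address).rstrip("/")
            if audience != expected:
                problems.append((route, method, audience, expected))
    return problems

# The two routes from the configuration above, as a Python dict.
BASE = "https://us-central1-gdglyon-cloudrun.cloudfunctions.net/gdg-go"
PATHS = {
    "/function": {"get": {"operationId": "function",
                          "x-google-backend": {"address": BASE}}},
    "/function-path": {"get": {"operationId": "function-path",
                               "x-google-backend": {"address": BASE + "/path",
                                                    "jwt_audience": BASE}}},
}

def without_override(paths):
    """Copy of the spec with every jwt_audience removed (the failing case)."""
    stripped = copy.deepcopy(paths)
    for methods in stripped.values():
        for op in methods.values():
            op["x-google-backend"].pop("jwt_audience", None)
    return stripped

if __name__ == "__main__":
    print("as configured:", audience_mismatches(PATHS))
    print("override removed:", audience_mismatches(without_override(PATHS)))
```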

How to control access of resources in amazon api gateway through API Keys

I have deployed an API through Amazon API Gateway and I know it is possible to control access of GET/POST methods of resources through IAM user policies. This is mentioned here: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html
For every new client I don't want to create a new AWS user every time and assign new policies of access control. I want to create new API keys (controlled by Amazon API Gateway) for every new client and want to restrict resources through that. Is there any way to do so?
Please help.
API keys cannot be used for authorization purposes. API keys only provide a boolean choice whether access to this endpoint is allowed or not (it cannot differentiate per user).
To implement authorization you have to use IAM or CustomAuthorizer functions.
AWS documentation on that topic:
"API keys are not meant as a security mechanism for controlling access to an API. To enable secure access control, use IAM permissions, custom authorizers or an Amazon Cognito User Pool."
Try with Cognito with an authenticated role.

How to make an API only accessible through AWS API Gateway?

I've built an API with Spring Boot and deployed it into an AWS EC2 instance. I want to make this Spring Boot API accessible only through AWS API Gateway. I mean no one could bypass AWS API Gateway and call that API directly. I want to do this in order to be able to apply some policies like throttling and others.
Is it possible to make that API receive calls through AWS API Gateway only?
Your current best option to achieve this is to use the Client-Side SSL feature of API Gateway: http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Note that if you front your EC2 instances with an ELB you will need to set them to TCP mode and terminate SSL on your EC2 instances.

Can AWS MFA work as follows?

In order to log into AWS MFA is required. But if I had a program running on an EC2 instance that invoked AWS services via API calls, would such a program also need to authenticate using MFA or would this not be required because we are already "in?"
MFA is only required when logging into the AWS web console with a username/password. When you make API calls you would use an IAM access key, or even better (since your program is running on EC2) an IAM instance profile, which doesn't require MFA.
API calls can be made to require MFA as well using an IAM policy. However, if you were to deploy such a policy, you could also exclude VPC-internal subnets from the MFA requirement so that MFA would only be required when accessing the AWS API endpoints from the outside.
Here's a link to my repository which contains an example enforcement policy (see example-mfa-policies/EnforceMFA.txt): https://github.com/vwal/awscli-mfa