I have a lambda function which is accessible via the AWS API, I have got a link from the API which if hit will call the Lambda function, how do I restrict the access to this link such that it's not accessible to public?
AWS API Gateway provides a way to restrict access to the resources.
You just need to enable it in API Gateway Console.
Click on the resource method -> Method Request -> Settings -> Authorization
And select AWS_IAM
Then you can access the API with access key and secret key only.
AWS Documentation for your reference.
Screenshots for your reference
Related
I have an API Gateway which is connected to a Lambda Function. And In the Method Request for a particular POST Method, I want some restricted people only to be able to call the Method.
One way I can implement that is by explicitly passing a token in the request body which I can provide to every authenticated user and then checking if a token is present in the method. Also, I saw Authorization : AWS_IAM in the Method Request details.
I am new to AWS and cannot figure out how to call the API with AWS_IAM authorization via an external Application using the URL we get after deploying the API ?
I want some restricted people only to be able to call the Method
One way of doing this is by means of API keys:
API keys are alphanumeric string values that you distribute to application developer customers to grant access to your API.
In your question you wrote about "explicitly passing a token in the request body" but it was not clear if you want to implement such a solution yourself, or use the solution provided by API Gateway (i.e. API keys)
The IAM authentication for API Gateway APIs will require to create IAM group or IAM users for those "restricted people" in your AWS Account. General steps for that are explained here:
Control access for invoking an API
How do I enable IAM authentication for API Gateway APIs?
I suggest to do this using the API Gateway Authorizers and create a Cognito Authorizer as you are already using a token of the Authenticated user you can achieve this by:
Go to your API gateway select Authorizers from the left menu.
Click on create Authorizer.
After clicking create Authorizer you will have the below screen that will give you the ability to add your existing Cognito user pool and add "Authorization" as token source.
After setting up your Authorizer you will be able to use the "idToken" returned by Cognito after an authentication and pass it in your API request as Authorization header(BEARER token).
Click on your Resources in your API Gateway and choose your lambda function and under Method Request you will be able to assign your created authorizer under (Settings -> Authorization).
I have a lambda function exposed via API gateway but when I try to request it using fetch it is saying that I am forbidden to access it. How do I allow my function to call another function via API gateway?
There can be multiple reasons for it.
Check whether your API gateway endpoint is open or not. While specifying trigger for lambda you must have selected one option for security. You can edit this in API gateway Method Execution tab under Authorization Settings, select Authorization : None and API key required: false
You might not have enabled CORS on your api and due to that your api is not available on cross regions.
Your api gateway is not having access to lambda function. You can do that by attaching IAM role to your API gateway API which can trigger your lambda function.
I have created a REST API using lambda and API gateway.
I want to give access for this API to another lambda function which is running in another AWS account.
I was thinking to create IAM based authorisation for this API. But I am not sure if this cross-AWS account based IAM authorisation is feasible?
Any better suggestions?
You can assume a role in the target account and then invoke the lambda directly using the temporary credentials. This method does not require an integration with API gateway.
You can also use IAM Authentication from anywhere if the API is publicly available. You will have to store the designated credentials.
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/
I would like to secure a public lambda on my website. The users will not be authenticated when they access it. Any ideas how to do this ?
Jim
Amazon Lambda functions are not available to the public without authorization. Invoking Lambda requires AWS credentials. Unauthenticated users cannot directly access Lambda. The exception is if you are using API Gateway in front of your Lambda functions.
Access to AWS Lambda requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as an AWS Lambda function or an Amazon S3 bucket.
Authentication and Access Control for AWS Lambda
Control Access in API Gateway
This link would be helpful with screenshots given.
Fix the issue using this link
Ideally issue is that access is give with * in resources or any of the policy statement which is causing this issue.
My application uses Cognito user pools to restrict access so that each user may access their own personal folder read/write in a "private" bucket. In a "public" bucket it is the same, except that everyone has read access to everything and write access only to their own folder. This all works fine when accessed via the JavaScript S3 SDK.
I am now trying to implement access via the API Gateway talking to a Lambda function which accesses S3.
The problem is that it appears that the Cognito Userpool identity is not being used by the Lambda function. If I give the Lambda function role total S3 access then the function is able to access S3 fine and the function works. If however I have the role policies in place to restrict by Cognito Userpool ID as described above, the I get access denied.
It appears to me that the Userpool Cognito Identity is not what the Lambda function is using.
Can anyone suggest the correct configuration for this setup?
thanks
API Gateway and Lambda do not automatically support this use case.
The Lambda function is running with the identity of it's execution role, thus its context won't contain the identity attributes from the Cognito user pool. (The context object in the Lambda function contains the context from Lambda's perspective.)
API Gateway exposes the Cognito user pool identity information via $context.authorizer.claims variable within API Gateway. To access this information from within your Lambda function, you must modify your body mapping template in API Gateway to pass the desired data from $context.authorizer.claims to your Lambda function via the request body. You're Lambda function then reads this information from the request body like any other field.
In this scenario there is no mechanism to automatically restrict permissions to S3 buckets/object on a per Cognito-user basis. You could implement logic within your Lambda function to enforce it using custom code.