Is there any way to hide AWS lambda code? - amazon-web-services

I want to publish my application and provide lambdas to others, so that when the lambda package is exported no one can get the lambda code.

You should create an API Gateway which will connect the application to your Lambda code. Give that API endpoint URL to the others and they will call your Lambda function through that. This way they cannot know what's going on in your Lambda code.

The ideal way is to use API Gateway as the trigger for your Lambda and share that endpoint with the users.
However, if you don't want that, you should probably consider cross-account access with a cross-account role (give permission to execute just the Lambda you want to expose and set up the trust relationship). Let them assume this role and call this Lambda.
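The cross-account option above only keeps the code private if the role is scoped tightly: `lambda:InvokeFunction` runs the function, while `lambda:GetFunction` returns a presigned URL to the deployment package, so a role that grants `lambda:*` or `lambda:Get*` hands the code over. The following added example (not from the answer above, all account IDs and ARNs are constructed) builds the two policy documents the answer describes and includes a small review check that flags an invoke-role policy which would expose the code:

```python
import fnmatch
import json

# Constructed sample identifiers; substitute your own account IDs and function ARN.
OWNER_ACCOUNT = "111111111111"
CONSUMER_ACCOUNT = "222222222222"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{OWNER_ACCOUNT}:function:MyFunction"

# Actions whose response includes the deployment package (or its download URL).
CODE_EXPOSING_ACTIONS = ("lambda:GetFunction", "lambda:GetLayerVersion")


def trust_policy(consumer_account: str, external_id: str) -> dict:
    """Trust policy for the role in the owner account: only the consumer account may assume it,
    and only while presenting the agreed ExternalId (the usual confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def invoke_only_policy(function_arn: str) -> dict:
    """Permission policy attached to that role: invoke this one function and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
        }],
    }


def exposes_code(policy: dict) -> bool:
    """Review check: does any Allow statement match an action that reveals the function code?
    IAM action names are case-insensitive and use * / ? wildcards, which fnmatch reproduces."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            for exposing in CODE_EXPOSING_ACTIONS:
                if fnmatch.fnmatchcase(exposing.lower(), pattern.lower()):
                    return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(CONSUMER_ACCOUNT, "agreed-external-id"), indent=2))
    policy = invoke_only_policy(FUNCTION_ARN)
    print(json.dumps(policy, indent=2))
    print("exposes code:", exposes_code(policy))
```

Attach the output of `invoke_only_policy` to the role and the output of `trust_policy` as its trust relationship; run `exposes_code` over any later edits to the role before deploying them.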

Related

Creating AWS Lambda Triggers Programmatically

I have an AWS Lambda function that takes in and processes logs from CloudWatch Logs that are sent to specific log groups. The thing is, I may need to add more triggers as more log groups are created. The only way I have found to create a trigger for a specific log group is to use the AWS Lambda console and the AWS CloudFront console. Is it possible to create a trigger for an AWS Lambda function programmatically? For instance, in some Java code?
Yes, one of the common ways of triggering serverless functions is using endpoints. I believe you can expose an API endpoint from the function's console using an API Gateway, and call this endpoint URL from your Java code or whatever programmatic entity you wish.
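What the console does for a CloudWatch Logs trigger is two API calls: a resource-based permission on the function that lets the `logs.amazonaws.com` principal invoke it (scoped to one log group ARN and one account, so no other log group or account can trigger it), and a subscription filter on the log group pointing at the function ARN. The added example below (not from the answer above, written for this page) performs both with boto3's `add_permission` and `put_subscription_filter`; the `RecordingClient` is a constructed dry-run stand-in so the logic can be exercised offline, and the `__main__` block shows the real clients:

```python
import re


class RecordingClient:
    """Constructed stand-in for a boto3 client: records every call instead of making it.
    Pass boto3.client('logs') / boto3.client('lambda') in production."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class ResourceConflictException(Exception):
            pass

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


def statement_id(log_group: str) -> str:
    # StatementId must be unique per function and match [a-zA-Z0-9_-]+; derive it from the log group name
    return "logs-" + re.sub(r"[^a-zA-Z0-9_-]", "-", log_group).strip("-")


def add_log_group_trigger(logs_client, lambda_client, *, region, account_id,
                          log_group, function_name, filter_pattern=""):
    """Wire one log group to the function: permission first, then the subscription filter."""
    function_arn = f"arn:aws:lambda:{region}:{account_id}:function:{function_name}"
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*"
    try:
        lambda_client.add_permission(
            FunctionName=function_name,
            StatementId=statement_id(log_group),
            Action="lambda:InvokeFunction",
            Principal="logs.amazonaws.com",
            SourceArn=log_group_arn,     # only this log group may invoke the function
            SourceAccount=account_id,    # and only from this account
        )
    except lambda_client.exceptions.ResourceConflictException:
        pass  # permission already present from an earlier run; the call is idempotent
    logs_client.put_subscription_filter(
        logGroupName=log_group,
        filterName=f"to-{function_name}",
        filterPattern=filter_pattern,    # "" forwards every event; narrow it where you can
        destinationArn=function_arn,
    )
    return function_arn


if __name__ == "__main__":
    import boto3  # real clients only when run as a script
    add_log_group_trigger(boto3.client("logs"), boto3.client("lambda"),
                          region="us-east-1", account_id="111111111111",   # constructed values
                          log_group="/aws/lambda/some-producer", function_name="LogProcessor")
```

Run it each time a new log group appears (for example from a CloudTrail `CreateLogGroup` event) instead of clicking through the console.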

Authorizing access to specific resources

I'm trying to build a REST API using AWS API Gateway that calls into a bunch of Lambda functions.
I have now set up API Gateway to use a Cognito user pool as the authorizer, but all that's really doing is authenticating the user since I've attached the user pool to all the endpoints. I wasn't able to figure out how to specifically allow certain methods on certain endpoints.
For example, if my user is 123 and belongs to group ABC, I would only like them to be able to GET /users?group=ABC or PATCH /users/123.
Is it possible to achieve this level of control or do I need to implement those checks in the Lambda function that API Gateway calls?
I am developing a similar setup and I faced the exact same issue. My team could not find a solution to this, so we contacted an AWS solutions architect. Here is a summary of their approach to this problem.
Unfortunately there are no default built-in solutions to this specific problem. However you can use some alternative solutions.
It is possible to trigger Lambda functions during Cognito user pool workflows. You may use an extra Lambda function to authorize users by checking their user-group relationships.
Customizing User Pool Workflows with Lambda Triggers
You can use API Gateway Lambda authorizer. In this case you will have to give up the Cognito integration and apply your custom authorization logic inside the authorizer Lambda.
Use API Gateway Lambda authorizers
You can implement the authorization logic inside the lambda functions with an extra query by checking the user-group relationship. You can check the identity of the requesting (Cognito) user through requestContext.authorizer.claims.* in the Lambda event.
Hope this helps.
Of course, yes, you can do it. This will help you; if you get stuck, ping me back.
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-custom-scopes-api-gateway/
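The third option in the accepted answer (checking the user-group relationship inside the function) is the only one of the three that can enforce the `GET /users?group=ABC` rule, because an authorizer's IAM policy matches the method and path but never the query string. The added example below (not from the answer, written for this page) implements exactly the two rules from the question against `requestContext.authorizer.claims`. One assumption is labelled in the code: API Gateway flattens `cognito:groups` to a string, and the exact shape has varied, so both the comma-separated and the bracketed forms are accepted.

```python
import json


def groups_from_claims(claims: dict) -> set:
    """Normalise the cognito:groups claim. Assumption: API Gateway delivers it as a string that
    has looked like 'ABC,DEF' or '[ABC DEF]' depending on the integration, so accept both."""
    raw = claims.get("cognito:groups", "")
    if isinstance(raw, list):
        return set(raw)
    return {g for g in raw.strip("[]").replace(",", " ").split() if g}


def is_authorized(event: dict) -> bool:
    """Rules from the question: a user may GET /users?group=<one of their groups>
    or PATCH /users/<their own sub>. Everything else is denied (default deny)."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims")
    if not claims:                      # no authenticated principal
        return False
    user_id = claims.get("sub")
    groups = groups_from_claims(claims)
    method = event.get("httpMethod")
    resource = event.get("resource")    # the route template, e.g. /users/{id}
    if method == "GET" and resource == "/users":
        wanted = (event.get("queryStringParameters") or {}).get("group")
        return wanted is not None and wanted in groups
    if method == "PATCH" and resource == "/users/{id}":
        target = (event.get("pathParameters") or {}).get("id")
        return target is not None and target == user_id
    return False


def handler(event, context):
    """Lambda proxy handler: authorize before touching any data."""
    if not is_authorized(event):
        return {"statusCode": 403, "body": json.dumps({"message": "Forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"ok": True})}


def sample_event(method, resource, *, sub="123", groups="ABC", path=None, query=None):
    """Constructed proxy-integration event shaped like the one API Gateway sends with a Cognito authorizer."""
    return {
        "httpMethod": method,
        "resource": resource,
        "pathParameters": path,
        "queryStringParameters": query,
        "requestContext": {"authorizer": {"claims": {"sub": sub, "cognito:groups": groups}}},
    }


if __name__ == "__main__":
    print(handler(sample_event("GET", "/users", query={"group": "ABC"}), None))   # 200
    print(handler(sample_event("PATCH", "/users/{id}", path={"id": "456"}), None))  # 403
```

Because the claims come from the token API Gateway already validated, the function trusts them; it never reads the user id or group from the request body, which the caller controls.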

AWS - Invoke common task Lambda for each API

We have a requirement to write custom logs for the application to capture the things like who did what and when.
To do that we have created a Lambda to insert the logs in DynamoDb database. We need this Lambda to be called from a common place every time we call an API from frontend of the application instead of invoking it in each and every individual lambdas.
We tried invoking this in the API Gateway Authorizer but it doesn't work because our gateway authorizer is of type 'Token'. So, it does not accept any other parameters than access token. We cannot change the type of custom authorizer to type 'Request' because we need access token to be present for authorizing user in Cognito.
Question:
Is there any place where we can invoke this Logs Lambda so that it executes when each API is called?
Your last paragraph makes no sense, but typically the best way to do this is streaming, as this minimises the amount of Lambda invocations you need to make.
You can stream API access logs, which contain things like the path, current time and principal, to CloudWatch log streams, or to a Lambda.
In this Lambda you can do your custom logging logic. If you have other sources which will have different types of events you may need to use Kinesis directly for streaming.
Try using a different event trigger. If your Lambda can get triggered by a queue or CloudFront you won't have authorization problems. However, your application has to assume a suitable role to use some of these. If you're using Java, you can intercept your request in many ways and make the Lambda call via the SDK before processing the API. Need more details to provide a holistic solution.
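The streaming route in the first answer ends in a Lambda that receives CloudWatch Logs subscription events, and the shape of that delivery is fixed: `event["awslogs"]["data"]` is base64-encoded gzip JSON with a `logEvents` list. The added example below (not from either answer, written for this page) decodes it and turns each API Gateway access-log line into a who/what/when record ready for DynamoDB. The access-log format is a stage setting you choose; the JSON layout assumed here is labelled in the code, and the sample lines are constructed. The DynamoDB write is a pluggable sink so the logic runs offline.

```python
import base64
import gzip
import json

# Assumed access-log format configured on the API stage (JSON built from $context variables):
# {"requestId":"$context.requestId","time":"$context.requestTime","user":"$context.authorizer.claims.sub",
#  "method":"$context.httpMethod","path":"$context.resourcePath","status":"$context.status"}


def decode_awslogs(event: dict) -> list:
    """CloudWatch Logs delivers subscription data as base64(gzip(JSON)) under event['awslogs']['data']."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw))["logEvents"]


def audit_records(event: dict) -> list:
    """One audit record per access-log line; lines that are not JSON are skipped rather than fatal,
    so one malformed line cannot block the batch."""
    records = []
    for log_event in decode_awslogs(event):
        try:
            entry = json.loads(log_event["message"])
        except json.JSONDecodeError:
            continue
        records.append({
            "pk": entry.get("user") or "anonymous",                      # who
            "sk": f'{entry.get("time")}#{entry.get("requestId")}',       # when, unique per request
            "action": f'{entry.get("method")} {entry.get("path")}',      # what
            "status": entry.get("status"),
        })
    return records


def make_handler(put_item):
    """Build the Lambda handler around a sink. In production pass
    boto3.resource('dynamodb').Table(name).put_item, which takes the same Item= keyword."""
    def handler(event, context):
        recs = audit_records(event)
        for rec in recs:
            put_item(Item=rec)
        return {"written": len(recs)}
    return handler


def constructed_event(messages: list) -> dict:
    """Encode messages the way CloudWatch Logs would (constructed sample for offline use)."""
    payload = {"messageType": "DATA_MESSAGE", "logGroup": "API-Gateway-Access-Logs", "logStream": "s1",
               "logEvents": [{"id": str(i), "timestamp": 0, "message": m} for i, m in enumerate(messages)]}
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}


# Constructed sample access-log lines: one authenticated PATCH, one junk line, one rejected anonymous GET.
SAMPLE_MESSAGES = [
    json.dumps({"requestId": "r-1", "time": "10/Oct/2023:10:00:00 +0000", "user": "123",
                "method": "PATCH", "path": "/users/{id}", "status": "200"}),
    "not json: this line is skipped",
    json.dumps({"requestId": "r-2", "time": "10/Oct/2023:10:00:01 +0000", "user": "",
                "method": "GET", "path": "/users", "status": "403"}),
]

if __name__ == "__main__":
    collected = []
    print(make_handler(lambda Item: collected.append(Item))(constructed_event(SAMPLE_MESSAGES), None))
    print(collected)
```

Access logs are written by API Gateway for every request that reaches the stage, including ones the authorizer rejects, so this also records denied attempts, something a hook inside the authorizer or the business Lambdas would miss.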

Can I call AWS Lambda directly without Gateway API?

I am developing a simple Lambda function on AWS to get and put data into DynamoDB. I wanted to call this function from the Windows client desktop application. My question is, do I really need AWS Gateway API here or can I call the Lambda function directly using the AWS SDK?
You can use invoke() to directly execute an AWS Lambda function from an AWS SDK. You can also pass it a payload, which will be accessible within the function.
Here is a syntax example in Python:
import base64, json, boto3

client = boto3.client('lambda')
with open('file-path/input.json', 'rb') as f:   # boto3 takes bytes or str, not the CLI's fileb:// form
    payload = f.read()

response = client.invoke(
    ClientContext=base64.b64encode(json.dumps({'app': 'MyApp'}).encode()).decode(),  # must be base64-encoded JSON
    FunctionName='MyFunction',
    InvocationType='Event',   # asynchronous; LogType='Tail' only returns logs for RequestResponse
    LogType='Tail',
    Payload=payload,
    Qualifier='1',            # version number or alias
)
You need API Gateway if you want to create REST APIs that mobile and web applications can use to call publicly available AWS services (through code running in AWS Lambda).
You can synchronously invoke your Lambda functions. This can be accomplished through a variety of options, including using the CLI or any of the supported SDKs. Note the invocation-type should be RequestResponse (aws blog).
Bash command using the AWS CLI:
# AWS CLI v2 needs --cli-binary-format raw-in-base64-out to accept a raw JSON --payload; the trailing file receives the response
aws lambda invoke --function-name MyLambdaFunction --invocation-type RequestResponse --cli-binary-format raw-in-base64-out --payload '{"key": "value"}' response.json
Python SDK call (configuration):
import json, boto3

LAMBDA_CLIENT = boto3.client('lambda')
invoke_resp = LAMBDA_CLIENT.invoke(
    FunctionName='function_name',
    InvocationType='RequestResponse',
    Payload=json.dumps({'key': 'value'}))   # bytes or str; the function receives it as its event
If you want to invoke the Lambda asynchronously, the invocation-type flag should be Event:
aws lambda invoke --function-name MyLambdaFunction --invocation-type Event --cli-binary-format raw-in-base64-out --payload '{"key": "value"}' response.json
I don't have much information from your use case. I have to assume something here.
You don't need to wait for the response back from Lambda
So you can use an async call through SNS or SQS and then have your Lambda subscribed to either SNS or SQS. You can research more to choose between SNS and SQS, depending on your use case.
If you need to wait for the response back from Lambda
If you want to share the Lambda's feature outside your organization, you can use API Gateway to do so, it means you still keep Lambda inside but expose an API through API Gateway to outside for usage.
If you don't want to share the Lambda's feature outside, like previous answers, you can use invoke command/sdk to achieve the result.
If I have more information from your use case, maybe the answer can be more accurate.
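The answers above show the invoke calls but not how to consume the result, and that is where direct-SDK callers usually go wrong: for a `RequestResponse` invocation the service `StatusCode` is 200 even when the function raised, and the failure is signalled by the `FunctionError` field with the error details in `Payload`; for an `Event` invocation the only acknowledgement is a 202 and nothing the function does is ever returned. The added example below (not from the answers, written for this page) wraps both modes; the `FakeLambdaClient` is a constructed in-process stand-in for `boto3.client('lambda')` so it runs offline, and `sample_handler` stands in for the function code.

```python
import io
import json


def invoke_sync(lambda_client, function_name: str, payload: dict):
    """RequestResponse: wait for the function, return its decoded result, raise if it failed."""
    resp = lambda_client.invoke(
        FunctionName=function_name,
        InvocationType="RequestResponse",
        Payload=json.dumps(payload).encode(),
    )
    body = resp["Payload"].read()        # StreamingBody in boto3: read it exactly once
    if resp.get("FunctionError"):        # "Handled" or "Unhandled": the function raised; StatusCode is still 200
        raise RuntimeError(f"{function_name} failed: {body.decode()}")
    return json.loads(body) if body else None


def invoke_async(lambda_client, function_name: str, payload: dict) -> str:
    """Event: the request is queued and the call returns at once with StatusCode 202 and a request id."""
    resp = lambda_client.invoke(
        FunctionName=function_name,
        InvocationType="Event",
        Payload=json.dumps(payload).encode(),
    )
    if resp["StatusCode"] != 202:
        raise RuntimeError(f"unexpected status {resp['StatusCode']}")
    return resp["ResponseMetadata"]["RequestId"]


class FakeLambdaClient:
    """Constructed stand-in that reproduces the response shapes boto3 returns for both invocation types."""

    def __init__(self, handler):
        self.handler = handler           # the function code, simulated in-process

    def invoke(self, FunctionName, InvocationType, Payload):
        event = json.loads(Payload)
        meta = {"HTTPStatusCode": 200, "RequestId": "req-1"}
        if InvocationType == "Event":
            return {"StatusCode": 202, "ResponseMetadata": dict(meta, HTTPStatusCode=202)}
        try:
            result, err = json.dumps(self.handler(event)), None
        except Exception as exc:          # what the runtime does with an uncaught exception
            result = json.dumps({"errorType": type(exc).__name__, "errorMessage": str(exc)})
            err = "Unhandled"
        resp = {"StatusCode": 200, "Payload": io.BytesIO(result.encode()), "ResponseMetadata": meta}
        if err:
            resp["FunctionError"] = err
        return resp


def sample_handler(event):
    """Stand-in function body: stores an item, rejects requests without one."""
    if "item" not in event:
        raise ValueError("item is required")
    return {"stored": event["item"]}


if __name__ == "__main__":
    client = FakeLambdaClient(sample_handler)   # swap for boto3.client("lambda") against AWS
    print(invoke_sync(client, "MyFunction", {"item": "a"}))
    print(invoke_async(client, "MyFunction", {"item": "b"}))
```

Whichever mode the desktop client uses, it needs credentials that carry `lambda:InvokeFunction` on that one function and no more; see the first answer on this page for why a broader grant also hands out the code.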

Creating an internal API with Lambda on AWS

I want to build a serverless system using AWS Lambda + API Gateway where I will have some public APIs and some other APIs for internal usage only (all will be implemented with Lambda functions and Node JS).
My question is specific on how to create those internal APIs which will NOT be exposed to the outside world but only to a handful of lambda functions.
I know all APIs defined in the Gateway are public. How can I manage the caller of the API to be only from my own recognized AWS resources (specifically my Lambda functions)?
I am aware a possible answer will be to simply call the Lambda function directly and not via the API Gateway. This will of course work, but the downside here is that it couples the implementation to AWS while I am trying to get a solution which consists of Node micro-services calling each other via REST APIs.
Thanks.
As documented here:
To assign custom access permissions to the method, in the Authorization Settings area, for Authorization Type, choose Edit, and then choose AWS_IAM. Only IAM roles with the correct IAM policy attached will be allowed to call this method.
Then you would just need to assign an appropriate IAM role to your Lambda function(s) in order to allow them to call those private API Gateway methods.
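Two pieces make the AWS_IAM setup above work: the calling Lambda's execution role needs an `execute-api:Invoke` grant on the specific method ARNs, and the call itself must carry a SigV4 signature, which API Gateway verifies before the request reaches the backend. The added example below (not from the answer, written for this page) builds that policy statement and shows what the signature consists of with a hand-rolled signer so the steps are visible; in production use the SDK's signer instead (botocore's `SigV4Auth`, or an equivalent library in Node). The API id, account and credentials are constructed values.

```python
import datetime
import hashlib
import hmac
import urllib.parse


def execute_api_policy(region, account_id, api_id, stage, allowed):
    """Statement for the *calling* Lambda's execution role: only the listed (method, path) pairs.
    Resource form: arn:aws:execute-api:region:account:api-id/stage/METHOD/path"""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": [f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/{m}/{p.lstrip('/')}"
                         for m, p in allowed],
        }],
    }


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(method, url, body, access_key, secret_key, region,
                  session_token=None, service="execute-api", now=None):
    """Headers API Gateway's AWS_IAM check validates. Inside a Lambda the three credential values are
    the execution role's (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN env vars)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    u = urllib.parse.urlsplit(url)
    canonical_uri = urllib.parse.quote(u.path or "/", safe="/")
    query = sorted(urllib.parse.parse_qsl(u.query, keep_blank_values=True))
    canonical_qs = "&".join(f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
                            for k, v in query)
    headers = {"host": u.netloc, "x-amz-date": amz_date}
    if session_token:                     # temporary credentials must also send the token
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body or b"").hexdigest()
    canonical_request = "\n".join([method, canonical_uri, canonical_qs, canonical_headers, signed, payload_hash])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), date)      # derived key: date -> region -> service -> aws4_request
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


if __name__ == "__main__":
    print(execute_api_policy("us-east-1", "111111111111", "abc123", "prod",
                             [("GET", "/internal/users"), ("POST", "/internal/orders")]))
    print(sigv4_headers("GET", "https://abc123.execute-api.us-east-1.amazonaws.com/prod/internal/users",
                        b"", "AKIDEXAMPLE", "example-secret", "us-east-1", session_token="example-token"))
```

Because the signature covers the method, path, query string, date and body, a captured request cannot be replayed against another route or with another body, and the 5-minute clock-skew window bounds replay of the same one; the policy keeps a compromised internal caller limited to the routes it was granted.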