Certificate Pinning on AWS Lambda
Can handler functions in AWS lambda, invoked by API Gateway, reach down into the connection layer of the request at all to access what certificate was used to establish the SSL/TLS connection on the client side? I'd like to implement a certificate pinning strategy for the API I'm building as I've found a dozen ways in which SSL without pinning can be bypassed and the data in my API is not social media posts.
Any Alternatives if not possible?
If Lambda functions don't have access to the connection layer, is there a comparable way of further enforcing security and not simply saying "SSL is enough"?
Last Resort
If Lambda doesn't give me access to the certificate info of the client connections I'll have to resort to asymmetric encryption.
An AWS Lambda function doesn't have a direct connection with an HTTP request, it can be invoked by a lot of things, e.g. an SNS subscription, or a simple SDK invocation. Or, and that's I guess what you're aiming at, you can invoke a Lambda function via the AWS API Gateway.
So if you want any HTTP or TLS details in your Lambda function, you need to make sure that the API Gateway is somehow injecting that data into the payload that's going to the Lambda function. I'm not sure if that's possible, a deep dive into some API Gateway documentation will probably help you further.
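As an added example (not part of the original answer): API Gateway can now be configured for mutual TLS, and with a Lambda proxy integration the validated client certificate is injected into the event payload. This handler assumes a REST API with mTLS enabled, where the certificate arrives at event["requestContext"]["identity"]["clientCert"]["clientCertPem"] (shape taken from the AWS docs), and adds a pinning check on top of the chain validation API Gateway already performs; the sample certificate is a constructed stand-in.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumed event shape: REST API + mutual TLS + Lambda proxy integration.
# API Gateway has already validated the chain against the truststore; this
# handler pins by allow-listing SHA-256 fingerprints of the DER-encoded cert.


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str) -> str:
    """Hex SHA-256 of the DER bytes, the usual form of a certificate pin."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def is_pinned(fp: str, pins) -> bool:
    # Compare against every pin in constant time so the response time does
    # not reveal which pin was the closest match.
    return any(hmac.compare_digest(fp, p) for p in pins)


# Constructed stand-in for a client certificate. It is not a real X.509
# structure; the handler only hashes the DER bytes, it does not parse them.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-client-cert").decode()
              + "\n-----END CERTIFICATE-----\n")
PINNED_FINGERPRINTS = {fingerprint(SAMPLE_PEM)}


def handler(event, context=None, pins=None):
    pins = PINNED_FINGERPRINTS if pins is None else pins
    cert = (event.get("requestContext") or {}).get("identity", {}).get("clientCert") or {}
    pem = cert.get("clientCertPem")
    if not pem:  # mTLS not enforced on this stage, or not a proxy integration
        return {"statusCode": 403, "body": json.dumps({"error": "no client cert"})}
    try:
        fp = fingerprint(pem)
    except (ValueError, binascii.Error):
        return {"statusCode": 400, "body": json.dumps({"error": "malformed cert"})}
    if not is_pinned(fp, pins):
        return {"statusCode": 403, "body": json.dumps({"error": "cert not pinned"})}
    return {"statusCode": 200, "body": json.dumps({"subject": cert.get("subjectDN")})}
```

Rotate pins by adding the new fingerprint before the old one is retired, otherwise a client with a renewed certificate is locked out until the allow-list is redeployed.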
Related
I have a React app which calls API Gateway, which in turn triggers my Lambda functions. Now, for cost-saving purposes, due to the potentially, let's say, tens of millions of requests to the API Gateway, I did some research and am looking at potentially using ALB to invoke my Lambdas rather than API GW. My API GW is simply a Lambda-Proxy integration.
My question is with API GW I can add API keys and custom authorizers etc, but for ALB, how do I add a bit of authentication at the ALB layer, say only allow the invocation of my Lambda functions only from the client that I trust? Note my client is a static React app with no server behind it! I don’t need anything too fancy but just want to reject requests other than my trusted request origins. Inside Lambda to cover browser I will just add CORS to response header. But at ALB level, how do I achieve what I required?
Looking forward to getting some light shed here!
Thanks
Is it an option using AWS Cognito or CloudFront? We did that with an Enterprise application which uses OIDC (OAuth 2.0). It does implement just Authentication for now.
Have a look at these links:
https://aws.amazon.com/de/blogs/aws/built-in-authentication-in-alb/
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
Is it possible to make some kind of HTTP request that will trigger Lambda and allow it to build a response for the request?
Is it possible for Lambda to access CloudFront cache directly or somehow get the data it needs. I guess it can be done making HTTP requests to CloudFront, but maybe there is more direct way to do that, no?
Or all this stuff I'm asking here is a piece of **** and I'd better go and buy a new server or optimize my code (actually, I would like to, but the manager wants CloudFront + Lambda, so I'm trying to figure out if that is possible, but the docs don't give me an answer. Am I blind maybe?)
You can expose your Lambda function via an API Gateway. Then your Lambda function can just run code that will access other services/resources (CloudFront, SNS, SQS, etc.). Use the AWS SDK to access these services.
See Amazon API Gateway documentation: http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html
I am looking for ways to avoid creating an ec2 instance in order to have a valid callback URL to perform the oauth handshake.
I plan to use Lambda to connect to a remote API, but I need to be able to get the token first, which is valid only for 6 hours.
Is there any way I can make the handshake via Lambda functions?
I think Lambda along with API Gateway offer a good solution. API Gateway allows you to create a persistent, publicly accessible HTTP endpoint. You can define specific 'resources' that map HTTP methods to lambda function calls.
I'm not especially familiar with OAuth 2, but I'm imagining something like this: in API Gateway, define a resource '/callback' with a GET method that invokes your Lambda function.
Register the API Gateway endpoint as your application's callback URI, which would look something like this:
https://c1bql2cdxy.execute-api.us-east-1.amazonaws.com/callback
By doing so, the remote service will invoke your lambda function, which can then read the authorization token from the request and use it however needed, whether that involves 1) storing the token in a database for future use (and reuse) by other services, 2) directly invoking the services within the same Lambda function, etc.
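An added example (not part of the original answer) of what the '/callback' Lambda described above might do. It assumes a Lambda proxy integration, so the provider's redirect parameters arrive in event["queryStringParameters"]; the code-for-token exchange and the token store are injected as callables so the handler runs offline, where a real deployment would POST to the provider's token endpoint and write to DynamoDB or Secrets Manager.

```python
import hmac
import json
import secrets
import time

# Assumption: GET /callback on API Gateway with a Lambda proxy integration.
# exchange_code(code) -> token dict from the provider, store_token(record) -> None.

TOKEN_TTL_SECONDS = 6 * 60 * 60  # the 6-hour lifetime mentioned in the question


def new_state() -> str:
    """Unguessable state value that binds the callback to the request we started."""
    return secrets.token_urlsafe(32)


def handle_callback(event, exchange_code, store_token, expected_state, now=None):
    """Validate the redirect, exchange the code and persist the resulting token."""
    now = int(time.time()) if now is None else now
    params = event.get("queryStringParameters") or {}
    if "error" in params:  # provider refused the authorization
        return {"statusCode": 400, "body": json.dumps({"error": params["error"]})}
    code, state = params.get("code"), params.get("state")
    if not code or not state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        # Missing or mismatched state: treat as a forged or replayed callback.
        return {"statusCode": 403, "body": json.dumps({"error": "invalid state"})}
    token = exchange_code(code)
    if not token or "access_token" not in token:
        return {"statusCode": 502, "body": json.dumps({"error": "exchange failed"})}
    expires_at = now + int(token.get("expires_in", TOKEN_TTL_SECONDS))
    store_token({"access_token": token["access_token"], "expires_at": expires_at})
    # Never echo the token back to the caller; only confirm it was stored.
    return {"statusCode": 200, "body": json.dumps({"stored_until": expires_at})}


def token_is_fresh(record, now=None, skew=60) -> bool:
    """True when a stored token can still be reused by another invocation."""
    now = int(time.time()) if now is None else now
    return record["expires_at"] - skew > now
```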
I created an API with AWS API Gateway. This API provides a method that calls an AWS Lambda function. When I call this API method manually using a REST client, it works properly, and the Lambda function is called.
I also have a device that periodically pushes some data to a server via HTTP(S). When configured to push data to a HTTPS server running on an EC2 instance, it works properly. But when I configure the device to push data to API Gateway, the Lambda function is never called.
I tried sniffing the traffic via Wireshark, and I can see that requests are indeed sent by the device and that the API responds, but I can't view the contents of the requests and responses since they are encrypted. My guess is that API Gateway returns some kind of error that prevents the Lambda from being called. Unfortunately, the device does not provide any logs. Is there any way on the AWS side to see what is going on?
Enable CloudWatch Logs for API Gateway: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudwatch-logs/
This is a bit of a tricky situation I got into here.
I set up a Lambda function & API Gateway, then I set up CloudFront over API Gateway for faster processing and to benefit from all the edge nodes provided by AWS [it should take more time using CloudFront on top of the API Gateway service, but I am getting better results with the CloudFront layer on top of it; maybe DNS resolution and AWS internal infrastructure are better].
I set up a Java function inside Lambda which is working perfectly fine, but I want to use the Context of the request maker in the Lambda function:
public String handleRequest(UserPOJO input, Context context) {
    // Identity is only populated when the invocation carries Cognito credentials
    return context.getIdentity().getIdentityId();
}
If I make a direct Lambda function request I can achieve that, but it's taking too much time executing Lambda directly from my Android client, and I also don't find it good to expose those details; with CloudFront I am not sure what headers I should send so that Lambda detects its Cognito role and ID using context.getIdentity().getIdentityId(); in Lambda.
If someone understands my problem here and can elaborate it better for others I will be glad; it is very complex to explain the problem.
Technically
I can execute the Lambda function directly with Cognito credential provider authentication, but it's very slow.
I can make an API Gateway request with Cognito credential provider authentication; speed is better than direct Lambda execution.
I can make a CloudFront request, but I'm stuck where I don't know how I can use Cognito credential provider authorisation while making the request. It seemed faster than API Gateway.
Thanks. :)
If you want to get Cognito-related information in the Lambda function and you are proxying your request from API Gateway, you can use the mapping template to include the information you need; then you can get it from the input object.
I can execute the Lambda function directly with Cognito credential provider authentication, but it's very slow.
I recommend you build your Lambda function in the Python or JavaScript runtime.
I can make an API Gateway request with Cognito credential provider authentication; speed is better than direct Lambda execution.
API Gateway cannot improve the performance of your Lambda function, but API Gateway can provide API management features for your Lambda function.
I can make a CloudFront request, but I'm stuck where I don't know how I can use Cognito credential provider authorisation while making the request. It seemed faster than API Gateway.
CloudFront doesn't have anything to do with your Cognito credentials. It just passes everything it gets to API Gateway.
I am not sure how adding a CloudFront distribution in front of API Gateway can make the latency better, unless you enable the edge-side cache, which avoids calling your Lambda function every time.