I have a simple Lambda function which sends emails through SES. I can call it using a POST request with the required data and it will send an email. My question is, what are the methods I can use to secure this function? Currently, anyone can call that endpoint and execute the function with any data.
You cannot secure client-side code, unless one considers obfuscation a security measure. Any basic contact form is vulnerable to being spammed, I guess. – Jun 26 '17 at 14:06
@ChrisG `aws-lambda` is a server-side technology – LifeQuery Jun 26 '17 at 14:45
1 Answer
You need to set an authorizer for your API Gateway. This tutorial is a great starting point.
In summary, you need to:
- Create a Cognito User Pool
- Create a Cognito Identity Pool that uses this User Pool
- Make the client log in and retrieve Cognito credentials
- Make the client send authorization headers for all requests
- Set an authorizer in your Lambda function
Your serverless.yml will look like this with the authorizer configuration:
functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: post
          authorizer:
            arn: YOUR_USER_POOL_ARN   # ARN of the Cognito User Pool
You don't need to be restricted to a Cognito authorizer. You can configure an authorizer for Google+, Facebook, etc.
This setting means that the Lambda function will be triggered only by authenticated users, and you can identify the user ID by inspecting the event object:
event.requestContext.authorizer.claims.sub

Zanon
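The answer above puts authentication in front of the endpoint, but the question also asks about "any data": once a caller is authenticated, the function still has to decide what it will send on their behalf. The Node.js handler below is an added example, not code from the question, the answer or the linked tutorial. It assumes the serverless.yml setup from the answer (API Gateway with a Cognito User Pool authorizer, so `event.requestContext.authorizer.claims` is populated by API Gateway from a token it has already verified, with every claim value delivered as a string), a JSON body of the form `{ "subject": ..., "text": ... }`, and a hypothetical verified sender identity `no-reply@example.com`. Identity is taken only from the authorizer claims (never from the body), the recipient is pinned to the caller's verified email claim, the subject is rejected if it contains line breaks, and the Cognito `sub` from the answer is used as the key for a simple per-user rate limit.

```javascript
"use strict";

// Added example: hardened SES-sending Lambda behind an API Gateway Cognito
// authorizer. Assumptions (not from the original post): API Gateway has
// verified the token and filled event.requestContext.authorizer.claims
// (claim values arrive as strings); the client POSTs JSON {subject, text};
// FROM_ADDRESS is a hypothetical verified SES identity.

const FROM_ADDRESS = "no-reply@example.com"; // assumed verified SES identity
const MAX_SUBJECT = 120;
const MAX_TEXT = 5000;
const MAX_PER_WINDOW = 5;      // sends allowed per user per window
const WINDOW_MS = 60 * 1000;

// Per-user counters keyed by the Cognito "sub". In-memory only: it resets on a
// cold start and is not shared between containers. Use DynamoDB or similar for
// a limit that must hold across the whole deployment.
const windows = new Map();

function jsonResponse(statusCode, body) {
  return {
    statusCode,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(body),
  };
}

// Identity comes only from the authorizer context. A "sub" or "email" field in
// the request body is attacker-controlled and is never read.
function getCaller(event) {
  const ctx = event && event.requestContext && event.requestContext.authorizer;
  const claims = ctx && ctx.claims;
  if (!claims || typeof claims.sub !== "string" || claims.sub === "") return null;
  if (typeof claims.email !== "string" || String(claims.email_verified) !== "true") return null;
  return { sub: claims.sub, email: claims.email };
}

// Strict input validation: size caps, and no CR/LF in the subject so a caller
// cannot smuggle extra mail headers into the message.
function parseBody(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody || "");
  } catch (e) {
    return { error: "body must be JSON" };
  }
  if (!body || typeof body !== "object") return { error: "body must be a JSON object" };
  const { subject, text } = body;
  if (typeof subject !== "string" || typeof text !== "string") {
    return { error: "subject and text are required strings" };
  }
  if (subject.length === 0 || subject.length > MAX_SUBJECT) return { error: "subject length" };
  if (/[\r\n]/.test(subject)) return { error: "subject must not contain line breaks" };
  if (text.length === 0 || text.length > MAX_TEXT) return { error: "text length" };
  return { subject, text };
}

function withinRateLimit(sub, now) {
  const w = windows.get(sub);
  if (!w || now - w.start >= WINDOW_MS) {
    windows.set(sub, { start: now, count: 1 });
    return true;
  }
  w.count += 1;
  return w.count <= MAX_PER_WINDOW;
}

// Pure, synchronous decision: either a rejection response or the SES params.
function processRequest(event, now = Date.now()) {
  const caller = getCaller(event);
  if (!caller) return { ok: false, response: jsonResponse(401, { error: "unauthenticated" }) };
  const parsed = parseBody(event.body);
  if (parsed.error) return { ok: false, response: jsonResponse(400, { error: parsed.error }) };
  if (!withinRateLimit(caller.sub, now)) {
    return { ok: false, response: jsonResponse(429, { error: "too many requests" }) };
  }
  return {
    ok: true,
    params: {
      Source: FROM_ADDRESS,                         // fixed server-side
      Destination: { ToAddresses: [caller.email] }, // pinned to the verified claim
      Message: {
        Subject: { Data: parsed.subject, Charset: "UTF-8" },
        Body: { Text: { Data: parsed.text, Charset: "UTF-8" } },
      },
    },
  };
}

function sesSend(params) {
  // Loaded lazily so the module can be exercised without the SDK installed.
  const { SESClient, SendEmailCommand } = require("@aws-sdk/client-ses");
  return new SESClient({}).send(new SendEmailCommand(params));
}

// Lambda entry point; sendEmail is injectable for offline testing.
async function handler(event, sendEmail = sesSend) {
  const decision = processRequest(event);
  if (!decision.ok) return decision.response;
  const result = await sendEmail(decision.params);
  return jsonResponse(200, { messageId: result && result.MessageId });
}

if (typeof module !== "undefined") {
  module.exports = { handler, processRequest, getCaller, parseBody };
}
```

Point `handler: handler.hello` at `handler.handler` (or rename the export) and the authorizer from the answer supplies the claims this code relies on. Without that authorizer, `getCaller` returns `null` for every request and the function refuses to send, which is the safe default.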