I am trying to find out whether or not the transmission between API Gateway and lambda is encrypted with something like TLS. I read through the AWS security whitepapers but I didn't see any indication that it is. If it isn't, how do you go about securely transmitting information between gateway and lambda.

Thanks in advance.

Zach Probst

2 Answers

I believe the answer is yes.

According to KaHou@AWS, API Gateway invokes Lambda functions using the Lambda Invoke API.

When you configure your Lambda to be able to access your VPC, the Lambda function is still able to be accessed from the public network via the Lambda Invoke API. That is not related to how API Gateway invokes Lambda. Currently, API Gateway is not able to access your private resources inside a VPC.

Lambda API is only supported on HTTPS according to AWS Regions and Endpoints documentation.

Since API Gateway uses Lambda API and Lambda API is only supported on HTTPS, it makes sense to assume communication between API Gateway and Lambda is encrypted.

kichik

The short answer is yes.

AWS API Gateway provides a number of methods to integrate with Lambda. If you use the Lambda Proxy integration (also known as AWS_PROXY), all requests are proxied "as is" to the endpoint (Lambda):

With the Lambda proxy integration, when a client submits an API request, API Gateway passes to the integrated Lambda function the raw request as-is. This request data includes the request headers, query string parameters, URL path variables, payload, and API configuration data.

This means that, if the client performed an HTTPS request, then the payload will be TLS encrypted through to Lambda. And by default, all APIs created by API Gateway are exposed as HTTPS endpoints only, according to the FAQs:

All of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate

If you want a further layer of security, you can investigate CloudFront field-level encryption. This allows you to encrypt sensitive data client-side while managing your own encryption keys. This will ensure that the sensitive data remains encrypted end to end. Implementation details can be found here.

moebius
  • Are you saying API Gateway decrypts the data so it can read the URL, decides which Lambda to call based on that, and then sends the original encrypted data to Lambda? I don't think that's the case. From your first link: "With the Lambda proxy integration, API Gateway maps the entire client request to the input event parameter of the backend Lambda function as follows:" -- it modifies the data and enriches it with metadata. – kichik Sep 14 '18 at 02:50
  • TLS does not encrypt HTTP headers which contain the host, so API gateway does not decrypt anything. It simply acts as an HTTPS proxy. – moebius Sep 14 '18 at 03:36
  • TLS encrypts everything (except SNI). It would be quite a huge security vulnerability if HTTP headers were not encrypted. Cookies that can contain authentication information are sent as HTTP headers, for example. – kichik Sep 14 '18 at 03:45
  • My mistake, yes you are correct. Regardless, it does not need to inspect the HTTP headers (and hence decrypt) to know which lambda to redirect the request to. The API gateway method is configured by the user to pass through any requests directly to a specific lambda backend, so any HTTP requests to the API method will always be forwarded to the lambda as is. – moebius Sep 14 '18 at 04:05
  • How would it know which Lambda to use? Everything is encrypted including the URL and Host header. And even if it wasn't, the extra metadata that API Gateway adds to the input event shows it doesn't send the encrypted data as-is. Another reason why API Gateway needs to be the one terminating the request is that it has to parse the return object from Lambda and convert it to an HTTP response to send to the user. It cannot send an HTTP response without performing TLS handshake first. – kichik Sep 14 '18 at 04:09
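The comment thread turns on what Lambda actually receives from a Lambda proxy (AWS_PROXY) integration. As an added example (not code from either answer or from AWS), here is a Python handler that unpacks a constructed sample proxy event: the function gets plaintext JSON plus gateway-added metadata (requestContext) and returns an object that API Gateway turns into the HTTP response, which matches API Gateway terminating the client's TLS session and then calling Lambda separately over the HTTPS-only Invoke API. The field names follow the proxy event shape; the sample values and the X-Forwarded-Proto check are assumptions for this example.

```python
import base64
import json

# Constructed sample of the event API Gateway hands to a Lambda proxy
# (AWS_PROXY) integration. Field names follow the proxy event shape;
# all values here are made up for this example.
SAMPLE_EVENT = {
    "httpMethod": "POST",
    "path": "/orders",
    "headers": {"Host": "abc123.execute-api.us-east-1.amazonaws.com",
                "Content-Type": "application/json",
                "X-Forwarded-Proto": "https"},   # assumed gateway-set header
    "queryStringParameters": {"dryRun": "true"},
    "pathParameters": None,
    "requestContext": {"requestId": "example-request-id",
                       "stage": "prod",
                       "identity": {"sourceIp": "203.0.113.10"}},
    "isBase64Encoded": True,
    "body": base64.b64encode(b'{"item":"widget","qty":2}').decode(),
}


def extract_request(event):
    """Unpack the request API Gateway reconstructed after terminating the
    client's TLS session. Lambda never sees TLS records: it receives
    plaintext JSON plus gateway-added metadata over the Invoke API."""
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):          # binary/opaque bodies arrive base64-encoded
        body = base64.b64decode(body).decode("utf-8")
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    return {
        "method": event["httpMethod"],
        "path": event["path"],
        "query": event.get("queryStringParameters") or {},
        "client_used_https": headers.get("x-forwarded-proto") == "https",
        "source_ip": event["requestContext"]["identity"]["sourceIp"],
        "request_id": event["requestContext"]["requestId"],
        "body": json.loads(body) if body else None,
    }


def lambda_handler(event, context):
    """Proxy-integration response object: API Gateway parses this and builds
    the HTTP response it sends to the client over its own TLS session."""
    req = extract_request(event)
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"requestId": req["request_id"], "qty": req["body"]["qty"]}),
    }
```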