I have a simple Lambda function which sends emails through SES. I can call it using a POST request with the required data and it will send an email. My question is, what are the methods I can use to secure this function? Currently, anyone can call that endpoint and execute the function with any data.
asked Jun 26, 2017 at 14:04 by THpubs; edited Jun 26, 2017 at 15:44 by Zanon

Comments:
- You cannot secure client-side code, unless one considers obfuscation a security measure. Any basic contact form is vulnerable to being spammed, I guess. – user5734311, Jun 26, 2017 at 14:06
- @ChrisG aws-lambda is a server-side technology – LifeQuery, Jun 26, 2017 at 14:45
1 Answer
You need to set an authorizer for your API Gateway. This tutorial is a great starting point.
In summary, you need to:
- Create a Cognito User Pool
- Create a Cognito Identity Pool that uses this User Pool
- Make the client log in and retrieve Cognito credentials
- Make the client send authorization headers for all requests
- Set an authorizer in your Lambda function
Your serverless.yml will look like this with the authorizer configuration:

```yaml
functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: post
          authorizer:
            arn: YOUR_USER_POOL_ARN
```
You don't need to be restricted to a Cognito authorizer. You can configure an authorizer for Google+, Facebook, etc.
This setting means that the Lambda function will be triggered only by authenticated users, and you can identify the User ID by inspecting the event object:

```js
event.requestContext.authorizer.claims.sub
```
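As an added example, not part of the original answer: a Node.js handler (the `handler.hello` referenced in the serverless.yml above) that reads the Cognito user ID from `event.requestContext.authorizer.claims.sub`, refuses to send when it is absent, validates the POST body, and tags each outgoing message with the caller. `sendEmail` is an assumed injected function standing in for the SES client call so the example runs offline.

```javascript
// Added example for the API Gateway + Cognito authorizer setup described above.
// The authorizer already rejects unauthenticated callers before this runs; the
// handler still checks the claim (defence in depth if the route is ever deployed
// without the authorizer) and validates the body before anything reaches SES.
const MAX_MESSAGE_CHARS = 2000;

// Returns the Cognito user ID, or null when API Gateway did not run the authorizer.
function callerId(event) {
  const claims = event && event.requestContext && event.requestContext.authorizer
    && event.requestContext.authorizer.claims;
  return (claims && typeof claims.sub === 'string') ? claims.sub : null;
}

// Parses and validates the POST body; null means "reject with 400".
function parseBody(rawBody) {
  let body;
  try { body = JSON.parse(rawBody || '{}'); } catch (e) { return null; }
  if (!body || typeof body !== 'object') return null;
  const { to, subject, message } = body;
  if (typeof to !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(to)) return null;
  // CR/LF in a header field would let a caller inject extra mail headers.
  if (typeof subject !== 'string' || subject.length === 0 || /[\r\n]/.test(subject)) return null;
  if (typeof message !== 'string' || message.length === 0
      || message.length > MAX_MESSAGE_CHARS) return null;
  return { to, subject, message };
}

// Synchronous decision: who is calling and whether the request is acceptable.
function decide(event) {
  const sub = callerId(event);
  if (!sub) return { statusCode: 401, error: 'not authenticated' };
  const mail = parseBody(event.body);
  if (!mail) return { statusCode: 400, error: 'invalid request' };
  return { statusCode: 200, sub, mail };
}

// Lambda entry point. sendEmail is assumed to be an injected async function
// wrapping the SES client (hypothetical; not an AWS SDK API).
async function hello(event, sendEmail) {
  const d = decide(event);
  if (d.statusCode !== 200) {
    return { statusCode: d.statusCode, body: JSON.stringify({ error: d.error }) };
  }
  // Stamp the Cognito user ID so every message is attributable to a caller.
  const message = `${d.mail.message}\n\n(sent on behalf of Cognito user ${d.sub})`;
  await sendEmail({ ...d.mail, message });
  return { statusCode: 200, body: JSON.stringify({ sent: true, user: d.sub }) };
}

if (typeof module !== 'undefined') module.exports = { hello, decide, callerId, parseBody };
```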