You are building a public REST API that invokes a Go‑based Lambda function via API Gateway (REST API).
The API must meet the following security requirements:
- Only authenticated clients with a JWT issued by a custom OAuth2 provider can call the endpoint.
- The Lambda function should have least‑privilege access: it must read from a specific DynamoDB table and write logs to CloudWatch, but nothing else.
- The API should enforce per‑method throttling (e.g., 100 RPS for GET, 20 RPS for POST) and protect against injection attacks.
Describe the complete configuration you would apply—including API Gateway authorizer, IAM roles/policies, and any additional AWS services—to satisfy these requirements. Highlight any trade‑offs or operational considerations.
1. JWT Authorizer (Custom Lambda Authorizer)
| Step | Action |
|---|---|
| 1 | Create a Lambda authorizer (Go or Python) that receives the Authorization header, validates the JWT signature against the OAuth2 provider's JWKS endpoint (selecting the key by the token's kid and pinning the expected alg rather than trusting the alg in the header), and checks iss, exp, aud and the required scopes. Cache the JWKS across invocations and refresh it only when an unknown kid appears. |
| 2 | Return an IAM policy from the authorizer that allows execute-api:Invoke on the specific method ARN (e.g., arn:aws:execute-api:region:account-id:api-id/stage/GET/resource), with the token's subject as principalId. On failure return a Deny policy (client gets 403) or raise "Unauthorized" (client gets 401). |
| 3 | Configure API Gateway: in the REST API, set Authorizer → Lambda → point to the authorizer function, with the Authorization header as the token source. Enable authorizer result caching (TTL ≈ 300 s) to reduce authorizer invocations for repeated tokens. |
Trade‑offs: a Lambda authorizer adds latency (an extra Lambda invocation plus, on a cold cache, a JWKS fetch). The result cache is keyed on the token, so the returned policy is reused for every method the same client calls during the TTL: a policy scoped to a single method ARN therefore yields 403 on the client's next call to a different method, so either return a policy covering every method that subject may call, or accept cache misses. Cached results also outlive token revocation for up to the TTL, so keep the TTL no longer than the token lifetime. If latency is critical, consider Cognito User Pools (if you can federate the OAuth2 provider as an OIDC identity provider) or the native JWT authorizer, which is faster but exists only on HTTP APIs, and HTTP APIs do not support usage plans or WAF association.
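The authorizer logic described above, as an added example that is not the post's own code: a Go implementation using only the standard library. It verifies the RS256 signature by kid lookup in a JWKS with the algorithm pinned, parses the claims only after the signature holds, checks exp, aud and a required scope, and builds the Allow/Deny document API Gateway expects. The type and function names, the audience orders-api, the scope orders:read and the method ARN in the test data are assumptions; an iss check is a one-line addition to Claims and is omitted. MakeTestJWKSAndToken generates a throwaway key pair so the flow runs offline, whereas a deployed authorizer fetches the JWKS from the provider over HTTPS, caches it across invocations, and exposes Authorize through a handler registered with aws-lambda-go's lambda.Start.

```go
package main

// Added example (not the original post's code): stdlib-only core of the Go Lambda
// authorizer. The JWKS is passed in; a real authorizer fetches it from the provider's
// JWKS URL, caches it across invocations, and exposes Authorize via lambda.Start.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

type JWK struct{ Kid, Kty, N, E string } // JSON keys kid/kty/n/e match case-insensitively

// Claims is the payload subset enforced here. Assumption: aud is a single string.
type Claims struct {
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Scope string `json:"scope"` // space-separated
	Exp   int64  `json:"exp"`
}

// AuthResponse is the document API Gateway expects back from a Lambda authorizer.
type Statement struct{ Action, Effect, Resource string }
type Policy struct {
	Version   string
	Statement []Statement
}
type AuthResponse struct {
	PrincipalID    string `json:"principalId"`
	PolicyDocument Policy `json:"policyDocument"`
}

var b64 = base64.RawURLEncoding

// ValidateToken verifies the RS256 signature (key chosen by kid, algorithm pinned),
// then exp, aud and the required scope. Claims are parsed only after the signature holds.
func ValidateToken(tok string, jwks []JWK, aud, scope string, now time.Time) (c Claims, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		if raw[i], err = b64.DecodeString(p); err != nil {
			return c, err
		}
	}
	var hdr struct{ Alg, Kid string }
	if err = json.Unmarshal(raw[0], &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm (alg=none, key confusion)
		return c, errors.New("alg not allowed: " + hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, errN := b64.DecodeString(k.N)
			e, errE := b64.DecodeString(k.E)
			if errN == nil && errE == nil && len(n) > 0 {
				pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
			}
		}
	}
	if pub == nil {
		return c, errors.New("unknown kid")
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], raw[2]) != nil {
		return c, errors.New("bad signature")
	}
	if err = json.Unmarshal(raw[1], &c); err != nil {
		return c, err
	}
	switch {
	case now.Unix() >= c.Exp:
		err = errors.New("token expired")
	case c.Aud != aud:
		err = errors.New("audience mismatch")
	case !strings.Contains(" "+c.Scope+" ", " "+scope+" "):
		err = errors.New("missing scope " + scope)
	}
	return c, err
}

// Authorize maps the Authorization header to Allow, or an explicit Deny, on the invoked method ARN.
func Authorize(authHeader, methodArn string, jwks []JWK, aud, scope string, now time.Time) AuthResponse {
	principal, effect := "anonymous", "Deny"
	if tok := strings.TrimPrefix(authHeader, "Bearer "); tok != authHeader {
		if c, err := ValidateToken(tok, jwks, aud, scope, now); err == nil {
			principal, effect = c.Sub, "Allow"
		}
	}
	stmt := Statement{Action: "execute-api:Invoke", Effect: effect, Resource: methodArn}
	return AuthResponse{PrincipalID: principal, PolicyDocument: Policy{Version: "2012-10-17", Statement: []Statement{stmt}}}
}

// MakeTestJWKSAndToken generates a throwaway key pair and returns its JWKS entry plus a
// token it signed, so the flow can be exercised offline (constructed test data only).
func MakeTestJWKSAndToken(claims Claims, kid string) ([]JWK, string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, "", err
	}
	jwk := JWK{Kid: kid, Kty: "RSA", N: b64.EncodeToString(key.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	p, _ := json.Marshal(claims)
	signing := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	sum := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return []JWK{jwk}, signing + "." + b64.EncodeToString(sig), err
}
```

Note what the code deliberately does not do: it does not let the token's alg header select the verification method, it does not look at any claim before the signature is verified, and it never issues a policy wider than the invoked method ARN. With authorizer caching enabled, that last choice interacts with the caveat above about cached policies and other methods.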
2. Least‑Privilege IAM Role for the Business Lambda
Execution Role (attached to the business Lambda; its trust policy should allow only lambda.amazonaws.com to assume it):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan"
],
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/AllowedTable"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/YourFunction:*"
}
]
}
Notes: if the function queries a global or local secondary index, add arn:aws:dynamodb:us-east-1:123456789012:table/AllowedTable/index/* as a second resource, because index ARNs are not covered by the table ARN. Drop dynamodb:Scan unless the code really scans the table. logs:CreateLogGroup is only needed when the log group is not pre‑created; creating it in IaC with a retention period lets you remove that action. Give the authorizer Lambda its own role scoped the same way (CloudWatch Logs only; it needs no DynamoDB access), and keep both roles free of wildcard actions and resources.
3. API Gateway Method‑Level Throttling
- Per‑method limits belong on the stage: in the stage settings (CloudFormation MethodSettings with ThrottlingRateLimit and ThrottlingBurstLimit) set a default for every method and overrides for GET (100 RPS) and POST (20 RPS) on the resource. No usage plan or API key is needed for this. Stage limits apply to the stage as a whole, not per client, and cannot exceed the account‑level limit for the Region.
- A usage plan throttles per API key, so it only takes effect for requests that carry x‑api‑key; on a public JWT‑authenticated API a single "dummy" key shared by every client adds nothing beyond the stage settings. Use a usage plan (with API key required on the method) when you need per‑tenant rates or quotas, and set its method‑level throttling there.
- Throttled requests receive HTTP 429; clients should back off with jitter rather than retry immediately.
4. Protection Against Injection Attacks
| Technique | Implementation |
|---|---|
| Input validation | Validate request payloads in the Lambda using a JSON schema (e.g., gojsonschema), and build DynamoDB requests through the SDK's expression attribute values, never by concatenating user input into KeyConditionExpression or FilterExpression strings. |
| AWS WAF | Attach a REGIONAL WebACL to the API Gateway REST API stage. Enable managed rule groups such as AWSManagedRulesSQLiRuleSet and AWSManagedRulesCommonRuleSet, and review the sampled requests before switching any rule from count to block. |
| Content‑type enforcement | Require application/json via API Gateway request validator. |
| Request validation | Define a model in API Gateway and enable Request Validator for required parameters. |
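The stage throttling from section 3 and the request validation plus WAF attachment from section 4, as an added CloudFormation example that is not the post's own template. The logical IDs OrdersApi (AWS::ApiGateway::RestApi), OrdersDeployment, OrdersResource (the /orders resource), JwtAuthorizer (the section 1 authorizer, TYPE TOKEN) and OrdersFunction (the business Lambda) are assumed to exist elsewhere in the template, as are the AWS::Lambda::Permission resources that let API Gateway invoke both functions; the /orders path, the order schema and the rate limits are illustrative.

```yaml
# Added example, not the original post's configuration. Assumed logical IDs:
# OrdersApi, OrdersDeployment, OrdersResource (/orders), JwtAuthorizer, OrdersFunction.
Resources:
  # Section 3: per-method throttling on the stage itself, no usage plan or API key.
  # ResourcePath encodes "/" inside a path as "~1", so /orders is written /~1orders.
  ProdStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref OrdersApi
      DeploymentId: !Ref OrdersDeployment
      StageName: prod
      MethodSettings:
        - ResourcePath: /*          # default for every method on the stage
          HttpMethod: '*'
          ThrottlingRateLimit: 50
          ThrottlingBurstLimit: 100
        - ResourcePath: /~1orders   # GET /orders: 100 RPS
          HttpMethod: GET
          ThrottlingRateLimit: 100
          ThrottlingBurstLimit: 200
        - ResourcePath: /~1orders   # POST /orders: 20 RPS
          HttpMethod: POST
          ThrottlingRateLimit: 20
          ThrottlingBurstLimit: 40

  # Section 4: the POST /orders body must match this schema or API Gateway
  # answers 400 without invoking the business Lambda.
  OrderModel:
    Type: AWS::ApiGateway::Model
    Properties:
      RestApiId: !Ref OrdersApi
      Name: OrderInput
      ContentType: application/json
      Schema:
        $schema: http://json-schema.org/draft-04/schema#
        type: object
        additionalProperties: false
        required: [sku, quantity]
        properties:
          sku: { type: string, pattern: '^[A-Z0-9-]{3,32}$' }
          quantity: { type: integer, minimum: 1, maximum: 1000 }
  BodyValidator:
    Type: AWS::ApiGateway::RequestValidator
    Properties:
      RestApiId: !Ref OrdersApi
      ValidateRequestBody: true
      ValidateRequestParameters: true
  PostOrders:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref OrdersApi
      ResourceId: !Ref OrdersResource
      HttpMethod: POST
      AuthorizationType: CUSTOM        # the Lambda authorizer from section 1
      AuthorizerId: !Ref JwtAuthorizer
      RequestValidatorId: !Ref BodyValidator
      RequestModels:
        application/json: !Ref OrderModel
      Integration:
        Type: AWS_PROXY
        IntegrationHttpMethod: POST    # Lambda invocations are always POST
        Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${OrdersFunction.Arn}/invocations

  # Section 4: regional web ACL with the managed common and SQLi rule groups, attached to the stage.
  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: orders-api-acl
      Scope: REGIONAL
      DefaultAction: { Allow: {} }
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ordersApiAcl }
      Rules:
        - Name: common
          Priority: 0
          OverrideAction: { None: {} }
          Statement:
            ManagedRuleGroupStatement: { VendorName: AWS, Name: AWSManagedRulesCommonRuleSet }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: common }
        - Name: sqli
          Priority: 1
          OverrideAction: { None: {} }
          Statement:
            ManagedRuleGroupStatement: { VendorName: AWS, Name: AWSManagedRulesSQLiRuleSet }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: sqli }
  ApiWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${OrdersApi}/stages/${ProdStage}
      WebACLArn: !GetAtt ApiWebAcl.Arn
```

Two points worth checking after deployment: the WAF association targets a stage ARN, so a new stage needs its own association, and the throttling overrides are keyed on the encoded resource path, so renaming the resource silently drops back to the stage default until the MethodSettings entry is updated.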
5. End‑to‑End Flow Summary
- Client sends Authorization: Bearer <JWT> (and x‑api‑key only if a usage plan is in use).
- AWS WAF evaluates the web ACL first; a blocked request gets 403 before any authorizer or throttle is consulted.
- API Gateway invokes the Lambda authorizer (or reuses its cached result) → validates JWT → returns IAM policy; a Deny yields 403, a raised Unauthorized yields 401.
- API Gateway applies stage/method throttling (429 when exceeded) and request validation (400 on a schema mismatch).
- If allowed, the request is forwarded to the business Lambda.
- Business Lambda runs with its least‑privilege role, accesses the specific DynamoDB table, writes logs, and returns a response.