Lambda authorizers

Using a Lambda authorizer is another option to secure access to your APIs. You can use this mechanism if you want to implement something custom that is not covered by API Gateway or Cognito features. You might have extra validation to perform, extra context to inject into the request, or a need to further verify the origin of a request. By using a Lambda authorizer, you can also separate your authorization logic from the business logic inside a Lambda function, and then reuse that authorization logic for other APIs. This keeps your code base clean and lets you separate responsibilities if the authorization logic is maintained by another team, for example, a SecOps team.

Lambda authorizers are invoked before the integrated backend Lambda function, so the checks run before your code does. They are invoked natively by API Gateway and return a policy document describing the permissions the client has or doesn't have; you assemble and return this document yourself. It is the same policy document format that IAM uses, with Allow and Deny statements. Additionally, you can include some extra context to pass to your backend integration. Note that the context values are all strings, not JSON objects.

Let's take a look:

{
    "principalId": "${user-identity}",
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "execute-api:Invoke",
                "Resource": "arn:aws:execute-api:${region}:${account-id}:${api-id}/${stage}/${METHOD_HTTP_VERB}/${resource-path}"
            }
        ]
    },
    "context": {
        "string": "value",
        "number": "1",
        "boolean": "true"
    }
}

When API Gateway receives the policy document, it caches it for up to an hour, so the authorizer doesn't have to be invoked every time a new request arrives from the same client, which improves request latency. Let's have a look at that authorization flow:

[Figure: The authorization flow for a custom Lambda authorizer]
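As an added example (not code from the book), here is a TOKEN-type Lambda authorizer in Python that assembles the policy document shown above from the methodArn API Gateway passes in, stringifies the context values, and accounts for the per-token caching described above. The token table, the Bearer prefix handling and the field names of the identity are assumptions standing in for a real token check.

```python
import re
from typing import Any, Dict

# Constructed token-to-identity table (assumption) standing in for the real check,
# e.g. verifying a JWT signature or looking the token up in your identity store.
KNOWN_TOKENS = {
    "tok-alice": {"user": "alice", "tenant": "acme", "admin": False},
}

# Splits the methodArn API Gateway puts in the event: <prefix>/<stage>/<verb>/<path>.
METHOD_ARN = re.compile(
    r"^(?P<prefix>arn:aws:execute-api:[^:]+:\d+:[^/]+)/(?P<stage>[^/]+)/(?P<verb>[^/]+)(?P<path>/.*)?$"
)

def to_context(values: Dict[str, Any]) -> Dict[str, str]:
    """Context values must be flat strings; API Gateway rejects nested objects or arrays."""
    out: Dict[str, str] = {}
    for key, value in values.items():
        if isinstance(value, (dict, list)):
            raise ValueError(f"context value for {key!r} must not be a JSON object or array")
        # Mirror the page's example: booleans become "true"/"false", numbers their digits.
        out[key] = str(value).lower() if isinstance(value, bool) else str(value)
    return out

def build_policy(principal_id: str, effect: str, method_arn: str, context: Dict[str, Any]) -> Dict[str, Any]:
    m = METHOD_ARN.match(method_arn)
    if not m:
        raise ValueError(f"unexpected methodArn: {method_arn}")
    # API Gateway caches this result per token, so a policy scoped to this exact method would make
    # later calls to other methods with the same token fail; allow the whole stage instead.
    resource = f"{m['prefix']}/{m['stage']}/*/*"
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}],
        },
        "context": to_context(context),
    }

def handler(event: Dict[str, Any], _lambda_context: Any = None) -> Dict[str, Any]:
    """TOKEN-type authorizer entry point: the event carries authorizationToken and methodArn."""
    raw = event.get("authorizationToken") or ""
    token = (raw[len("Bearer "):] if raw.startswith("Bearer ") else raw).strip()
    if not token:
        raise Exception("Unauthorized")  # this exact message makes API Gateway return HTTP 401
    identity = KNOWN_TOKENS.get(token)
    if identity is None:
        return build_policy("anonymous", "Deny", event["methodArn"], {})
    return build_policy(identity["user"], "Allow", event["methodArn"], identity)
```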

Great, so we have learned about an additional option for when we need a more flexible authorization implementation. Now, let's have a look at how we secure the endpoint itself at the transport layer. For that, we need to use certificates to secure the endpoint, and there's more about that in the next section.
