Secure AWS API Gateway with Lambda Integration


Problem description

I am creating a publicly available API using API Gateway which is backed with Lambda functions to do some processing. I have secured it with a custom security header that implements HMAC authentication with a timestamp to protect against replay attacks. I understand that API Gateway protects against DDoS attacks through its high availability, but any invalid requests will still be passed to the Lambda authentication function. So, I guess an attacker can submit invalid unauthenticated requests resulting in high costs. It will take a considerable number of requests to cause damage, but it is still very doable. What is the best way to protect against that? Thank you

Recommended answer

API Gateway will not charge you for unauthenticated requests; however, you would be charged by Lambda for the invocation of the authorizer.

API Gateway offers a semi-useful mitigation to this problem in the form of the 'identity validation expression' on the Authorizer, which is just a regex that is matched against the incoming identity source header.

Besides that, you might want to just implement some kind of negative cache or validation yourself in the Authorizer function to minimize the billed milliseconds.
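As an added example (not the answerer's code), the following Python Lambda authorizer orders its checks so that invalid requests exit as early and cheaply as possible: a negative cache, a regex shape check mirroring the identity validation expression, a timestamp freshness window, and only then the HMAC comparison. The `X-Auth` header layout, the signed-message format and the demo secret are assumptions constructed for illustration.

```python
import hashlib, hmac, re, time

SECRET = b"demo-shared-secret"  # constructed demo key; load from a secrets store in practice
HEADER_RE = re.compile(r"^HMAC ts=(\d{10}),sig=([0-9a-f]{64})$")
MAX_SKEW = 300         # seconds a request timestamp may differ from server time
NEG_TTL = 60           # seconds a rejected (header, method, path) stays cached
NEG_CACHE_MAX = 10000  # bound memory in a long-lived Lambda container
NEG_CACHE = {}         # (header, method, path) -> expiry time of the cached rejection

def sign(ts, method, path, secret=SECRET):
    # Client-side signature over timestamp, method and path (assumed scheme).
    msg = f"{ts}\n{method}\n{path}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def _reject(key, now, reason):
    if len(NEG_CACHE) >= NEG_CACHE_MAX:
        NEG_CACHE.clear()
    NEG_CACHE[key] = now + NEG_TTL
    return False, reason

def authorize(header, method, path, now=None):
    """Return (allowed, reason); cheapest checks run first to cut billed time on bad requests."""
    now = time.time() if now is None else now
    key = (header, method, path)
    # 1. Negative cache: a combination rejected moments ago is refused with no parsing or crypto.
    exp = NEG_CACHE.get(key)
    if exp is not None and exp > now:
        return False, "cached-reject"
    # 2. Shape check, the in-function equivalent of the identity validation expression.
    m = HEADER_RE.match(header or "")
    if not m:
        return _reject(key, now, "malformed")
    ts, sig = int(m.group(1)), m.group(2)
    # 3. Freshness window: stale or future timestamps are refused before any HMAC work.
    if abs(now - ts) > MAX_SKEW:
        return _reject(key, now, "stale")
    # 4. Constant-time comparison against the expected signature.
    if not hmac.compare_digest(sign(ts, method, path), sig):
        return _reject(key, now, "bad-signature")
    return True, "ok"

def lambda_handler(event, context, now=None):
    # REQUEST-type authorizer entry point; the 'X-Auth' header name and the injectable 'now' are assumptions.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    allowed, _ = authorize(headers.get("x-auth"), event.get("httpMethod", ""), event.get("path", ""), now)
    return {"principalId": "hmac-client", "policyDocument": {"Version": "2012-10-17", "Statement": [
        {"Action": "execute-api:Invoke", "Effect": "Allow" if allowed else "Deny",
         "Resource": event.get("methodArn", "*")}]}}
```

The negative cache lives in the execution environment, so it only helps while API Gateway keeps routing repeated bad requests to a warm container; the regex and freshness checks cost nothing to keep and apply on every invocation.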

