Securing Lambda function URLs using Amazon Cognito, Amazon CloudFront and AWS WAF


A Lambda function URL is a dedicated HTTPS endpoint for an AWS Lambda function. You can configure a function URL with one of two authentication types: IAM and NONE. IAM authentication restricts access to the function URL (and, in turn, the ability to invoke the Lambda function) to specific AWS principals, such as roles or users. An authentication type of NONE means the function URL has no authentication and anyone can invoke the function. By Marcia Villalba.

Lambda function URLs provide a simpler way to invoke your function over HTTP. They are not, however, a replacement for Amazon API Gateway, which provides advanced features such as request validation and rate throttling. The proposed solution consists of:

  • A Lambda function with function URLs enabled
  • Amazon Cognito User Pool
  • CloudFront distribution using AWS WAF
  • Public website that invokes the Lambda function

In this post, you create a Lambda function with a function URL enabled and NONE as the authentication type. You then implement a custom authentication mechanism as part of the Lambda function code. You also increase the security of the function URL by setting it as the origin of a CloudFront distribution and using AWS WAF geo and IP limiting rules for protection against common web threats, such as DDoS. A GitHub repository with the JavaScript CDK code is also included. Nice one!


Tags: infosec, microservices, devops, serverless