(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Stefano Buliani, Product Manager

October 2015

Building Secure and Scalable APIs

Using Amazon API Gateway and AWS Lambda

What to Expect from the Session

1. A new, fully-managed development model

2. Declare an API with Amazon API Gateway

3. Application logic in AWS Lambda

4. Register and login API with Amazon Cognito

5. Authorization with AWS IAM

6. Generate and connect the Client SDK

Managed

A new, fully managed model

InternetMobile appsAWS Lambda

functions

AWS

API Gateway

cache

Endpoints on

Amazon EC2

Any other publicly

accessible endpoint

Amazon

CloudWatch

Amazon

CloudFrontAPI

Gateway

API GatewayOther AWS

services

AWS Lambda

functions

Key takeaways

AWS Lambda + Amazon API Gateway means no

infrastructure to manage – we scale for you

Security is important, and complex – make the most of

AWS Identity and Access Management

Swagger import and client SDK – we can automate

most workflows

The services we are going to use

Amazon API Gateway AWS Lambda Amazon Cognito Amazon DynamoDB

Host the API and

route API callsExecute our app’s

business logicGenerate temporary

AWS credentialsData store

The pet store architecture

Unauthenticated

API call flows

Mobile apps AWS Lambda lambdaHandler

Register

LoginAPI Gateway

Authenticated

Mobile apps AWS Lambda lambdaHandler

ListPets

GetPet

API Gateway

Assume Role

CreatePet

Sigv4 Invoke with

caller credentials

Authorized by IAM

What’s new?

The application can use lots of servers, and I don’t

need to manage a single one.

Authorization of API calls is delegated to AWS. We just

need to focus on our IAM roles.

Deployment of the API is automated using Swagger.

API definition and Swagger

Amazon API Gateway overview

Manage deployments to

multiple versions and

environments

Define and host APIs

Leverage Identity and

Access Management to

authorize access to your

cloud resources

Leverage AWS Auth

DDoS protection and

request throttling to

safeguard your back end

Manage network traffic

Method and integration

Resources and methods

• POST – Registers a new user in our DynamoDB table/users

• POST – Receives a user name and password and authenticates a user

/login

• POST – Creates a new pet in the database

• GET – Retrieves a list of pets from the database

/pets

• GET – Retrieves a pet by its ID/pets/{petId}

Unauthenticated

Authenticated

Method Response

Integration Request

Method Request

Method

Automating the workflow with Swagger

/users:post:summary: Registers a new userconsumes:- application/json

produces:- application/json

parameters:- name: NewUser

in: bodyschema:$ref: '#/definitions/User’

x-amazon-apigateway-integration:type: awsuri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31...

credentials: arn:aws:iam::964405213927:role/pet_store_lambda_invoke...

responses:200:

schema:$ref: '#/definitions/RegisterUserResponse'

Benefits of using Swagger

• API definitions live in our source repository with the

rest of the app.

• They can be used with other utilities in the Swagger

toolset (for example, documentation generation).

• API can be imported and deployed in our build

script.

Request routing and exceptions

High performance at any scale;

Cost-effective and efficient

No Infrastructure to manage

Pay only for what you use: Lambda

automatically matches capacity to

your request rate. Purchase

compute in 100ms increments.

Bring Your Own Code

Lambda functions: Stateless, trigger-based code execution

Run code in a choice of standard

languages. Use threads, processes,

files, and shell scripts normally.

Focus on business logic, not

infrastructure. You upload code; AWS

Lambda handles everything else.

AWS Lambda Overview

The Lambda handler

lambdaHandler

in our Java

source

Register action

Login action

Create Pet action

Get Pet action

Credentials

generation

Pet store

database

Amazon API

Gateway

Integration request

Exception to HTTP status

Register action

Login action

Create Pet action

Get Pet action

BadRequestException

BAD_REQUEST +

Stack Trace

InternalErrorException

INTERNAL_ERROR +

Stack TracelambdaHandler

in our Java

source

Amazon API

Gateway

responses:

"default":

statusCode: "200"

"BAD.*":

statusCode: "400"

"INT.*":

statusCode: "500"

Mapping templates are a powerful tool

Learn more about mapping templates in our docs

http://amzn.to/1L1hSF5

Retrieving AWS credentials

Amazon Cognito overview

Manage authenticated and

guest users across identity

providers

Identity management

Synchronize users’ data

across devices and

platforms via the cloud

Data synchronization

Securely access AWS

services from mobile

devices and platforms

Secure AWS access

The API definition

• POST

• Receives a user name and password

• Encrypts the password and creates the user account in DynamoDB

• Calls Amazon Cognito to generate credentials

• Returns the user + its credentials

/users

• POST

• Receives a user name and password

• Authenticates the user against the DynamoDB database

• Calls Amazon Cognito to generate credentials

• Returns a set of temporary credentials

/login

Retrieving temporary AWS credentials

Call Login API,

no auth required

Client API Gateway Backend

/loginLogin

action

User

accounts

database

Credentials

verified

Get OpenID token

for developer

identity

Receives

credentials to

sign API calls

Identity ID +

token

Get credentials for

identity

Access key +

secret key +

session token

/login

1.

2.

3.

Authorizing API calls

The Pets resources require authorization

• POST

• Receives a Pet model

• Saves it in DynamoDB

• Returns the new Pet ID

• GET

• Returns the list of Pets stored in DynamoDB

/pets

• GET

• Receives a Pet ID from the path

• Uses mapping templates to pass the path parameter to the Lambda function

• Loads the Pet from DynamoDB

• Returns a Pet model

/pets/{petId}

Using the caller credentials

credentials:

arn:aws:iam::*:user/*

Using the console Using Swagger

The IAM role defines access permissions

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"dynamodb:GetItem",

"dynamodb:PutItem",

"dynamodb:Scan",

"lambda:InvokeFunction",

"execute-api:invoke"

],

"Resource": [

"arn:aws:dynamodb:us-east-1:xxxxxx:table/test_pets",

"arn:aws:lambda:us-east-1:xxxxx:function:PetStore”,

"arn:aws:execute-api:us-east-1:xxxx:API_ID/*/POST/pets"

]

}

]

}

The role allows calls to:

• DynamoDB

• API Gateway

• Lambda

The role can access specific

resources in these services

One step further: Fine-grained access permissions

InternetClient

API

Gateway

AWS Lambda

functions

Amazon

CloudFrontDynamoDB

CognitoId2

…

"Condition": {

"ForAllValues:StringEquals": {

"dynamodb:LeadingKeys": [”${cognito-

identity.amazonaws.com:sub}"],

"dynamodb:Attributes": [

"UserId","GameTitle","Wins","Losses",

"TopScore","TopScoreDateTime”

]

},

"StringEqualsIfExists": {

"dynamodb:Select": "SPECIFIC_ATTRIBUTES”

}

}

…

Executes with

this role

UserID Wins Losses

cognitoId1 3 2

cognitoId2 5 8

cognitoId3 2 3

The credentials and context (Cognito ID) are passed along

Both AWS Lambda & DynamoDB will follow the access policy

Authenticated flow in depth

Mobile apps AWS Lambda lambdaHandlerAPI Gateway

Sigv4Invoke with

caller credentials

Service calls are

authorized using

the IAM role

Learn more about fine-grained access permissions

http://amzn.to/1YkxcjR

DynamoDB

Benefits of using AWS auth & IAM

• Separation of concerns – our authorization strategy is

delegated to a dedicated service

• We have centralized access management to a single

set of policies

• Roles and credentials can be disabled with a single

API call

AWS credentials on the client

1-click SDK generation from the console

The client SDK declares all methods

The AWSCredentialsProvider

We implement the AWSCredentialsProvider interface

The refresh() method is called whenever the SDK needs new credentials

Generated SDK benefits

The generated client SDK knows how to:

• Sign API calls using AWS signature version 4

• Handle-throttled responses with exponential back-off

• Marshal and unmarshal requests and responses to

model objects

What have we learned?

AWS Lambda + Amazon API Gateway mean no

infrastructure to manage – we scale for you

Download the example from the AWSLabs GitHub account

https://github.com/awslabs/api-gateway-secure-pet-store

Security is important, and complex – make the most of AWS

Identity and Access Management

Swagger import and client SDK – we can automate most

workflows

Questions?

Remember to complete

your evaluations!

Thank you!

Download the example from the AWSLabs GitHub Account

https://github.com/awslabs/api-gateway-secure-pet-store

Related Sessions

CMP302 – Amazon EC2 Container Service: Distributed

Applications at ScaleDeepak Singh – 10/8, 2:45 PM – 3:45 PM – Venetian H

CMP301 – AWS Lambda and the Serverless CloudTim Wagner – 10/8, 4:15 PM – 5:15 PM – Venetian H

ARC309 – From Monolithic to Microservices: Evolving

Architecture Patterns in the CloudDerek Chiles – 10/8, 4:15 PM – 5:15 PM – Palazzo N