(dev203) amazon api gateway & aws lambda to build secure apis


Page 1: (DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs

Building Secure and Scalable APIs Using Amazon API Gateway and AWS Lambda

Stefano Buliani, Product Manager

October 2015

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Page 2

What to Expect from the Session

1. A new, fully-managed development model
2. Declare an API with Amazon API Gateway
3. Application logic in AWS Lambda
4. Register and login API with Amazon Cognito
5. Authorization with AWS IAM
6. Generate and connect the Client SDK

Page 3

A new, fully managed model

[Architecture diagram: the Internet and mobile apps reach Amazon CloudFront and Amazon API Gateway (with its cache and Amazon CloudWatch monitoring); API Gateway routes calls to AWS Lambda functions, endpoints on Amazon EC2, any other publicly accessible endpoint, and other AWS services.]

Page 4

Key takeaways

AWS Lambda + Amazon API Gateway means no infrastructure to manage – we scale for you

Security is important, and complex – make the most of AWS Identity and Access Management

Swagger import and client SDK – we can automate most workflows

Page 5

The services we are going to use

Amazon API Gateway: host the API and route API calls
AWS Lambda: execute our app’s business logic
Amazon Cognito: generate temporary AWS credentials
Amazon DynamoDB: data store

Page 6

The pet store architecture

[Architecture diagram]

Page 7

API call flows

Unauthenticated: mobile apps → API Gateway → AWS Lambda (lambdaHandler). Actions: Register, Login.

Authenticated: mobile apps → API Gateway (Sigv4-signed request, authorized by IAM) → AWS Lambda (lambdaHandler), invoked with the caller’s credentials (Assume Role). Actions: ListPets, GetPet, CreatePet.

Page 8

What’s new?

The application can use lots of servers, and I don’t need to manage a single one.

Authorization of API calls is delegated to AWS. We just need to focus on our IAM roles.

Deployment of the API is automated using Swagger.

Page 9

API definition and Swagger

Page 10

Amazon API Gateway overview

Define and host APIs: manage deployments to multiple versions and environments

Leverage AWS Auth: leverage Identity and Access Management to authorize access to your cloud resources

Manage network traffic: DDoS protection and request throttling to safeguard your back end

Page 11

Method and integration

Page 12

Resources and methods

Unauthenticated

/users
• POST – Registers a new user in our DynamoDB table

/login
• POST – Receives a user name and password and authenticates a user

Authenticated

/pets
• POST – Creates a new pet in the database
• GET – Retrieves a list of pets from the database

/pets/{petId}
• GET – Retrieves a pet by its ID

Page 13

[Diagram of a method: Method Request, Integration Request, Method Response]

Automating the workflow with Swagger

/users:
  post:
    summary: Registers a new user
    consumes:
      - application/json
    produces:
      - application/json
    parameters:
      - name: NewUser
        in: body
        schema:
          $ref: '#/definitions/User'
    x-amazon-apigateway-integration:
      type: aws
      uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31...
      credentials: arn:aws:iam::964405213927:role/pet_store_lambda_invoke...
    responses:
      200:
        schema:
          $ref: '#/definitions/RegisterUserResponse'

Page 14

Benefits of using Swagger

• API definitions live in our source repository with the rest of the app.
• They can be used with other utilities in the Swagger toolset (for example, documentation generation).
• API can be imported and deployed in our build script.

Page 15

Request routing and exceptions

Page 16

AWS Lambda Overview

Lambda functions: Stateless, trigger-based code execution

No Infrastructure to manage: Focus on business logic, not infrastructure. You upload code; AWS Lambda handles everything else.

High performance at any scale; Cost-effective and efficient: Pay only for what you use. Lambda automatically matches capacity to your request rate. Purchase compute in 100ms increments.

Bring Your Own Code: Run code in a choice of standard languages. Use threads, processes, files, and shell scripts normally.

Page 17

The Lambda handler

[Diagram: the Amazon API Gateway integration request invokes lambdaHandler in our Java source, which dispatches to the Register, Login, Create Pet and Get Pet actions; the actions use the credentials generation component and the pet store database.]

Page 18

Exception to HTTP status

[Diagram: the Amazon API Gateway integration request invokes lambdaHandler in our Java source, which dispatches to the Register, Login, Create Pet and Get Pet actions. An action throws BadRequestException (reported as BAD_REQUEST + stack trace) or InternalErrorException (reported as INTERNAL_ERROR + stack trace), and API Gateway maps the error message to an HTTP status code.]

responses:
  "default":
    statusCode: "200"
  "BAD.*":
    statusCode: "400"
  "INT.*":
    statusCode: "500"
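The mapping above works only if the error message the function produces actually starts with the prefix the selection pattern keys on. The following is an added example, not code from the deck or from the awslabs pet store project: a Python stand-in for the Java lambdaHandler that re-raises its two known exception types with the BAD_REQUEST / INTERNAL_ERROR prefix and appended stack trace, plus a simplified version of API Gateway's selection-pattern matching over the deck's three patterns. The `CreatePet` and `GetPet` actions, the in-memory `PETS` table and the `re.DOTALL` matching are assumptions made for the example; the real service matches the pattern against the Lambda error message, so the rule to take away is the same: an exception that escapes without a recognised prefix falls through to "default" and is returned with status 200.

```python
import re
import traceback
from typing import Any, Dict, Optional, Tuple

# Selection patterns from the deck's responses block: API Gateway tests each
# non-default regex against the Lambda error message and uses "default" when
# none matches (or when the invocation succeeded).
RESPONSES = {
    "default": {"statusCode": "200"},
    "BAD.*": {"statusCode": "400"},
    "INT.*": {"statusCode": "500"},
}


class BadRequestException(Exception):
    """Client error: the request body failed validation."""


class InternalErrorException(Exception):
    """Server-side failure while processing the action."""


# Constructed in-memory stand-in for the DynamoDB pets table.
PETS: Dict[str, Dict[str, Any]] = {}


def create_pet(body: Dict[str, Any]) -> Dict[str, Any]:
    """Create Pet action: validate the Pet model, store it, return its ID."""
    for field in ("name", "type"):
        if not isinstance(body.get(field), str) or not body[field]:
            raise BadRequestException(f"Pet model is missing '{field}'")
    pet_id = f"pet-{len(PETS) + 1}"
    PETS[pet_id] = dict(body)
    return {"petId": pet_id}


def lambda_handler(event: Dict[str, Any]) -> Dict[str, Any]:
    """Dispatch on event['action'] the way the deck's lambdaHandler does.

    The two known exception types are re-raised with a BAD_REQUEST or
    INTERNAL_ERROR prefix plus the stack trace, mirroring the deck, so the
    error message matches the "BAD.*" / "INT.*" selection patterns.
    Anything else (here a KeyError for an unknown pet) escapes unprefixed.
    """
    try:
        action = event.get("action")
        if action == "CreatePet":
            return create_pet(event.get("body") or {})
        if action == "GetPet":
            return PETS[event["petId"]]
        raise InternalErrorException(f"unknown action {action!r}")
    except BadRequestException as exc:
        raise BadRequestException(f"BAD_REQUEST: {exc}\n{traceback.format_exc()}") from exc
    except InternalErrorException as exc:
        raise InternalErrorException(f"INTERNAL_ERROR: {exc}\n{traceback.format_exc()}") from exc


def select_status(error_message: Optional[str], responses=RESPONSES) -> int:
    """Simplified selection-pattern matching: the whole error message must
    match the regex (so "BAD.*" needs the message to start with BAD).
    re.DOTALL lets ".*" run across the appended stack trace lines."""
    if error_message is not None:
        for pattern, response in responses.items():
            if pattern != "default" and re.fullmatch(pattern, error_message, re.DOTALL):
                return int(response["statusCode"])
    return int(responses["default"]["statusCode"])


def handle(event: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Simulate the integration: invoke the handler, map the outcome to a status."""
    try:
        payload = lambda_handler(event)
    except Exception as exc:  # Lambda reports str(exc) as the error message
        return select_status(str(exc)), {"errorMessage": str(exc)}
    return select_status(None), payload
```

Running `handle({"action": "GetPet", "petId": "missing"})` returns status 200 with an `errorMessage` body: the KeyError carries no prefix, so nothing but "default" matches. Catching every exception type in the handler and prefixing it is what closes that gap; stripping the stack trace before it reaches the client is a job for the mapping template on page 19.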

Page 19

Mapping templates are a powerful tool

Learn more about mapping templates in our docs: http://amzn.to/1L1hSF5

Page 20

Retrieving AWS credentials

Page 21

Amazon Cognito overview

Identity management: manage authenticated and guest users across identity providers

Data synchronization: synchronize users’ data across devices and platforms via the cloud

Secure AWS access: securely access AWS services from mobile devices and platforms

Page 22

The API definition

/users
• POST
  • Receives a user name and password
  • Encrypts the password and creates the user account in DynamoDB
  • Calls Amazon Cognito to generate credentials
  • Returns the user + its credentials

/login
• POST
  • Receives a user name and password
  • Authenticates the user against the DynamoDB database
  • Calls Amazon Cognito to generate credentials
  • Returns a set of temporary credentials

Page 23

Retrieving temporary AWS credentials

[Sequence diagram: Client → API Gateway → Backend (Login action, user accounts database)]

1. The client calls the Login API (/login); no auth required. The Login action verifies the credentials against the user accounts database.
2. The backend gets an OpenID token for the developer identity from Amazon Cognito and receives an identity ID + token.
3. The backend gets credentials for that identity (access key + secret key + session token) and returns them to the client, which uses them to sign API calls.
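An added example of the Register and Login actions behind this flow (not code from the deck or the awslabs project): the password is stored as a salted PBKDF2 hash, the login check compares in constant time and takes the same code path for unknown users, and a successful login is exchanged for short-lived credentials. The two Cognito calls from the diagram are replaced by hypothetical stand-ins (`get_open_id_token_for_developer_identity`, `get_credentials_for_identity`) that mint random values so the flow runs offline; the `USERS` table, the iteration count and the one-hour TTL are assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Tuple


class BadRequestException(Exception):
    """Invalid registration or login attempt (maps to HTTP 400 via BAD_REQUEST)."""


# Constructed stand-in for the DynamoDB users table: username -> record.
USERS: Dict[str, Dict[str, bytes]] = {}
PBKDF2_ITERATIONS = 200_000  # assumption for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> Dict[str, str]:
    """Register action: store a per-user salt and password hash, never the password."""
    if not username or len(password) < 8:
        raise BadRequestException("username required and password must be at least 8 characters")
    if username in USERS:
        raise BadRequestException("user already exists")
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}
    return {"username": username}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash. An unknown user is
    hashed against a dummy salt so timing does not reveal which names exist."""
    record = USERS.get(username)
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else b"\x00" * 32
    return hmac.compare_digest(_hash_password(password, salt), expected) and record is not None


# --- Hypothetical stand-ins for the two Amazon Cognito calls in the diagram ---

def get_open_id_token_for_developer_identity(username: str) -> Tuple[str, str]:
    """Stand-in for Cognito's developer-identity token exchange: (identity_id, token)."""
    identity_id = f"us-east-1:{secrets.token_hex(8)}"
    return identity_id, secrets.token_urlsafe(24)


def get_credentials_for_identity(identity_id: str, token: str, ttl_seconds: int = 3600) -> Dict[str, object]:
    """Stand-in for Cognito's credential issuance: a short-lived access key,
    secret key and session token bound to the identity, with an expiry."""
    return {
        "accessKeyId": "ASIA" + secrets.token_hex(8).upper(),
        "secretAccessKey": secrets.token_urlsafe(30),
        "sessionToken": secrets.token_urlsafe(40),
        "identityId": identity_id,
        "expiration": int(time.time()) + ttl_seconds,
    }


def login(username: str, password: str) -> Dict[str, object]:
    """Login action: verify the password, then exchange the verified identity
    for temporary AWS credentials. No long-lived key ever leaves the backend."""
    if not verify_password(username, password):
        raise BadRequestException("invalid username or password")
    identity_id, token = get_open_id_token_for_developer_identity(username)
    return get_credentials_for_identity(identity_id, token)
```

The client only ever holds the expiring triple returned by `login`; revoking access means disabling the role or identity on the AWS side, which is the "single API call" benefit listed on page 30.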

Page 24

Authorizing API calls

Page 25

The Pets resources require authorization

/pets
• POST
  • Receives a Pet model
  • Saves it in DynamoDB
  • Returns the new Pet ID
• GET
  • Returns the list of Pets stored in DynamoDB

/pets/{petId}
• GET
  • Receives a Pet ID from the path
  • Uses mapping templates to pass the path parameter to the Lambda function
  • Loads the Pet from DynamoDB
  • Returns a Pet model

Page 26

Using the caller credentials

Using the console: (screenshot)

Using Swagger:

credentials: arn:aws:iam::*:user/*
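Because the Swagger file lives in the repository (page 14) and is imported by the build script, the split between the two `credentials` settings on page 13 and on this page can be checked before deployment. The following is an added example, not code from the deck or the awslabs project: a small audit over a constructed, abbreviated Swagger document in the deck's shape that reports any unauthenticated route configured to invoke with the caller's credentials, any unauthenticated route with no invoke role, and any authenticated route that does not use `arn:aws:iam::*:user/*`. The set of unauthenticated paths, the placeholder account ID `000000000000` and the truncated `uri` values are assumptions of the example.

```python
from typing import Any, Dict, List

CALLER_CREDENTIALS = "arn:aws:iam::*:user/*"
UNAUTHENTICATED = {"/users", "/login"}  # the two routes the deck leaves open
HTTP_METHODS = {"get", "post", "put", "delete", "patch", "head", "options"}

# Constructed, abbreviated Swagger document in the deck's shape. The account
# ID is a placeholder and the GET /pets/{petId} integration is deliberately
# missing its credentials so the audit has something to report.
INVOKE_ROLE = "arn:aws:iam::000000000000:role/pet_store_lambda_invoke"
SWAGGER: Dict[str, Any] = {
    "swagger": "2.0",
    "paths": {
        "/users": {"post": {"x-amazon-apigateway-integration": {
            "type": "aws", "uri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/...",
            "credentials": INVOKE_ROLE}}},
        "/login": {"post": {"x-amazon-apigateway-integration": {
            "type": "aws", "uri": "...", "credentials": INVOKE_ROLE}}},
        "/pets": {
            "post": {"x-amazon-apigateway-integration": {
                "type": "aws", "uri": "...", "credentials": CALLER_CREDENTIALS}},
            "get": {"x-amazon-apigateway-integration": {
                "type": "aws", "uri": "...", "credentials": CALLER_CREDENTIALS}},
        },
        "/pets/{petId}": {
            "get": {"x-amazon-apigateway-integration": {"type": "aws", "uri": "..."}},
        },
    },
}


def audit_integrations(doc: Dict[str, Any], unauthenticated=UNAUTHENTICATED) -> List[str]:
    """Return one finding per operation whose integration credentials do not
    match its intended authentication mode. An empty list means the document
    is consistent with the deck's split of open and IAM-authorized routes."""
    findings: List[str] = []
    for path, operations in doc.get("paths", {}).items():
        for method, operation in operations.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level "parameters" and vendor keys
            where = f"{method.upper()} {path}"
            integration = operation.get("x-amazon-apigateway-integration")
            if not integration:
                findings.append(f"{where}: no x-amazon-apigateway-integration")
                continue
            creds = integration.get("credentials")
            if path in unauthenticated:
                if creds == CALLER_CREDENTIALS:
                    findings.append(f"{where}: unauthenticated route is set to invoke with the caller's credentials")
                elif not creds:
                    findings.append(f"{where}: no invoke role on an unauthenticated route")
            elif creds != CALLER_CREDENTIALS:
                findings.append(f"{where}: should invoke with caller credentials (got {creds!r})")
    return findings
```

An unauthenticated route that invokes with the caller's credentials cannot work (there is no signed caller), while an authenticated route that invokes with a fixed role silently gives every caller that role's permissions instead of their own, which is exactly the property page 28 builds on.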

Page 27

The IAM role defines access permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Scan",
        "lambda:InvokeFunction",
        "execute-api:invoke"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:xxxxxx:table/test_pets",
        "arn:aws:lambda:us-east-1:xxxxx:function:PetStore",
        "arn:aws:execute-api:us-east-1:xxxx:API_ID/*/POST/pets"
      ]
    }
  ]
}

The role allows calls to:
• DynamoDB
• API Gateway
• Lambda

The role can access specific resources in these services.

Page 28

One step further: Fine-grained access permissions

[Diagram: Internet client → Amazon CloudFront → API Gateway → AWS Lambda functions → DynamoDB; the caller’s Cognito identity (cognitoId2) executes with this role.]

"Condition": {
  "ForAllValues:StringEquals": {
    "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
    "dynamodb:Attributes": [
      "UserId", "GameTitle", "Wins", "Losses",
      "TopScore", "TopScoreDateTime"
    ]
  },
  "StringEqualsIfExists": {
    "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
  }
}

UserID      Wins  Losses
cognitoId1  3     2
cognitoId2  5     8
cognitoId3  2     3

The credentials and context (Cognito ID) are passed along.

Both AWS Lambda & DynamoDB will follow the access policy.
Page 29

Authenticated flow in depth

[Diagram: mobile apps send Sigv4-signed calls to API Gateway, which invokes lambdaHandler in AWS Lambda with the caller credentials; the function’s service calls to DynamoDB are authorized using the IAM role.]

Learn more about fine-grained access permissions: http://amzn.to/1YkxcjR

Page 30

Benefits of using AWS auth & IAM

• Separation of concerns – our authorization strategy is delegated to a dedicated service
• We have centralized access management to a single set of policies
• Roles and credentials can be disabled with a single API call

Page 31

AWS credentials on the client

Page 32

1-click SDK generation from the console

Page 33

The client SDK declares all methods

Page 34

The AWSCredentialsProvider

We implement the AWSCredentialsProvider interface.

The refresh() method is called whenever the SDK needs new credentials.

Page 35

Generated SDK benefits

The generated client SDK knows how to:
• Sign API calls using AWS signature version 4
• Handle throttled responses with exponential back-off
• Marshal and unmarshal requests and responses to model objects
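The signing step on this page and the "Sigv4 / authorized by IAM" arrows on pages 7 and 29 are two halves of one mechanism, shown here as an added example that is not code from the deck, the generated SDK or the awslabs project: a Python Signature Version 4 signer for the client side and a simplified verifier for the service side that recomputes the signature with the secret it holds for the access key, compares in constant time, and rejects stale timestamps. The credentials, host, path, body and fixed clock (`NOW`) are constructed fixtures; the verifier stops at signature validity, whereas API Gateway additionally evaluates the caller's IAM permissions (the `execute-api:invoke` action from page 27) before invoking the integration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

ALGORITHM = "AWS4-HMAC-SHA256"
# Constructed fixtures for the example (not real credentials).
ACCESS_KEY = "ASIACONSTRUCTEDKEY00"
SECRET_KEY = "constructed-secret-key-for-the-example"
SESSION_TOKEN = "constructed-session-token"
NOW = datetime(2015, 10, 8, 12, 0, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: str,
                      headers: Dict[str, str], payload: bytes) -> Tuple[str, str]:
    """Canonical request: method, URI, query, sorted lowercase headers, signed-header list, payload hash."""
    names = sorted(k.lower() for k in headers)
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    canon_headers = "".join(f"{n}:{lower[n]}\n" for n in names)
    signed = ";".join(names)
    canon = "\n".join([method.upper(), path, query, canon_headers, signed,
                       hashlib.sha256(payload).hexdigest()])
    return canon, signed


def signature(secret_key: str, amz_date: str, region: str, service: str, canon: str) -> str:
    """String to sign = algorithm, timestamp, credential scope, hash of the canonical request."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    to_sign = "\n".join([ALGORITHM, amz_date, scope, hashlib.sha256(canon.encode("utf-8")).hexdigest()])
    return hmac.new(signing_key(secret_key, date_stamp, region, service),
                    to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_request(method, host, path, query, payload, access_key, secret_key,
                 session_token, region, service, now: datetime) -> Dict[str, str]:
    """Client side (what the generated SDK does): return the headers to send."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-security-token": session_token}
    canon, signed = canonical_request(method, path, query, headers, payload)
    sig = signature(secret_key, amz_date, region, service, canon)
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    headers["Authorization"] = f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"
    return headers


def verify_request(method, path, query, payload, headers: Dict[str, str],
                   lookup_secret: Callable[[str], Optional[str]], now: datetime,
                   max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Service side (simplified): parse Authorization, recompute the signature over
    the request as received, compare in constant time, reject stale timestamps."""
    auth = headers.get("Authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    try:
        parts = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
        access_key, date_stamp, region, service, _ = parts["Credential"].split("/")
        lower = {k.lower(): v for k, v in headers.items()}
        signed_headers = {n: lower[n] for n in parts["SignedHeaders"].split(";")}
        amz_date = lower["x-amz-date"]
        ts = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False
    if not amz_date.startswith(date_stamp) or abs(now - ts) > max_skew:
        return False
    secret = lookup_secret(access_key)
    if secret is None:
        return False
    canon, _ = canonical_request(method, path, query, signed_headers, payload)
    return hmac.compare_digest(signature(secret, amz_date, region, service, canon), parts["Signature"])


def demo() -> Dict[str, bool]:
    """Constructed round trip: the signed request verifies; a changed body,
    a different path, a late replay or an unknown access key does not."""
    lookup = {ACCESS_KEY: SECRET_KEY}.get
    body = b'{"name": "Rex", "type": "dog"}'
    hdrs = sign_request("POST", "api.example.com", "/prod/pets", "", body,
                        ACCESS_KEY, SECRET_KEY, SESSION_TOKEN, "us-east-1", "execute-api", NOW)
    return {
        "valid": verify_request("POST", "/prod/pets", "", body, hdrs, lookup, NOW),
        "tampered_body": verify_request("POST", "/prod/pets", "", b'{"name": "Rex", "type": "cat"}', hdrs, lookup, NOW),
        "wrong_path": verify_request("POST", "/prod/pets/1", "", body, hdrs, lookup, NOW),
        "replayed_later": verify_request("POST", "/prod/pets", "", body, hdrs, lookup, NOW + timedelta(minutes=10)),
        "unknown_key": verify_request("POST", "/prod/pets", "", body, hdrs, lambda key: None, NOW),
    }
```

Because the session token is a signed header, the temporary credentials from the login flow are bound to every request they sign, and because the signature covers the timestamp, method, path and body, a captured request cannot be edited or replayed past the skew window.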

Page 36

What have we learned?

AWS Lambda + Amazon API Gateway mean no infrastructure to manage – we scale for you

Security is important, and complex – make the most of AWS Identity and Access Management

Swagger import and client SDK – we can automate most workflows

Download the example from the AWSLabs GitHub account: https://github.com/awslabs/api-gateway-secure-pet-store

Page 37

Questions?

Page 38

Remember to complete your evaluations!

Page 39

Thank you!

Download the example from the AWSLabs GitHub Account: https://github.com/awslabs/api-gateway-secure-pet-store

Page 40

Related Sessions

CMP302 – Amazon EC2 Container Service: Distributed Applications at Scale – Deepak Singh – 10/8, 2:45 PM – 3:45 PM – Venetian H

CMP301 – AWS Lambda and the Serverless Cloud – Tim Wagner – 10/8, 4:15 PM – 5:15 PM – Venetian H

ARC309 – From Monolithic to Microservices: Evolving Architecture Patterns in the Cloud – Derek Chiles – 10/8, 4:15 PM – 5:15 PM – Palazzo N