
I have a front-end app that will use Lambda functions; the endpoints have CORS enabled like this:

# serverless.yml

functions:
  test:
    handler: functions/test.handler
    events:
      - http:
          path: /test
          method: get
          cors: true

The test function's handler has headers like this:

// ./functions/test.js
module.exports.handler = async (event) => ({
  statusCode: 200,
  headers: {
    'Access-Control-Allow-Origin': 'https://example.com',
  },
  body: JSON.stringify({ ok: true }),
});

When I build and deploy the serverless project, I can put the generated URL in a browser and see the response. The ACAO header does exist. I haven't tried using it from a site; it might be blocked there, but CORS isn't enough: it's only browser-based, and the Lambda response will still be visible if requested in other ways.

What I want to do is restrict access to those (production) Lambda functions unless the request is coming from my app, which is hosted (static) in an S3 bucket; the bucket is linked to CloudFront, and CloudFront is linked to a domain (using Route 53 for the domain).

My app won't have users; I just don't want the data served there to be accessible from 3rd-party services. I thought about building a function that I import inside each function and that would check the IP if the stage is prod, but I'm not sure whether that's good practice.

What else can I do to protect those Lambdas? The solution doesn't have to be in the Lambda; maybe there's something in CloudFront I could use. Currently there isn't a subdomain api.example.com pointing to the Lambdas.
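As an added example (not code from the question or either answer), here is the "check the IP if the stage is prod" idea the asker floats, written as a wrapper around a Lambda proxy-integration handler. It reads the caller's address from `event.requestContext.identity.sourceIp`, which API Gateway fills from the TCP connection, rather than from `X-Forwarded-For`, which any client can set to whatever it likes. The environment variable names `STAGE` and `ALLOWED_CIDRS`, and every address in the allowlist, are assumptions.

```javascript
// Added example, not code from the question or the answers: a stage-gated
// source-IP allowlist wrapped around a Lambda handler behind API Gateway
// (REST API, Lambda proxy integration). STAGE and ALLOWED_CIDRS are assumed
// environment variable names; the addresses used are assumptions too.

// Parse dotted-quad IPv4 into an unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True if `ip` falls inside `cidr` ("a.b.c.d" or "a.b.c.d/n"). Malformed
// input is treated as "not allowed", never as a match.
function cidrContains(cidr, ip) {
  const [base, bitsStr] = String(cidr).split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const baseInt = ipv4ToInt(base);
  const ipInt = ipv4ToInt(ip);
  if (baseInt === null || ipInt === null) return false;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true; // a shift by 32 is a shift by 0 in JS, so /0 is handled here
  // `>>> 0` keeps the mask and the masked values unsigned.
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((baseInt & mask) >>> 0) === ((ipInt & mask) >>> 0);
}

// Decide whether the request may proceed. Only production is gated, matching
// the question's idea of checking the IP when the stage is prod.
function isAllowed(event, { stage, allowedCidrs }) {
  if (stage !== 'prod') return true;
  // API Gateway sets requestContext.identity.sourceIp from the peer address.
  // X-Forwarded-For is client-controlled and is deliberately not consulted.
  const rc = event && event.requestContext;
  const sourceIp = rc && rc.identity && rc.identity.sourceIp;
  if (typeof sourceIp !== 'string') return false; // fail closed
  return allowedCidrs.some((cidr) => cidrContains(cidr, sourceIp));
}

// Wrap any proxy-integration handler so denied callers get a 403 and the
// real handler never runs.
function withIpAllowlist(handler, opts) {
  return async (event, context) => {
    if (!isAllowed(event, opts)) {
      return {
        statusCode: 403,
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ message: 'Forbidden' }),
      };
    }
    return handler(event, context);
  };
}

// Build the allowlist config from environment variables (assumed names).
function configFromEnv(env) {
  return {
    stage: env.STAGE || 'dev',
    allowedCidrs: (env.ALLOWED_CIDRS || '')
      .split(',')
      .map((s) => s.trim())
      .filter(Boolean),
  };
}

// The question's test handler, gated. serverless.yml would set
// environment: { STAGE: '${self:provider.stage}', ALLOWED_CIDRS: '...' }.
const testHandler = async () => ({
  statusCode: 200,
  headers: { 'Access-Control-Allow-Origin': 'https://example.com' },
  body: JSON.stringify({ ok: true }),
});

const handler = withIpAllowlist(testHandler, configFromEnv(process.env));

if (typeof module !== 'undefined') {
  module.exports = { handler, withIpAllowlist, isAllowed, cidrContains, configFromEnv };
}
```

This only helps when the legitimate callers have known addresses (your own machine, an office range, CI). Visitors to a public static site on CloudFront arrive from arbitrary IPs, so an allowlist cannot distinguish "my app's users" from anyone else; for that, the request itself has to carry something the third party cannot obtain.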

2 Answers


Found a solution I like, actually; not sure how I didn't think of that before.

In serverless.yml, the resource policy looks like this:

provider:
  name: aws
  runtime: nodejs8.10
  memorySize: 128
  stage: dev
  resourcePolicy:
    - Effect: Allow
      Principal: '*'
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/*/*
      Condition:
        IpAddress:
          aws:SourceIp:
            - 'your ip here'

When you deploy it, the policy is set in API Gateway -> Your service -> Resource Policy. I'm sure you could add multiple statements if certain Lambdas/endpoints should allow different or full access, and this way I could also have different IPs per deployment stage.
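As an added example (not the answer's own configuration), the two extensions the answer suggests, carried through: an allowlist that changes per deployment stage, and a second statement that locks one endpoint down more tightly than the rest. Serverless Framework v2 and v3 nest the policy under `provider.apiGateway.resourcePolicy`; the answer's `provider.resourcePolicy` is the older v1 location. The stage names, CIDR ranges and the `/admin` endpoint are assumptions.

```yaml
# Added example, not the answer's config: per-stage source-IP allowlists on a
# REST API Gateway resource policy, plus an explicit Deny for one endpoint.
# Stage names, CIDRs (RFC 5737 documentation ranges) and /admin are assumptions.
service: my-api

custom:
  allowedIps:
    dev:
      - '0.0.0.0/0'        # dev: open, so it can be exercised from anywhere
    prod:
      - '203.0.113.0/24'   # assumed office / CI egress range

provider:
  name: aws
  runtime: nodejs18.x
  stage: ${opt:stage, 'dev'}
  apiGateway:
    resourcePolicy:
      # Default: every method on every path is callable only from the
      # current stage's allowlist.
      - Effect: Allow
        Principal: '*'
        Action: execute-api:Invoke
        Resource:
          - execute-api:/*/*/*
        Condition:
          IpAddress:
            aws:SourceIp: ${self:custom.allowedIps.${self:provider.stage}}
      # An explicit Deny beats any Allow: /admin answers to a single host
      # even in stages where the default allowlist is wide open.
      - Effect: Deny
        Principal: '*'
        Action: execute-api:Invoke
        Resource:
          - execute-api:/*/*/admin
        Condition:
          NotIpAddress:
            aws:SourceIp:
              - '198.51.100.7/32'

functions:
  test:
    handler: functions/test.handler
    events:
      - http:
          path: /test
          method: get
          cors: true
  admin:
    handler: functions/admin.handler
    events:
      - http:
          path: /admin
          method: get
```

Two things to check after `sls deploy --stage prod`: the policy is attached to the REST API itself, so a new deployment of the stage is needed for changes to take effect (the framework does this on deploy), and a denied caller sees an HTTP 403 from API Gateway with the Lambda never invoked, which is the point of doing the check in front of the function rather than inside it. Note that this, like any source-IP condition, only fits callers whose addresses you know in advance; it does not turn a public CloudFront site into a trusted caller.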


Please note that resource policies currently only work for REST API Gateways: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html

HTTP APIs do not support resource policies.

2 Comments

This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review
Yes, I will do it once possible.
