
We have a setup like this in AWS -

  • Step Functions include a few Lambda functions that write to S3 buckets
  • The S3 bucket is passed as an argument to the Lambda functions by the user
  • API Gateway is set up to invoke Step Functions, and IAM authorization is enabled

However, currently the Step Function and Lambdas are invoked under the IAM role defined, but we want all Lambdas to be executed as the authenticated user. So if the user invoking the API does not have access to the S3 bucket passed, the Lambda should fail. How can this be achieved?

1 Answer


One of the responsibilities of Amazon API Gateway is to be a facade for your backend (here the Step Function and Lambda functions) and to guard it from unauthorized invocation.

I see two options. The first is easy; the second is the more proper way to have all controls.

  1. Don't give your IAM users permissions to call this API if they don't have permissions to access data in the S3 bucket. Also, remove permissions to access the Step Function and Lambda functions. Apply the principle of least privilege.
  2. Instead of using IAM users, use Amazon Cognito to authenticate your users to your application. Attach Cognito as an authorizer to your API. Your Lambda function can get information about the user via the context input parameter. Use DynamoDB to store additional information about the user and add business logic to your Lambda to handle any special behavior.
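As an added illustration of the second option (this is example code, not part of the answer above or of any AWS sample), here is a Lambda handler that performs the per-user bucket check before any S3 write. It assumes, and this is an assumption not stated on the page, that the API Gateway request context (Cognito claims, or the caller ARN when IAM authorization is used) and the user-supplied bucket name are forwarded unchanged through the Step Functions input, so each Lambda sees them in its event. The DynamoDB lookup the answer mentions is replaced by an in-memory dict so the code runs offline; the principal ids and bucket names in it are constructed.

```python
"""Lambda-side authorization of the user-supplied S3 bucket argument.

Added example, not code from the question or the answer. Assumptions:
the API Gateway request context and the 'bucket' argument reach the
Lambda unchanged via the Step Functions input, and the per-user bucket
allow-list lives in DynamoDB (stood in for here by a dict).
"""
import json

# Stand-in for the DynamoDB table of permitted buckets per user.
# In a real deployment this would be a boto3 get_item on the table.
# All principal ids and bucket names below are constructed sample data.
USER_BUCKETS = {
    # Cognito user, identified by the token's 'sub' claim
    "cognito:11111111-2222-3333-4444-555555555555": {"team-a-data"},
    # IAM user, identified by its ARN (only present with IAM authorization)
    "iam:arn:aws:iam::123456789012:user/alice": {"team-a-data", "shared-reports"},
}


class AccessDenied(Exception):
    """Raised when the caller may not use the requested bucket."""


def caller_principal(event):
    """Return a stable principal id from the forwarded API Gateway request context.

    Cognito user pool authorizer: claims sit under requestContext.authorizer.claims.
    IAM authorization: the caller ARN sits under requestContext.identity.userArn.
    A request carrying neither is rejected rather than mapped to a default user.
    """
    ctx = event.get("requestContext") or {}
    claims = (ctx.get("authorizer") or {}).get("claims") or {}
    if claims.get("sub"):
        return "cognito:" + claims["sub"]
    user_arn = (ctx.get("identity") or {}).get("userArn")
    if user_arn:
        return "iam:" + user_arn
    raise AccessDenied("no authenticated caller in request context")


def authorize_bucket(event):
    """Check that the caller is allowed to write to the bucket passed as an argument.

    Returns (principal, bucket) on success. Raises AccessDenied otherwise so the
    Lambda, and with it the Step Functions execution, fails instead of silently
    writing to the bucket with the function's own execution role.
    """
    principal = caller_principal(event)
    bucket = event.get("bucket")
    if not bucket:
        raise AccessDenied("no bucket argument supplied")
    allowed = USER_BUCKETS.get(principal, set())
    if bucket not in allowed:
        raise AccessDenied(f"{principal} is not permitted to use bucket {bucket}")
    return principal, bucket


def handler(event, context=None):
    """Lambda entry point: authorize first, then do the work."""
    principal, bucket = authorize_bucket(event)
    # Only at this point would the real function call s3.put_object(Bucket=bucket, ...).
    return {
        "statusCode": 200,
        "body": json.dumps({"principal": principal, "bucket": bucket}),
    }
```

The important property is that an unrecognised caller or an unlisted bucket raises rather than falls through: the Lambda's execution role can still reach every bucket, so the check in code is what turns "user lacks access" into a failed execution.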
