Description:
In AWS, a Lambda authorizer (formerly known as a custom authorizer) is an API Gateway feature that uses a Lambda function to control access to your API.
When you use publicly accessible API Gateway endpoints, requests reach them over public networks. When an API is configured as private, it is not routed over public networks; instead, it can only be accessed through the interface endpoints that you have configured.
There are two types of Lambda authorizers:
- Token-based: A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller’s identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token.
- Request parameter-based: A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller’s identity as a combination of headers, query string parameters, stage variables, and $context variables.
Note: For WebSocket APIs, only request parameter-based authorizers are supported.
Rationale:
It is recommended that the API Gateway endpoint not be publicly accessible to other services and resources in AWS. A public API Gateway endpoint with no authorizer means that unauthorized actors could invoke the API and access your data, which can lead to misuse of the data.
You can also use a Lambda function from a different AWS account as the API authorizer function. Each account can be in any region where Amazon API Gateway is available.
Impact:
With this policy in place, API Gateway controls access to your API through the authorizer.
The authorizer result can be cached per unique client token, so the Lambda function does not have to be invoked on every request.
The authorization logic is independent of the rest of the codebase; it forms a single layer that validates every incoming request.
Default Value:
By default, no authorizer is created or configured in API Gateway.
Pre-Requisite:
Before configuring a Lambda authorizer, you must first create the Lambda function that implements the logic to authorize and, if necessary, authenticate the caller.
The Lambda console provides a Python blueprint, which you can use by choosing Use a blueprint and then choosing the api-gateway-authorizer-python blueprint.
Remediation:
Test Plan:
- Sign in to the AWS Management Console
- Go to the API Gateway dashboard at console.aws.amazon.com/apigateway
- Click on the name of the API to audit
- Click on Resources
- Click on the Method; here in our API the Method is “GET”
- In Method Execution, under Method Request, check the Auth (Authorization) setting
- If it is set to NONE, no Lambda authorizer is enabled or configured for this method
To check whether a Lambda authorizer has been configured at all:
- Click on Authorizers below the stage in the left navigation pane
- In the Authorizers dashboard, if no authorizer is listed, no authorizer has been created or configured
Using AWS CLI:
To get the list of authorizers for a REST API:
aws apigateway get-authorizers --rest-api-id <rest_api_id>
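The console steps above check one method at a time. The following Python script is an added example, not part of the original page and not AWS code: it audits a whole REST API from saved CLI output, reading the JSON produced by aws apigateway get-resources --rest-api-id <rest_api_id> --embed methods and by the get-authorizers command above, and reports every method whose authorizationType is NONE or whose CUSTOM authorizer no longer exists. The field names (resourceMethods, authorizationType, authorizerId) and the --embed methods flag are taken from the API Gateway REST API reference; the sample data and the file names are constructed.

```python
import json
import sys

# Constructed sample of the JSON that
#   aws apigateway get-resources --rest-api-id <rest_api_id> --embed methods
# returns; only the fields this check reads are included.
SAMPLE_RESOURCES = {
    "items": [
        {"id": "a1b2c3", "path": "/",
         "resourceMethods": {
             "GET": {"httpMethod": "GET", "authorizationType": "CUSTOM", "authorizerId": "auth01"}}},
        {"id": "d4e5f6", "path": "/orders",
         "resourceMethods": {
             "GET": {"httpMethod": "GET", "authorizationType": "NONE"},
             "POST": {"httpMethod": "POST", "authorizationType": "CUSTOM", "authorizerId": "auth01"},
             "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE"}}},
        {"id": "g7h8i9", "path": "/admin",
         "resourceMethods": {
             "DELETE": {"httpMethod": "DELETE", "authorizationType": "CUSTOM", "authorizerId": "ghost"}}},
    ]
}

# Constructed sample of `aws apigateway get-authorizers --rest-api-id <rest_api_id>`.
SAMPLE_AUTHORIZERS = {
    "items": [{"id": "auth01", "name": "token-authorizer", "type": "TOKEN"}]
}

# CORS preflight requests are normally served without authorization; skipping
# OPTIONS keeps the report focused (assumption; adjust for your API).
IGNORED_METHODS = ("OPTIONS",)


def find_unprotected_methods(resources, authorizers, ignored=IGNORED_METHODS):
    """Return (path, method, reason) for every method not guarded by a working authorizer.

    Flags methods whose authorizationType is NONE, CUSTOM methods whose
    authorizerId does not exist, and methods whose details were not embedded.
    AWS_IAM and COGNITO_USER_POOLS are other valid types and are not flagged.
    """
    known_ids = {a["id"] for a in authorizers.get("items", [])}
    findings = []
    for res in resources.get("items", []):
        for method, cfg in sorted((res.get("resourceMethods") or {}).items()):
            if method in ignored:
                continue
            if "authorizationType" not in cfg:
                # get-resources without --embed methods returns {"GET": {}}; do not
                # guess, tell the operator to rerun with method details embedded.
                findings.append((res["path"], method,
                                 "no method details (rerun get-resources with --embed methods)"))
                continue
            auth_type = cfg["authorizationType"]
            if auth_type == "NONE":
                findings.append((res["path"], method, "authorizationType is NONE"))
            elif auth_type == "CUSTOM" and cfg.get("authorizerId") not in known_ids:
                findings.append((res["path"], method,
                                 "authorizerId %r does not exist" % cfg.get("authorizerId")))
    return findings


def main(argv):
    """Usage: audit.py resources.json authorizers.json (saved CLI output).
    With no arguments the constructed samples above are used."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            resources = json.load(f)
        with open(argv[2]) as f:
            authorizers = json.load(f)
    else:
        resources, authorizers = SAMPLE_RESOURCES, SAMPLE_AUTHORIZERS
    findings = find_unprotected_methods(resources, authorizers)
    for path, method, reason in findings:
        print("%-7s %-20s %s" % (method, path, reason))
    # Non-zero exit lets a CI job fail when an unprotected method is found.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save the two CLI outputs with `> resources.json` and `> authorizers.json` and run the script against them; on the constructed sample it reports /orders GET (no authorization) and /admin DELETE (dangling authorizer id) and exits 1.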
Implementation Steps:
- Log in to the AWS Management Console
- Go to the Lambda service at https://console.aws.amazon.com/lambda/
- Click on Functions in the left navigation pane
- Click on Create function to create a Lambda function
- Fill in the Basic information and select the Runtime as per your requirement; here we select Python 3.7
- Click on the Create function button
- After creating the function, configure the code: go to Code source and enter the code as per your requirement. The example below is the source code used to configure the Lambda function:
def lambda_handler(event, context):
    # 1 - Log the event (for a TOKEN authorizer the event contains the caller's
    #     bearer token, so this print writes that token to CloudWatch Logs)
    print('********** The event is: **********')
    print(event)
    # 2 - See if the caller's token is valid
    auth = 'Deny'
    if event['authorizationToken'] == 'abc123':
        auth = 'Allow'
    else:
        auth = 'Deny'
    # 3 - Construct and return the IAM policy response API Gateway expects
    authResponse = {
        "principalId": "abc123",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Resource": ["arn:aws:execute-api:<region>:<youraccountnumber>:ksixrqez26/*/*"],
                "Effect": auth
            }]
        }
    }
    return authResponse
After the configuration, click on the Deploy button.
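The handler above compares the token with a string constant, grants a wildcard resource covering the whole API, and logs the event including the token. The following is an added example, not the page's code and not an AWS blueprint, showing a hardened version of the same authorizer that also accepts the REQUEST event shape described under Description: it reads the token from authorizationToken or from the Authorization header, compares a SHA-256 digest in constant time against an allow-list (ALLOWED_TOKEN_HASHES, a constructed placeholder for a secret store or identity provider), scopes the returned policy to the invoked stage parsed from methodArn, and raises "Unauthorized" so API Gateway answers 401 when no token is present. The token values and ARNs are constructed.

```python
import hashlib
import hmac
import re

# Constructed example data: SHA-256 digests of the bearer tokens allowed to call
# the API, mapped to the principal each token identifies. In a real deployment
# these come from a secret store or an identity provider, never from source code.
ALLOWED_TOKEN_HASHES = {
    hashlib.sha256(b"abc123").hexdigest(): "abc123",              # the page's sample token
    hashlib.sha256(b"s3cr3t-reporting").hexdigest(): "reporting-service",
}

# methodArn format: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
METHOD_ARN_RE = re.compile(
    r"^arn:aws:execute-api:(?P<region>[^:]*):(?P<account>[^:]*):"
    r"(?P<api>[^/]+)/(?P<stage>[^/]+)/(?P<method>[^/]+)(?P<path>/.*)?$"
)


def extract_token(event):
    """Return the bearer token from either authorizer event shape, or None.

    A TOKEN authorizer delivers the token in event["authorizationToken"]; a
    REQUEST authorizer delivers the raw headers, so the token is read from the
    Authorization header instead. A "Bearer " prefix is stripped if present.
    """
    if event.get("type") == "TOKEN":
        raw = event.get("authorizationToken")
    else:
        headers = event.get("headers") or {}
        raw = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not raw:
        return None
    parts = raw.split()
    if len(parts) == 2 and parts[0].lower() == "bearer":
        return parts[1]
    return raw.strip()


def lookup_principal(token):
    """Map a token to its principal using a constant-time digest comparison."""
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    principal = None
    # Compare against every entry so timing does not reveal which one matched.
    for allowed_digest, name in ALLOWED_TOKEN_HASHES.items():
        if hmac.compare_digest(digest, allowed_digest):
            principal = name
    return principal


def build_policy(principal, method_arn, effect):
    """Build the IAM policy response API Gateway expects from a Lambda authorizer."""
    m = METHOD_ARN_RE.match(method_arn)
    if m is None:
        raise ValueError("unexpected methodArn format")
    # Cover every method of the invoked stage: narrower than the page's
    # ksixrqez26/*/* (all stages), but not the single method, which breaks
    # when the cached policy is reused for the caller's next request.
    resource = "arn:aws:execute-api:{region}:{account}:{api}/{stage}/*/*".format(**m.groupdict())
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": [resource],
            }],
        },
    }


def lambda_handler(event, context):
    token = extract_token(event)
    if token is None:
        # An error whose message is exactly "Unauthorized" makes API Gateway
        # return HTTP 401 instead of 403. The event is deliberately not logged.
        raise Exception("Unauthorized")
    principal = lookup_principal(token)
    if principal is None:
        return build_policy("anonymous", event["methodArn"], "Deny")
    return build_policy(principal, event["methodArn"], "Allow")
```

Scoping the resource to <api-id>/<stage>/*/* matters once authorizer caching is enabled (the steps below uncheck it): API Gateway caches the returned policy per token and reuses it for every method the same caller invokes, so a policy limited to the single methodArn would produce 403 responses on the caller's next method.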
- After deploying the Lambda function, go to the API Gateway dashboard at console.aws.amazon.com/apigateway
- Click on the API name you want and click on Authorizers in the left navigation pane
- Click on the Create New Authorizer button
- Give the authorizer a name, select the Lambda function you created for authorization, and set the Token source (by default Authorization). Caching is enabled by default; here we uncheck it
- Click on the Create button
- In Add Permission to Lambda Function, click on the Grant & Create button
- The authorizer has now been created. Click on the Test button to test it
- With the right authorization token you get “Effect”: “Allow”; after the test you can confirm that your authorizer is working
- Go to Resources in the left navigation pane
- Click on the GET method in Resources
- In Method Execution, click on Method Request
- In Settings, click on the Authorization edit button, select the authorizer you created, and click the update button
Backout Plan:
Step 1: Sign in to the AWS Management Console
Step 2: Go to the API Gateway dashboard at console.aws.amazon.com/apigateway
Step 3: Click on the API name
Step 4: Click on Resources and click on the Method
Step 5: In Method Execution, click on Method Request
Step 6: Click on the Edit button next to Authorization, select None, and click on the update button
Step 7: Go to Authorizers and click on the delete authorizer button to remove the authorizer
Using AWS CLI:
To delete a custom authorizer from an API:
aws apigateway delete-authorizer --rest-api-id <api_id> --authorizer-id <give_authorizer_id>