Description:

In AWS, a Lambda authorizer (formerly known as a custom authorizer) is an API Gateway feature that uses a Lambda function to control access to your API. API Gateway invokes the function with the caller's identity and enforces the IAM policy the function returns before the request reaches the backend integration.

Publicly accessible API Gateway endpoints are reached over the public internet. When an API is configured as private, it is not routed over public networks at all; it can only be reached through the VPC interface endpoints you have configured.

There are two types of Lambda authorizers:

  1. Token-based: A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller’s identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token.

  2. Request parameter-based: A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller’s identity as a combination of headers, query string parameters, stageVariables, and $context variables.

Note: For WebSocket APIs, only request parameter-based authorizers are supported.


Rationale:

API Gateway endpoints should not be reachable by callers that have not been authorized. A public API Gateway endpoint whose methods have no authorizer accepts every request it receives, so unauthorized actors can call the API and read or misuse the data behind it.

The Lambda function used as an authorizer can also live in a different AWS account from the API. Each account can be in any region where Amazon API Gateway is available.


Impact:

With an authorizer in place, API Gateway controls access to your API: every request is checked before it reaches the integration.

The authorizer's decision can be cached per unique client (keyed on the token or identity source), so the function is not invoked again for each of that client's requests within the cache TTL.

The authorization logic lives in the authorizer, independent of the rest of the codebase; it acts as a validation layer for every incoming request.


Default Value:

By default, API Gateway has no authorizer created or configured, and new methods are created with Authorization set to NONE.


Audit:

  1. Sign in to the AWS Management Console
  2. Go to the API Gateway dashboard at console.aws.amazon.com/apigateway
  3. Click on the name of the API to audit
  4. Click on Resources
  5. Click on a Method (in this example the API method is GET)
  6. In Method Execution, click Method Request; its Settings show Auth (Authorization)

    If it is set to NONE, no Lambda authorizer (or any other authorizer) protects this method. Repeat this for every method of every resource: an authorizer protects only the methods that reference it.

    To check whether any Lambda authorizer has been configured for the API:

  7. Click on Authorizers below the stages in the left navigation pane

  8. If the Authorizers page lists no authorizer, none has been created or configured for this API



Via CLI:

To get the list of authorizers for a REST API

aws apigateway get-authorizers --rest-api-id <rest_api_id>
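The get-authorizers call only shows that an authorizer exists; it does not show which methods use it. The script below is an added audit helper (not part of the original page) that combines the output of `aws apigateway get-resources --rest-api-id <rest_api_id> --embed methods` with the output of get-authorizers and lists every method a caller can invoke without an authorizer, including methods whose authorizerId points at an authorizer that has since been deleted. The file names, the sample JSON and the API/authorizer ids in it are constructed for the demonstration.

```python
"""Audit helper: flag REST API methods that no authorizer protects.

Added example (not from the page). It reads the JSON printed by these two
CLI calls, so it runs without AWS credentials once the files exist:

    aws apigateway get-resources   --rest-api-id <rest_api_id> --embed methods > resources.json
    aws apigateway get-authorizers --rest-api-id <rest_api_id>                 > authorizers.json

With no arguments it audits the constructed sample below instead.
"""
import json
import sys

# Constructed sample output shaped like the two CLI calls above (ids are made up).
SAMPLE_RESOURCES = {"items": [
    {"id": "a1b2c3", "path": "/",
     "resourceMethods": {"GET": {"httpMethod": "GET", "authorizationType": "NONE"}}},
    {"id": "d4e5f6", "path": "/orders",
     "resourceMethods": {
         "GET": {"httpMethod": "GET", "authorizationType": "CUSTOM", "authorizerId": "xyz789"},
         "POST": {"httpMethod": "POST", "authorizationType": "CUSTOM", "authorizerId": "gone01"},
         "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE"}}},
    {"id": "g7h8i9", "path": "/health",
     "resourceMethods": {"GET": {"httpMethod": "GET", "authorizationType": "AWS_IAM"}}},
]}
SAMPLE_AUTHORIZERS = {"items": [
    {"id": "xyz789", "name": "token-authorizer", "type": "TOKEN",
     "identitySource": "method.request.header.Authorization",
     "authorizerResultTtlInSeconds": 300},
]}


def unprotected_methods(resources, authorizers):
    """Return 'VERB path (reason)' for every method a caller can invoke without an authorizer.

    Flags authorizationType NONE, a CUSTOM method whose authorizerId matches no existing
    authorizer (left dangling after a delete), and methods with no detail at all (the
    get-resources call was run without --embed methods, so nothing can be concluded).
    OPTIONS is skipped because CORS preflight is normally left open on purpose.
    """
    known = {a["id"] for a in authorizers.get("items", [])}
    findings = []
    for res in resources.get("items", []):
        for verb, method in sorted(res.get("resourceMethods", {}).items()):
            if verb == "OPTIONS":
                continue
            auth_type = method.get("authorizationType")
            if auth_type is None:
                findings.append(f"{verb} {res['path']} (no detail; re-run with --embed methods)")
            elif auth_type == "NONE":
                findings.append(f"{verb} {res['path']} (NONE)")
            elif auth_type == "CUSTOM" and method.get("authorizerId") not in known:
                findings.append(f"{verb} {res['path']} (CUSTOM, authorizer missing)")
    return findings


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as fh:
            resources = json.load(fh)
        with open(argv[2]) as fh:
            authorizers = json.load(fh)
    else:
        resources, authorizers = SAMPLE_RESOURCES, SAMPLE_AUTHORIZERS
    findings = unprotected_methods(resources, authorizers)
    for line in findings:
        print(line)
    print(f"{len(findings)} unprotected method(s)")
    return 1 if findings else 0   # non-zero exit so the audit can gate a pipeline


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_authorizers.py resources.json authorizers.json`; on the constructed sample it reports the root GET (Authorization NONE) and POST /orders (CUSTOM, but its authorizer no longer exists) while leaving the IAM-protected /health alone.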


Remediation:

Pre-Requisite:

Before configuring a Lambda authorizer, you must first create the Lambda function that implements the logic to authorize and, if necessary, authenticate the caller.

The Lambda console provides a Python blueprint, which you can use by choosing Use a blueprint and choosing the api-gateway-authorizer-python blueprint. 


Implementation Steps:

  1. Log in to the AWS Management Console
  2. Go to the Lambda service at https://console.aws.amazon.com/lambda/
  3. Click on Functions in the left navigation pane
  4. Click on Create function to create a Lambda function
  5. Fill in the Basic information and select the Runtime you need (this walkthrough used Python 3.7; Lambda no longer offers that runtime for new functions, so choose a currently supported Python 3 version)
  6. Click on the Create function button
  7. After creating the function, go to Code source and replace the code with your authorizer logic. The example below is the source code for the Lambda function; it accepts a single static token, which is fine for a walkthrough but must be replaced by real token validation (for example JWT signature and expiry checks) before production use:
    def lambda_handler(event, context):

        # 1 - Log the event (useful while testing; in production avoid logging the token)
        print('********** The event is: **********')
        print(event)

        # 2 - See if the caller's token is valid (static token, demonstration only)
        auth = 'Deny'
        if event.get('authorizationToken') == 'abc123':
            auth = 'Allow'

        # 3 - Construct and return the response: an IAM policy for execute-api:Invoke
        #     Replace <region>, <youraccountnumber> and the API id with your own values
        authResponse = {
            "principalId": "abc123",
            "policyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Action": "execute-api:Invoke",
                    "Resource": ["arn:aws:execute-api:<region>:<youraccountnumber>:ksixrqez26/*/*"],
                    "Effect": auth
                }]
            }
        }
        return authResponse


  8. After editing the code, click on the Deploy button to publish it


    With the Lambda function deployed, go to the API Gateway dashboard



  9. Navigate to API Gateway at console.aws.amazon.com/apigateway

  10. Click on the API name you want and click on Authorizers in the left navigation pane

  11. Click on the Create New Authorizer button

  12. Give the authorizer a name, select the Lambda function you created for the authorization, and enter the Token source (the request header that carries the token, typically Authorization). Authorization Caching is enabled by default with a TTL of 300 seconds; this walkthrough unchecks it. If you keep it enabled, the policy returned for a given token value is reused for every request carrying that token until the TTL expires, so the policy must cover all methods that caller may use, and a revoked token keeps working until its cache entry expires.

  13. Click on the Create button

  14. In Add Permission to Lambda Function, click on the Grant & Create button (this adds the resource-based policy that lets API Gateway invoke the function)

    The authorizer has now been created

    • Click on the Test button to test it

    • Enter the correct authorization token and you get "Effect": "Allow"; enter any other value and you get "Effect": "Deny"

      After the test you have confirmed that your authorizer is working

  15. Go to Resources in the left navigation pane

  16. Click on the GET Method in the Resources

  17. In Method Execution, click on Method Request

  18. In Settings, click on the Authorization edit button, select the authorizer you created from the list, and click the update (check mark) button. Repeat this for every method that must be protected, then deploy the API to its stage so the change takes effect on the live endpoint



Backout Plan:

Step 1: Sign in to the AWS Management Console

Step 2: Go to the API Gateway dashboard at console.aws.amazon.com/apigateway

Step 3: Click on the API name

Step 4: Click on Resources and click on the Method

Step 5: In Method Execution, click on Method Request

Step 6: Click on the Edit button next to Authorization, select NONE, and click on the update button; deploy the API to its stage for the change to take effect

Step 7: Go to Authorizers and click on the Delete Authorizer button to remove the authorizer


Via CLI:

To delete a Custom Authorizer in an API