(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs


Post on 16-Apr-2017


TRANSCRIPT

  • © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

    Stefano Buliani, Product Manager

    October 2015

    Building Secure and Scalable APIs

    Using Amazon API Gateway and AWS Lambda

  • What to Expect from the Session

    1. A new, fully-managed development model

    2. Declare an API with Amazon API Gateway

    3. Application logic in AWS Lambda

    4. Register and login API with Amazon Cognito

    5. Authorization with AWS IAM

    6. Generate and connect the Client SDK

  • A new, fully managed model

    [Architecture diagram: the Internet and mobile apps reach Amazon API Gateway through Amazon CloudFront; API Gateway (with its cache) routes calls to AWS Lambda functions, endpoints on Amazon EC2, any other publicly accessible endpoint, or other AWS services, and reports to Amazon CloudWatch]

  • Key takeaways

    AWS Lambda + Amazon API Gateway means no infrastructure to manage: we scale for you.

    Security is important, and complex: make the most of AWS Identity and Access Management.

    Swagger import and client SDK: we can automate most workflows.

  • The services we are going to use

    Amazon API Gateway: host the API and route API calls

    AWS Lambda: execute our app's business logic

    Amazon Cognito: generate temporary AWS credentials

    Amazon DynamoDB: data store

  • The pet store architecture

  • API call flows

    Unauthenticated: mobile apps call Register and Login on API Gateway, which invokes the lambdaHandler in AWS Lambda.

    Authenticated: mobile apps sign the ListPets, GetPet and CreatePet calls with Sigv4; API Gateway invokes the lambdaHandler with the caller credentials (Assume Role), and the call is authorized by IAM.

  • What's new?

    The application can use lots of servers, and I don't need to manage a single one.

    Authorization of API calls is delegated to AWS. We just need to focus on our IAM roles.

    Deployment of the API is automated using Swagger.

  • API definition and Swagger

  • Amazon API Gateway overview

    Define and host APIs: manage deployments to multiple versions and environments.

    Leverage AWS Auth: leverage Identity and Access Management to authorize access to your cloud resources.

    Manage network traffic: DDoS protection and request throttling to safeguard your back end.

  • Method and integration

  • Resources and methods

    Unauthenticated:

    POST /users: Registers a new user in our DynamoDB table

    POST /login: Receives a user name and password and authenticates a user

    Authenticated:

    POST /pets: Creates a new pet in the database

    GET /pets: Retrieves a list of pets from the database

    GET /pets/{petId}: Retrieves a pet by its ID

  • [Diagram: Method Request, Integration Request, Method, Method Response]

    Automating the workflow with Swagger

    /users:
      post:
        summary: Registers a new user
        consumes:
          - application/json
        produces:
          - application/json
        parameters:
          - name: NewUser
            in: body
            schema:
              $ref: '#/definitions/User'
        x-amazon-apigateway-integration:
          type: aws
          uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31...
          credentials: arn:aws:iam::964405213927:role/pet_store_lambda_invoke...
        responses:
          200:
            schema:
              $ref: '#/definitions/RegisterUserResponse'

  • Benefits of using Swagger

    API definitions live in our source repository with the

    rest of the app.

    They can be used with other utilities in the Swagger

    toolset (for example, documentation generation).

    API can be imported and deployed in our build

    script.

  • Request routing and exceptions

  • AWS Lambda Overview

    High performance at any scale; cost-effective and efficient. Lambda functions: stateless, trigger-based code execution.

    No infrastructure to manage: focus on business logic, not infrastructure. You upload code; AWS Lambda handles everything else.

    Pay only for what you use: Lambda automatically matches capacity to your request rate. Purchase compute in 100ms increments.

    Bring Your Own Code: run code in a choice of standard languages. Use threads, processes, files, and shell scripts normally.

  • The Lambda handler

    [Diagram: Amazon API Gateway sends the integration request to the lambdaHandler in our Java source, which dispatches to the Register, Login, Create Pet and Get Pet actions; the actions use credentials generation and the pet store database]

  • Exception to HTTP status

    [Diagram: the Register, Login, Create Pet and Get Pet actions in the lambdaHandler (Java source) throw BadRequestException (message: BAD_REQUEST + stack trace) or InternalErrorException (message: INTERNAL_ERROR + stack trace); Amazon API Gateway matches the message against the integration response patterns]

    responses:
      "default":
        statusCode: "200"
      "BAD.*":
        statusCode: "400"
      "INT.*":
        statusCode: "500"
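As an added illustration in Python (it is not the session's Java handler and not code from the awslabs pet store repository), the following shows both halves of the mechanism on this slide: a handler whose exceptions carry the BAD_REQUEST / INTERNAL_ERROR message prefixes, and a small simulation of how API Gateway picks the integration response by matching the selection patterns against the Lambda errorMessage. The in-memory PETS table, the event shape (an "action" field plus body or petId, as a mapping template would produce) and the exact matching semantics are assumptions made for the example.

```python
import re
import traceback
import uuid


class BadRequestException(Exception):
    """Client error; the message prefix is what the "BAD.*" pattern matches."""

    def __init__(self, detail):
        super().__init__("BAD_REQUEST: " + detail)


class InternalErrorException(Exception):
    """Server error; the message prefix is what the "INT.*" pattern matches."""

    def __init__(self, detail):
        super().__init__("INTERNAL_ERROR: " + detail)


# Constructed in-memory stand-in for the DynamoDB pets table.
PETS = {}


def create_pet(body):
    """Create Pet action: validate the model, store it, return the new id."""
    if not isinstance(body, dict) or not body.get("name"):
        raise BadRequestException("pet name is required")
    age = int(body.get("age", 0))  # a non-numeric age raises a plain ValueError
    pet_id = str(uuid.uuid4())
    PETS[pet_id] = {"petId": pet_id, "name": body["name"], "age": age}
    return {"petId": pet_id}


def get_pet(pet_id):
    """Get Pet action: the id comes from the /pets/{petId} path parameter."""
    if pet_id not in PETS:
        raise BadRequestException("no pet with id %r" % pet_id)
    return PETS[pet_id]


def lambda_handler(event, context=None):
    """Single handler dispatching on the "action" field (assumed event shape).

    Exceptions the actions did not classify are re-raised as InternalErrorException:
    otherwise their errorMessage matches no pattern and API Gateway falls back to
    the "default" response, i.e. HTTP 200 with an error body.
    """
    try:
        action = event.get("action")
        if action == "CreatePet":
            return create_pet(event.get("body"))
        if action == "GetPet":
            return get_pet(event.get("petId"))
        if action == "ListPets":
            return {"pets": list(PETS.values())}
        raise InternalErrorException("unknown action %r" % action)
    except (BadRequestException, InternalErrorException):
        raise
    except Exception as exc:
        raise InternalErrorException(type(exc).__name__) from exc


# The integration responses from the session's Swagger definition.
INTEGRATION_RESPONSES = {
    "default": {"statusCode": "200"},
    "BAD.*": {"statusCode": "400"},
    "INT.*": {"statusCode": "500"},
}


def select_status_code(error_message, responses=INTEGRATION_RESPONSES):
    """Pick the status code whose pattern matches the Lambda errorMessage.

    Assumed semantics: the pattern is matched at the start of the message with
    DOTALL, so a multi-line stack trace inside the message does not stop a match;
    the first matching non-default pattern wins, else "default".
    """
    for pattern, response in responses.items():
        if pattern != "default" and re.match(pattern, error_message, re.DOTALL):
            return int(response["statusCode"])
    return int(responses["default"]["statusCode"])


def invoke_through_gateway(event):
    """Simulated Lambda integration: returns (status_code, body dict).

    On failure the body has the shape of a Lambda error object (errorMessage,
    errorType, stackTrace) and the status comes from select_status_code.
    """
    try:
        return 200, lambda_handler(event)
    except Exception as exc:
        error = {
            "errorMessage": str(exc),
            "errorType": type(exc).__name__,
            "stackTrace": traceback.format_exc().splitlines(),
        }
        return select_status_code(error["errorMessage"]), error


if __name__ == "__main__":
    print(invoke_through_gateway({"action": "CreatePet", "body": {}}))
```

The case worth checking in your own API is the unclassified exception: select_status_code("ValueError: bad input") returns 200, because neither BAD.* nor INT.* matches, so the handler's catch-all that re-raises with the INTERNAL_ERROR prefix is what keeps the 500 path deterministic. Since the Lambda error object also carries the stack trace, the integration response's mapping template is where a deployment decides how much of that object reaches the client.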

  • Mapping templates are a powerful tool

    Learn more about mapping templates in our docs

    http://amzn.to/1L1hSF5

  • Retrieving AWS credentials

  • Amazon Cognito overview

    Identity management: manage authenticated and guest users across identity providers.

    Data synchronization: synchronize users' data across devices and platforms via the cloud.

    Secure AWS access: securely access AWS services from mobile devices and platforms.

  • The API definition

    POST /users

    Receives a user name and password

    Encrypts the password and creates the user account in DynamoDB

    Calls Amazon Cognito to generate credentials

    Returns the user + its credentials

    POST /login

    Receives a user name and password

    Authenticates the user against the DynamoDB database

    Calls Amazon Cognito to generate credentials

    Returns a set of temporary credentials
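The two actions on this slide, written in Python as an added example rather than the session's Java implementation (nothing here is from the awslabs repository). The slide says the Register action "encrypts" the password; the example stores a salted PBKDF2 hash instead, which is an assumption about the implementation and not the project's documented choice, and the Login action verifies it in constant time. The USERS dictionary stands in for the DynamoDB users table; the Cognito calls that follow a successful login (GetOpenIdTokenForDeveloperIdentity, GetCredentialsForIdentity) need the service and are left out.

```python
import base64
import hashlib
import hmac
import os


class BadRequestException(Exception):
    """Message prefix matches the "BAD.*" integration response pattern."""

    def __init__(self, detail):
        super().__init__("BAD_REQUEST: " + detail)


PBKDF2_ITERATIONS = 100_000  # constructed choice; tune to your latency budget
USERS = {}                   # constructed stand-in for the DynamoDB users table


def _derive(password, salt):
    """PBKDF2-HMAC-SHA256 of the password under the given salt (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username, password):
    """Register action: validate, store a salted password hash, return the user."""
    if not username or len(password) < 8:
        raise BadRequestException("username and a password of 8+ characters are required")
    if username in USERS:
        raise BadRequestException("user already exists")
    salt = os.urandom(16)
    USERS[username] = {
        "username": username,
        "salt": base64.b64encode(salt).decode("ascii"),
        "password": base64.b64encode(_derive(password, salt)).decode("ascii"),
    }
    return {"username": username}


def login(username, password):
    """Login action: True when the password matches the stored hash.

    An unknown user still costs one derivation so response time does not reveal
    which user names exist, and the digests are compared in constant time.
    """
    record = USERS.get(username)
    if record is None:
        _derive(password, b"\x00" * 16)
        return False
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["password"])
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    register("alice", "correct horse battery")
    print(login("alice", "correct horse battery"), login("alice", "wrong password!"))
```

In the flow on the following slide, a True from login is the point at which the backend turns to Amazon Cognito for the temporary credentials; the user record itself never leaves the backend.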

  • Retrieving temporary AWS credentials

    [Sequence diagram: Client, API Gateway, Backend]

    1. The client calls the Login API (POST /login), no auth required; API Gateway invokes the Login action, which verifies the credentials against the user accounts database.

    2. The backend calls Amazon Cognito: Get OpenID token for developer identity, which returns an Identity ID + token; then Get credentials for identity, which returns an access key + secret key + session token.

    3. The client receives the credentials to sign API calls.

  • Authorizing API calls

  • The Pets resources require authorization

    POST /pets

    Receives a Pet model

    Saves it in DynamoDB

    Returns the new Pet ID

    GET /pets

    Returns the list of Pets stored in DynamoDB

    GET /pets/{petId}

    Receives a Pet ID from the path

    Uses mapping templates to pass the path parameter to the Lambda function

    Loads the Pet from DynamoDB

    Returns a Pet model

  • Using the caller credentials

    Using the console, or using Swagger by setting the integration credentials to:

    credentials: arn:aws:iam::*:user/*

  • The IAM role defines access permissions

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:GetItem",
            "dynamodb:PutItem",
            "dynamodb:Scan",
            "lambda:InvokeFunction",
            "execute-api:invoke"
          ],
          "Resource": [
            "arn:aws:dynamodb:us-east-1:xxxxxx:table/test_pets",
            "arn:aws:lambda:us-east-1:xxxxx:function:PetStore",
            "arn:aws:execute-api:us-east-1:xxxx:API_ID/*/POST/pets"
          ]
        }
      ]
    }

    The role allows calls to: DynamoDB, API Gateway, Lambda.

    The role can access specific resources in these services.

  • One step further: Fine-grained access permissions

    [Diagram: Internet client → API Gateway → AWS Lambda functions (executing with this role) → DynamoDB, with Amazon CloudFront in front; the caller's Cognito ID (CognitoId2) travels with the call]

    "Condition": {
      "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
        "dynamodb:Attributes": [
          "UserId", "GameTitle", "Wins", "Losses",
          "TopScore", "TopScoreDateTime"
        ]
      },
      "StringEqualsIfExists": {
        "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
      }
    }

    UserID      Wins  Losses
    cognitoId1  3     2
    cognitoId2  5     8
    cognitoId3  2     3

    The credentials and context (Cognito ID) are passed along

    Both AWS Lambda & DynamoDB will follow the access policy
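An added example (Python; not part of the session or the awslabs project) that applies the two policy slides above: a small evaluator for an Allow statement with the fine-grained DynamoDB condition, where ${cognito-identity.amazonaws.com:sub} is substituted from the caller's Cognito identity before the comparison. The policy document, the account id 123456789012, the table name GameScores and the request-key shapes are constructed for the example; the evaluator implements only the operators the slide uses plus StringEquals, and real IAM evaluation has more rules than this.

```python
import json
import re

# Constructed policy in the shape of the session's fine-grained DynamoDB policy.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
          "dynamodb:Attributes": ["UserId", "GameTitle", "Wins", "Losses",
                                  "TopScore", "TopScoreDateTime"]
        },
        "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}
      }
    }
  ]
}
""")

TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' is a wildcard; action names match case-insensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _substitute(value, context):
    """Replace ${policy variables} such as ${cognito-identity.amazonaws.com:sub}."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), value)


def _condition_holds(condition, request_keys, context):
    for operator, clauses in condition.items():
        for key, allowed in clauses.items():
            allowed = [_substitute(v, context) for v in _as_list(allowed)]
            actual = request_keys.get(key)
            if operator == "ForAllValues:StringEquals":
                # Every value in the request must be in the allowed set; a request
                # that does not carry the key at all passes (IAM's documented rule).
                if not all(v in allowed for v in _as_list(actual or [])):
                    return False
            elif operator == "StringEqualsIfExists":
                if actual is not None and actual not in allowed:
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in allowed:
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def is_allowed(policy, action, resource, request_keys, context):
    """Explicit Deny wins; otherwise any matching Allow grants; otherwise denied."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request_keys, context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def caller_may(action, identity, leading_keys, attributes, select="SPECIFIC_ATTRIBUTES"):
    """The caller's Cognito identity id becomes the policy variable; the DynamoDB
    request keys are built from the partition keys and attributes requested."""
    request_keys = {
        "dynamodb:LeadingKeys": leading_keys,
        "dynamodb:Attributes": attributes,
        "dynamodb:Select": select,
    }
    context = {"cognito-identity.amazonaws.com:sub": identity}
    return is_allowed(POLICY, action, TABLE, request_keys, context)


if __name__ == "__main__":
    print(caller_may("dynamodb:GetItem", "cognitoId2", ["cognitoId2"], ["Wins", "Losses"]))
    print(caller_may("dynamodb:GetItem", "cognitoId2", ["cognitoId1"], ["Wins", "Losses"]))
```

Two results are the ones to internalise: a request for cognitoId1's row under cognitoId2's credentials is denied at the DynamoDB layer, regardless of what the Lambda code does, and a request that carries no dynamodb:LeadingKeys at all passes the ForAllValues clause. The second is the documented ForAllValues semantics, which is why the example policy lists only item and query actions: an action whose requests do not carry the key would not be constrained by it.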

  • Authenticated flow in depth

    [Diagram: mobile apps send a Sigv4-signed call to API Gateway, which invokes the AWS Lambda lambdaHandler with the caller credentials; the handler's service calls to DynamoDB are authorized using the IAM role]

    Learn more about fine-grained access permissions

    http://amzn.to/1YkxcjR

  • Benefits of using AWS auth & IAM

    Separation of concerns: our authorization strategy is delegated to a dedicated service.

    We have centralized access management to a single set of policies.

    Roles and credentials can be disabled with a single API call.

  • AWS credentials on the client

  • 1-click SDK generation from the console

  • The client SDK declares all methods

  • The AWSCredentialsProvider

    We implement the AWSCredentialsProvider interface

    The refresh() method is called whenever the SDK needs new credentials

  • Generated SDK benefits

    The generated client SDK knows how to:

    Sign API calls using AWS signature version 4

    Handle throttled responses with exponential back-off

    Marshal and unmarshal requests and responses to model objects
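An added example in Python (not the generated client SDK and not code from the awslabs repository) of what the first bullet means in practice, and of what the credentials from the login flow are for: signing a CreatePet request with AWS Signature Version 4 using a temporary access key, secret key and session token. The credentials, the API id in the URL and the timestamp are constructed placeholders; the canonicalisation follows the public SigV4 specification in its minimal form (single-valued headers, signed payload).

```python
import datetime
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

SERVICE = "execute-api"  # service name in the credential scope for API Gateway


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service=SERVICE):
    """SigV4 key derivation: HMAC chain over date, region, service, 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method, url, body, access_key, secret_key, session_token, region, now):
    """Headers for a SigV4-signed API Gateway request made with temporary credentials.

    The session token travels in x-amz-security-token and is part of the signed
    headers, so the token cannot be swapped after signing without invalidating
    the signature.
    """
    parts = urlsplit(url)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()

    headers = {
        "content-type": "application/json",
        "host": parts.netloc,
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,
    }
    # Canonical request: method, URI, sorted query, sorted headers, signed header
    # list, payload hash; every line is hashed into the string to sign.
    canonical_uri = quote(parts.path or "/", safe="/")
    canonical_query = "&".join(
        "%s=%s" % (quote(k, safe="-_.~"), quote(v, safe="-_.~"))
        for k, v in sorted(parse_qsl(parts.query, keep_blank_values=True))
    )
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join("%s:%s\n" % (k, headers[k].strip()) for k in sorted(headers))
    canonical_request = "\n".join(
        [method, canonical_uri, canonical_query, canonical_headers, signed_headers, payload_hash]
    )

    scope = "%s/%s/%s/aws4_request" % (date_stamp, region, SERVICE)
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s"
        % (access_key, scope, signed_headers, signature)
    )
    return headers


# Constructed temporary credentials of the kind the login flow returns; not real keys.
EXAMPLE_CREDENTIALS = {
    "access_key": "ASIAEXAMPLEACCESSKEY",
    "secret_key": "EXAMPLESECRETKEY/NOTAREALSECRET",
    "session_token": "EXAMPLE-SESSION-TOKEN",
}
EXAMPLE_TIME = datetime.datetime(2015, 10, 8, 12, 0, 0)


def example_signed_headers(secret_key=EXAMPLE_CREDENTIALS["secret_key"]):
    """Sign a CreatePet call (POST /pets) against a placeholder API endpoint."""
    return sign_request(
        "POST", "https://API_ID.execute-api.us-east-1.amazonaws.com/prod/pets",
        '{"name": "Rex", "age": 3}', EXAMPLE_CREDENTIALS["access_key"], secret_key,
        EXAMPLE_CREDENTIALS["session_token"], "us-east-1", EXAMPLE_TIME)


if __name__ == "__main__":
    for name, value in example_signed_headers().items():
        print("%s: %s" % (name, value))
```

API Gateway recomputes the same signature from the request it receives and the secret it looks up for the access key, so the secret itself never crosses the wire; that is the property that lets the Pets methods be protected by an IAM policy on execute-api:Invoke rather than by an application-level token check.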

  • What have we learned?

    AWS Lambda + Amazon API Gateway means no infrastructure to manage: we scale for you.

    Download the example from the AWSLabs GitHub account

    https://github.com/awslabs/api-gateway-secure-pet-store

    Security is important, and complex: make the most of AWS Identity and Access Management.

    Swagger import and client SDK: we can automate most workflows.

  • Questions?

  • Remember to complete your evaluations!

  • Thank you!

    Download the example from the AWSLabs GitHub Account

    https://github.com/awslabs/api-gateway-secure-pet-store

  • Related Sessions

    CMP302 Amazon EC2 Container Service: Distributed Applications at Scale, Deepak Singh, 10/8, 2:45 PM - 3:45 PM, Venetian H

    CMP301 AWS Lambda and the Serverless Cloud, Tim Wagner, 10/8, 4:15 PM - 5:15 PM, Venetian H

    ARC309 From Monolithic to Microservices: Evolving Architecture Patterns in the Cloud, Derek Chiles, 10/8, 4:15 PM - 5:15 PM, Palazzo N