Is AWS API Gateway custom authorizer useful?

I am looking to use some "serverless api server" for AWS Lambda / zappa that uses a custom API Gateway authorizer for user authentication. In the serverless AWS Lambda service, is there a considerable security or cost benefit in using a custom authorizer rather than checking the issued JWT token directly in your code controller? For me, checking in the code could be more convenient.

UPDATE: I went for pre-request hooks; however, there is a header-level authorizer, which is easier to use for CORS, yet I believe it is not supported by zappa. Also, setting a mock API for OPTIONS might be possible via swagger upload; I will update if I succeed.

I don't think there is, strictly speaking, a security or cost benefit. The benefit is that it is a single place, a single piece of code, that handles your authorization. It prevents you from having to duplicate that authorization code in every single Lambda function you deploy behind your API. And it allows you to update a single function to make any changes to your authorization logic.

From the perspective that it provides a single source of truth for your authorization logic, and it allows you to implement separation of concerns, it could be said to enhance your application's security.

That being said, if your entire API consists of a single Lambda function, then the benefit is somewhat dubious. I think API Gateway Custom Authorizers really become beneficial when your API has many Lambda functions or when your API Gateway is sitting in front of traditional HTTP servers.

@Mark B makes excellent points; I certainly don't dispute anything in his answer. I'd like to contribute to the conversation nevertheless.

An answer tailored more specifically to you might depend on where the JWTs come from, and how they're being acquired, used, and refreshed. Using a custom authorizer may make sense in these scenarios:

Use Case 1

Custom authorizers can be useful if you want to secure a single Lambda behind several different flavors of authorization. For example, you can create three different API Gateway endpoints that each invoke the same Lambda, but use distinct authorizers. This ties into Mark's point about the DRY benefits.

Use Case 2

Custom authorizers afford you the ability to build IAM permissions inline in your authorizer code. Rather than assigning a pre-existing IAM role to a caller, you can build any arbitrary set of permissions you like. Note that this can easily become a nasty attack vector if you're somehow using (untrusted) user input to assign IAM permissions.

Use Case 3

Lambdas are great for hiding secrets. For example, you have a front-end JS app and you need to participate in OAuth 2.0 flows that require a client id and client secret. Or you need to call endpoints that require API keys of some sort. Clearly, you can't expose these secrets to the browser.

These values can be encrypted and stored in environment variables specific to the Lambda function. While you could certainly take this approach with your back-end lambda, using an authorizer instead has the following benefit:

I like being able to restrict the scope of these secrets as tightly as possible. By using an authorizer, my application can remain blissfully unaware of these secrets. This ties into Mark's point about separation of concerns.

IAM and Least Privilege

I prefer that my back end code never gets invoked by unauthorized parties. For this reason, I use an authorizer of some type on virtually every API Gateway resource I create. I have used custom authorizers, but they're kind of my last resort. I lean on IAM authorization most of the time, using Cognito to trade tokens for temporary IAM credentials.

If you perform authorization in your back-end lambda, rather than in an authorizer, you can't be as restrictive when defining the IAM controls around your back-end lambda. This is a violation of the principle of least privilege. This isn't just a matter of code organization and application architecture; it's a legitimate security concern. You're essentially exposing more attack surface than you have to.

Furthermore, the real power of IAM shines when your back end grows. Your back-end lambda may need to write to S3, invoke other Lambdas, publish to SNS or SQS, interact with RDS or DynamoDB, etc. I'd suggest that "best practice" dictates that all of this access is governed by strict IAM policies. In my experience, using an API Gateway authorizer (of any type, not necessarily custom) to assign a role is the most straightforward way to accomplish this.
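As an added example (not code from either answer or from the zappa project), the following is a minimal API Gateway TOKEN authorizer in Python that illustrates the points above: one function verifies the JWT and emits an IAM policy, so the back-end Lambda never sees the signing secret (Use Case 3) and is only reachable through an "Allow" policy (least privilege). It also shows the safe way to handle the Use Case 2 caveat: a verified role claim only selects an entry from a fixed allow-list of API paths and is never spliced into the resource ARN, so a hostile claim value cannot widen the grant. The HS256 shared secret, the `ROLE_PATHS` table and the sample token are constructed for this example; the `methodArn` format and the `"Unauthorized"` exception convention are those documented for TOKEN authorizers.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret. A real deployment would load it from an encrypted
# Lambda environment variable or a secrets store; it never reaches the back end.
SHARED_SECRET = b"example-hs256-secret-do-not-use"

# Fixed mapping from a verified "role" claim to the API paths that role may call.
# The claim only selects an entry here; claim values are never inserted into ARNs.
ROLE_PATHS = {
    "reader": ["GET/items", "GET/items/*"],
    "admin": ["*/items", "*/items/*"],
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_hs256_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify an HS256 JWT and return its claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")  # rejects alg=none and algorithm confusion
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or current >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def build_policy(principal_id: str, effect: str, method_arn: str, allowed_paths) -> dict:
    """Build the policy document API Gateway expects from a Lambda authorizer.

    methodArn looks like arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}.
    An Allow policy covers the allow-listed paths of the same API stage; a Deny
    policy names only the method being called.
    """
    arn_prefix, _, rest = method_arn.partition("/")
    stage = rest.split("/", 1)[0]
    if effect == "Allow":
        resources = [f"{arn_prefix}/{stage}/{p}" for p in allowed_paths]
    else:
        resources = [method_arn]
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resources}],
        },
    }


def handler(event, context=None):
    """TOKEN authorizer entry point: event carries 'authorizationToken' and 'methodArn'."""
    method_arn = event["methodArn"]
    raw = event.get("authorizationToken", "")
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else raw
    try:
        claims = verify_hs256_jwt(token, SHARED_SECRET)
    except Exception:
        # API Gateway turns this exact message into a 401 without invoking the back end.
        raise Exception("Unauthorized")
    role = claims.get("role")
    paths = ROLE_PATHS.get(role) if isinstance(role, str) else None
    principal = str(claims.get("sub", "anonymous"))
    if paths is None:
        return build_policy(principal, "Deny", method_arn, [])  # valid token, unknown role -> 403
    policy = build_policy(principal, "Allow", method_arn, paths)
    policy["context"] = {"role": role}  # reaches the back end as $context.authorizer.role
    return policy


def mint_token(claims: dict, secret: bytes) -> str:
    """Constructed helper standing in for the identity provider that issues tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items"  # constructed
    tok = mint_token({"sub": "user-1", "role": "reader", "exp": int(time.time()) + 300}, SHARED_SECRET)
    print(json.dumps(handler({"authorizationToken": f"Bearer {tok}", "methodArn": arn}), indent=2))
```

A token whose role is not in `ROLE_PATHS` yields an explicit Deny rather than an error, which is the usual way to distinguish "bad credentials" (401) from "authenticated but not permitted" (403). Note that API Gateway caches the returned policy per token for the configured TTL, so the resources listed in an Allow policy should cover every method that caller may legitimately hit during that window.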

On the cost part of the question: the authorizer will be a separate charge for one additional lambda call, plus new CPU time with its own 100ms minimum charge. This may be a significant cost if there are many short lambdas in the backend; it could double the cost of each of them.
