带有 lambda 的 AWS Cron 作业

Question

I want to set up cron jobs for my application using lambda functions. My current architecture consists of an auto-scaling group behind a load balancer, both inside the same VPC. My intention is to call a specific path to my application, for instance "/cron/task1" using lambdas, and call them at regular intervals using the cron-like syntax. How can I secure my application so that such endpoints can only be reached from lambda functions and not from outside the vpc, while allowing reachability to all other paths of the application from the final users?

Answer 1

Api authorization may be what you need. One of the easiest way(not most secure) to do is;

• Both you lambda and application share a common secret
• When a request is made from lambda to your application you hash all the query parameters like this;

myapp.url/cron/task1?a=value&c=something&b=foobar

You sort parameters in ascending/descending order

{
  "a": "val",
  "b": "foobar"
  "c": "some",
}

• by using the shared common secret you hash all those key and make a new string such as cf23df2207d99a74fbe169e3eba035e633b65d94

now your request will be

myapp.url/cron/task1?a=val&c=some&b=foobar&token=cf23df2207d99a74fbe169e3eba035e633b65d94

• when your application receives this request, it takes token out and sort the rest(the same order lambda used) and using the same secret key it creates a hash.
• if the hashes are matched then you know it is coming from lambda since they both know the same secret. If it isn't, then you can discard that request.

You may keep that secrets in aws kms to not expose and make it more secure.