
AWS Lambda Access from S3 Only with API Gateway

What I am trying to accomplish is to allow a Lambda function to be executed by a request from a specified S3 bucket. The API Gateway is used to communicate with the Lambda functions. I need to allow usage of the endpoint based on the S3 bucket only.

I can set up CORS, but that is not what I intend to do. I need more than just browser security. All my allowed requests must be coming from the S3 bucket only. How can I create such a policy or validation in API Gateway? Or is there any other way to accomplish this task?

I am explaining more now. So think that I have an S3 bucket which has a static website. I also have a Lambda function. Now my website wants some data to be loaded, so I am calling the Lambda function using my API Gateway. The API is open right now. There is no authentication or CORS. I need my API Gateway to allow a request only if it is coming from that particular S3 bucket. We don't want the API to just be open. Now CORS is just browser security, so we want more than that. I have searched a lot for this particular use case, but couldn't find anything.

S3 is not a service that "calls" other services such as Lambda or API Gateway.

I believe what you are looking for is to leverage S3 Events, in which case an event from S3 (like object creation) can trigger a lambda execution. See here: https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html

I want to restrict the world from using the Lambda but allow it to be accessed only from my S3. Again, I am using the API Gateway to communicate.

Since you want to restrict the world from accessing your Lambda function, basically you need to place your AWS Lambda within a VPC and make your API Gateway private. The API Gateway will need to have a resource policy, which is a JSON object specifying the VPC (or set of IP addresses) that has access to the AWS Lambda. Any request outside the VPC range will be blocked by the API Gateway.

  • Create a VPC

  • Assign this VPC to your lambda function

  • Create an IAM role with the following S3 policy to specify which bucket can access your Lambda function. Attach this role to your Lambda function.

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": "s3:*",
           "Resource": [
             "arn:aws:s3:::your-s3-bucket/*",
             "arn:aws:s3:::your-s3-bucket"
           ]
         }
       ]
     }

  • You need to make your API Gateway private (you will find this option in the settings) and allocate a resource policy to it:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": "*",
           "Action": "execute-api:Invoke",
           "Resource": "arn:aws:execute-api:{region}:{accountId}:{api-id}/*/*/*",
           "Condition": {
             "StringEquals": {
               "aws:sourceVpc": "vpc-1234"
             }
           }
         }
       ]
     }

Don't forget to redeploy your API Gateway once you make these changes.

EDIT: If you want to restrict S3 bucket access, navigate to your bucket and it will have something called a Bucket Policy. Add the following sample bucket policy to it (you'll need to edit it according to your use case). This policy will deny bucket access to everything outside the specified VPC.

Refer to this: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html :

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::yours3bucket",
        "arn:aws:s3:::yours3bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-1234"
        }
      }
    }
  ]
}
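As an added example that is not part of the original answer, here is a small Python model of how IAM evaluates the two policies above (an applicable explicit Deny wins, then an applicable Allow, otherwise implicit deny) with the StringEquals / StringNotEquals conditions on aws:SourceVpc. The account ID, API ID, VPC IDs, IP addresses and request contexts are constructed placeholders; only the evaluation rules are real. It makes visible the check a practitioner runs before deploying this setup: aws:SourceVpc is present only for requests that arrive through a VPC endpoint, so a visitor loading the static website from the public internet carries no such key, is not matched by the API policy's Allow, and is matched by the bucket policy's Deny.

```python
from fnmatch import fnmatchcase

# Constructed resource policy for the private API (same shape as the answer);
# account ID, API ID and VPC ID are placeholders.
API_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "execute-api:Invoke",
        "Resource": "arn:aws:execute-api:us-east-1:123456789012:abcd1234/*/*/*",
        "Condition": {"StringEquals": {"aws:sourceVpc": "vpc-1234"}},
    }],
}

# Constructed bucket policy: deny everything that does not come from the VPC.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Access-to-specific-VPC-only",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::yours3bucket", "arn:aws:s3:::yours3bucket/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-1234"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _context_value(context, key):
    # IAM matches condition key names case-insensitively.
    for name, value in context.items():
        if name.lower() == key.lower():
            return value
    return None


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = _context_value(context, key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                # A positive operator never matches when the key is absent.
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # A negated operator matches when the key is absent; this is
                # why the bucket policy also blocks console and internet access.
                if actual is not None and actual in expected:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def _statement_applies(stmt, action, resource, context):
    if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request. Principal is
    taken as '*' (both policies above use it); an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


API_RESOURCE = "arn:aws:execute-api:us-east-1:123456789012:abcd1234/prod/GET/data"
OBJECT = "arn:aws:s3:::yours3bucket/index.html"

# Constructed request contexts. aws:SourceVpc exists only for calls that come
# through a VPC endpoint; a browser on the public internet has no such key.
FROM_VPC = {"aws:SourceVpc": "vpc-1234", "aws:SourceIp": "10.0.1.7"}
FROM_OTHER_VPC = {"aws:SourceVpc": "vpc-9999", "aws:SourceIp": "10.9.0.3"}
FROM_INTERNET = {"aws:SourceIp": "203.0.113.5"}


def check_all():
    invoke, get = "execute-api:Invoke", "s3:GetObject"
    return {
        "api_from_vpc": evaluate(API_POLICY, invoke, API_RESOURCE, FROM_VPC),
        "api_from_other_vpc": evaluate(API_POLICY, invoke, API_RESOURCE, FROM_OTHER_VPC),
        "api_from_internet": evaluate(API_POLICY, invoke, API_RESOURCE, FROM_INTERNET),
        "bucket_from_vpc": evaluate(BUCKET_POLICY, get, OBJECT, FROM_VPC),
        "bucket_from_internet": evaluate(BUCKET_POLICY, get, OBJECT, FROM_INTERNET),
    }


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:22s} -> {result}")
```

For the API policy, "ImplicitDeny" means the call is refused. The bucket policy contains only a Deny statement, so "ImplicitDeny" there means the bucket policy itself does not block the request and the decision falls to whatever else grants access (identity-based policies, public-access settings); "Deny" means nobody outside vpc-1234, including a browser fetching the static site, can read the objects.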
