I am adding a feature to a piece of software where I want an AWS Lambda function to be triggered via an HTTP request through API Gateway, where the Lambda function performs four functions with an ElastiCache cluster:

  • Posts a Key-Value Pair
  • Gets a Key-Value Pair
  • Deletes a Key-Value Pair
  • Updates a Key-Value Pair

I know that ElastiCache is by default configured to a VPC and that I can configure an AWS Lambda function for the same. However, I want to know what other security measures I can take for the link between API Gateway and AWS Lambda and the link between AWS Lambda and ElastiCache. For API Gateway and Lambda I was thinking of using OAuth or something along those lines. With Lambda to ElastiCache though, I am not sure how to ensure only that specific Lambda function accesses the ElastiCache other than using a VPC. Are there any other measures I can take to ensure security at those two links?

asked Aug 22, 2018 at 17:30

1 Answer

1

Unless you expose your ElastiCache cluster publicly (don't do this), you must run your Lambda in the VPC. You can control access to the ElastiCache cluster by using Security Groups.

Lambda allows API Gateway to invoke it by adding a resource-based policy (or Lambda permission) to the Lambda function. You don't need any other security between API Gateway and the Lambda function. Now, if you want to control who can call your API Gateway endpoints and thus invoke your Lambda functions, you have a couple of options.

  1. API Gateway API key
  2. API Gateway custom authorizer
  3. Have the Lambda function perform validation based on some header, parameter or whatever.
  4. Require IAM credentials to invoke your API Gateway
answered Aug 22, 2018 at 17:44
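
Option 2 from the answer above (an API Gateway custom authorizer), as an added example that is not part of the original answer: a Python TOKEN authorizer Lambda that denies by default and, for a valid token, allows only the four HTTP verbs on the calling API stage. The environment variable name, the principal IDs and the mapping of the four key-value operations to verbs are assumptions.

```python
import hmac
import os

# Assumption: the shared secret arrives through an environment variable
# (hypothetical name); the fallback is a constructed sample value.
EXPECTED_TOKEN = os.environ.get("CACHE_API_TOKEN", "constructed-sample-token")

# Assumed mapping of the question's get/post/update/delete operations.
ALLOWED_VERBS = ("GET", "POST", "PUT", "DELETE")


def build_policy(principal_id, effect, resources):
    """Return the response shape API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": resources,
            }],
        },
    }


def handler(event, context):
    # methodArn: arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{verb}/{path}
    method_arn = event.get("methodArn") or ""
    api_arn, _, rest = method_arn.partition("/")
    parts = rest.split("/", 2)

    token = event.get("authorizationToken") or ""
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]

    # Constant-time comparison; an empty token or malformed ARN never passes.
    valid = (
        bool(token)
        and len(parts) >= 2
        and hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode())
    )
    if not valid:
        return build_policy("anonymous", "Deny", [method_arn or "*"])

    # With authorizer result caching enabled, the cached policy is reused for
    # later requests carrying the same token, so it covers all four verbs on
    # this stage rather than only the method that triggered the call.
    stage = parts[0]
    resources = [f"{api_arn}/{stage}/{verb}/*" for verb in ALLOWED_VERBS]
    return build_policy("cache-client", "Allow", resources)
```
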