10-10-2023, 05:28 PM
Hey @kiroval479,
Great to see that you are migrating from monolith to Serverless.
(10-10-2023, 09:10 AM)kiroval479 Wrote: How should I handle authentication and authorization efficiently in a serverless pattern, especially considering the stateless nature of Lambda?
Definitely, unless your use-case is to have public open APIs. With API Gateway, you have a ton of options for adding auth to APIs - API key, IAM, Cognito, Custom authorizers. https://docs.aws.amazon.com/apigateway/l...o-api.html
(10-10-2023, 09:10 AM)kiroval479 Wrote: Are there specific security best practices or patterns when interfacing API Gateway with Lambda?
No one size fits all, but in the past, in applications that authenticate users with a Cognito User Pool, I've had the APIs authenticated with Cognito as well. In scenarios where the APIs are consumed by services in the same AWS account, IAM was the best choice. That said, always ensure there is basic authentication set, with rate limiting and throttling set in the usage plans.
(10-10-2023, 09:10 AM)kiroval479 Wrote: How can I ensure secure data transit between services, especially when integrating with other AWS services or external APIs?
Specifically for AWS service APIs, I'd recommend using AWS Signature in the HTTP API requests for an additional level of security.
(10-10-2023, 09:10 AM)kiroval479 Wrote: What monitoring and alerting mechanisms should I put in place to detect and respond to potential security threats?
Enable CloudWatch logs on both API Gateway and Lambda and, based on your use-case and how long you would need the logs, set a retention policy. You can set up CloudWatch alarms for usage-based triggers such as unauthenticated attempts, or the number of API invocations from the same origin vs. time in seconds. Also, check out GuardDuty (personally haven't tried it in a production env), which can scan for security threats.
(10-10-2023, 09:10 AM)kiroval479 Wrote: Are there any tools or AWS services specifically geared towards enhancing security in a serverless environment?
There are tools to detect incoming threats and also for threats as part of code dependencies.
AWS services which can be used for scanning and detecting security threats - GuardDuty, Macie, Inspector.
Third-party tools - Snyk and Thundra
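The "AWS Signature in the HTTP API requests" recommendation above, as an added example that is not part of the original post: a minimal Signature Version 4 signer for an IAM-authorized API Gateway route, using only the Python standard library. The access key, secret key, host and path are constructed placeholders, and the signing key is derived per day/region/service so the raw secret never signs a request directly.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "execute-api"  # SigV4 service name for API Gateway endpoints

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day/region/service key; the raw secret never signs a request."""
    k = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")

def sign_request(access_key, secret_key, region, method, host, path, query, body, amz_date=None):
    """Return the headers an IAM-authorized API Gateway route expects on the request."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    headers = {"host": host, "x-amz-date": amz_date}
    # Canonical request: the gateway rebuilds exactly this from what it receives,
    # so a tampered body, path or query string no longer matches the signature.
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    signed_headers = ";".join(sorted(headers))
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(query.items()))
    canonical_request = "\n".join([method.upper(), quote(path, safe="/-_.~"), canonical_query,
                                   canonical_headers, signed_headers,
                                   hashlib.sha256(body.encode("utf-8")).hexdigest()])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, SERVICE),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers

if __name__ == "__main__":
    # Constructed placeholder credentials and host, not real values.
    demo = sign_request("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "us-east-1",
                        "GET", "abc123.execute-api.us-east-1.amazonaws.com", "/prod/orders",
                        {"id": "42"}, "", "20231010T172800Z")
    for name, value in demo.items():
        print(f"{name}: {value}")
```

Fixing `x-amz-date` in the call keeps the output reproducible; in production, pass `None` so the current UTC timestamp is used, since the gateway rejects signatures whose date is too far from its clock.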