IAM and Lambda authorizers are two of the most requested features for Amazon API Gateway HTTP APIs. Now, HTTP APIs have both.
On Friday, Amazon Web Services (AWS) introduced new Amazon API Gateway HTTP APIs to its platform. These APIs allow you to create RESTful APIs that are faster and cost less than API Gateway REST APIs. Before this announcement, HTTP APIs already supported JWT authorizers and OAuth 2.0 frameworks; AWS is now adding AWS Identity and Access Management (IAM) authorizers as well as AWS Lambda authorizers.
IAM controls are incredibly important for all of your business systems, including cloud services. Using least privilege when providing access to systems and processes is always the best way to go. It’s better to not give access to someone and discover that they need it than to create an account for someone who never touches the system. This will reduce the surface area an attacker has to work with when trying to expose your company’s protected data.
From the AWS announcement, “AWS IAM roles and policies offer flexible, robust, and fully managed access controls, without writing any code. You can use IAM roles and policies to control who can create and manage your APIs, in addition to who can invoke them. IAM authorization for HTTP API routes is the best choice for internal or private APIs called by other AWS services like AWS Lambda.
IAM authorization for HTTP API APIs is similar to that for REST APIs. IAM access is determined by identity policies, which are attached to IAM users, groups, or roles. These policies define what identity can access which HTTP APIs routes.”
For those unfamiliar with AWS, Lambda is a service that lets you run code without worrying about servers; you pay only for the compute used. You can run code for just about any application or back-end service with no administration. You simply upload your code and Lambda handles the rest, including scaling and availability.
When a client makes a request to an HTTP API route, API Gateway invokes the Lambda authorizer to get an authorization decision. This can be used for custom authorization schemes that adhere to your security protocols. The new HTTP API Lambda authorizers have some new features, including a new payload and response format that offers a Boolean authorization option.
The new format version, 2.0, allows non-string values. If you need to use the same Lambda authorizers for both REST and HTTP APIs, you can stay with version 1.0 for compatibility. With version 1.0, however, the Lambda authorizer must return an IAM policy that allows or denies access to your API route, much like the existing REST APIs.
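As an added example (not code from AWS or from this article), here is a Python Lambda authorizer that answers in both formats described above: a Boolean simple response for payload format 2.0 and an IAM policy for version 1.0. The `AUTHORIZER_TOKEN` variable, the shared-token check, the `principalId` value and the sample events are assumptions made for illustration.

```python
import hmac
import os

# Assumption: the shared secret arrives in a hypothetical environment variable;
# the fallback is a constructed value so the example runs offline.
EXPECTED_TOKEN = os.environ.get("AUTHORIZER_TOKEN", "constructed-demo-token")


def token_is_valid(event):
    # Look the header up case-insensitively; a missing header fails closed.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    supplied = headers.get("authorization") or ""
    return hmac.compare_digest(supplied.encode(), EXPECTED_TOKEN.encode())


def iam_policy(effect, resource):
    # Format 1.0 response: an IAM policy that allows or denies the route.
    return {
        "principalId": "caller",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": resource}],
        },
    }


def handler(event, context=None):
    allowed = token_is_valid(event)
    if event.get("version") == "2.0":
        # Format 2.0 simple response: a Boolean decision, plus context values
        # that do not have to be strings (here an int and a bool).
        return {"isAuthorized": allowed,
                "context": {"quota": 100, "internal": True} if allowed else {}}
    # Any other event is answered in the 1.0 style, scoped to the called route.
    resource = event.get("methodArn")
    if not resource:
        return iam_policy("Deny", "*")  # nothing to scope an Allow to
    return iam_policy("Allow" if allowed else "Deny", resource)


# Constructed sample events; the account id and API id are placeholders.
ARN = "arn:aws:execute-api:us-east-1:123456789012:abcdef123/test/GET/items"
EVENT_V2 = {"version": "2.0", "type": "REQUEST", "routeArn": ARN,
            "headers": {"authorization": EXPECTED_TOKEN}}
EVENT_V1 = {"version": "1.0", "type": "REQUEST", "methodArn": ARN,
            "headers": {"Authorization": "wrong-token"}}
```

The Boolean form is only accepted when simple responses are enabled on the authorizer; the policy form scopes the decision to the single route ARN rather than a wildcard.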
According to the AWS announcement, “IAM and Lambda authorizers are two of the most requested features for Amazon API Gateway HTTP APIs.” That is why AWS made these authorizers available in regions where API Gateway is available.
The official announcement on the AWS website gives a thorough description of the authorizers. If there’s one thing Amazon as a whole has excelled at, it’s listening to its customers. When the desire or request comes from the masses, they do what they can to make it happen. Such is the case with AWS IAM and Lambda authorizers.