Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers

Pragti Chauhan

Serverless applications have become popular amongst developers due to benefits like better scalability, flexibility, time efficiency, and reduced costs. However, with every technology or framework, awareness of the components involved is essential to ensure that the implementation is as optimised, reliable, and secure as possible.

This tech talk was presented by Alexandre Sieira and Leonardo Viveiros. Alexandre Sieira is a successful information security entrepreneur who has presented at security conferences such as Black Hat, DEF CON Cloud Village, BSides San Francisco and the FIRST conference. Leonardo Viveiros is a software engineer with experience in building cloud-native solutions and front-end applications, and currently works as a DevSecOps specialist.

This video is part of the tech talks presented at Cloud Village. Cloud Village is an open space dedicated to people interested in cloud security; it runs talks, workshops, CTFs and discussions around cloud security.

What to expect from this video

The following topics are covered in this video:

  1. Introduction to serverless application security issues in AWS
  2. Why should you care
  3. API Gateway overview
  4. Lambda Authorizers overview
  5. Lambda Authorizer policy documents
  6. Security issue with the usage of "*" in policy documents



Key Takeaways

Deploying serverless applications on the cloud is easier and faster than ever, and AWS lets users build and scale serverless applications with little effort. However, the way API Gateway Lambda Authorizer policy documents work raises some security concerns.

This video introduces the basic concepts of API Gateway and Lambda Authorizers, two services that are often used in serverless architectures. The speakers walk through how policy documents returned by Lambda Authorizers work and how using "*" in them can cause unintended behaviour that raises security concerns. The talk demonstrates useful examples that make the security issue easier to understand and show why one must make a conscious decision before using "*" in a policy document.
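The following is an added example, not code from the talk or from AWS, that shows the two policy-document shapes the takeaway above contrasts: an authorizer that returns `"*"` as the `Resource`, and one that returns the exact `methodArn` API Gateway passed in. A small evaluator applies IAM-style wildcard matching so the difference is visible offline; the ARNs, account id, API id and the `VALID_TOKENS` lookup are constructed placeholders. The reason the wildcard matters in practice is that API Gateway can cache the authorizer response per token, so a wildcard policy returned for one route is reused for any other route that token later calls.

```python
import json
import re

# Constructed sample values; the account id, API id and tokens are placeholders,
# not anything taken from the talk.
SAMPLE_METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/orders"
OTHER_METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/DELETE/admin/users"
VALID_TOKENS = {"token-for-alice": "alice"}  # hypothetical token-to-principal lookup


def build_policy(principal_id, effect, resource):
    """Shape of the response a Lambda authorizer returns to API Gateway."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
            ],
        },
    }


def wildcard_allow_policy(principal_id):
    """Weak form: Resource "*" covers every method of every route the API exposes."""
    return build_policy(principal_id, "Allow", "*")


def scoped_allow_policy(principal_id, method_arn):
    """Corrected form: allow only the method ARN the caller actually invoked."""
    return build_policy(principal_id, "Allow", method_arn)


def _resource_matches(pattern, method_arn):
    # IAM treats "*" in a Resource as "match any sequence of characters".
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, method_arn) is not None


def policy_allows(policy, method_arn):
    """Minimal evaluator: an explicit Deny wins, otherwise any matching Allow grants access."""
    allowed = False
    for stmt in policy["policyDocument"]["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(_resource_matches(r, method_arn) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def lambda_handler(event, context=None):
    """TOKEN-type authorizer entry point (event carries authorizationToken and methodArn)."""
    principal = VALID_TOKENS.get(event.get("authorizationToken", ""))
    method_arn = event["methodArn"]
    if principal is None:
        # Unknown token: deny exactly this method (API Gateway then answers 403).
        return build_policy("anonymous", "Deny", method_arn)
    return scoped_allow_policy(principal, method_arn)


if __name__ == "__main__":
    loose = wildcard_allow_policy("alice")
    tight = lambda_handler({"authorizationToken": "token-for-alice", "methodArn": SAMPLE_METHOD_ARN})
    for name, policy in (("wildcard", loose), ("scoped", tight)):
        print(name, "allows GET /orders:", policy_allows(policy, SAMPLE_METHOD_ARN),
              "| allows DELETE /admin/users:", policy_allows(policy, OTHER_METHOD_ARN))
    print(json.dumps(tight, indent=2))
```

Running the block shows that the wildcard policy allows both the route the caller asked for and the unrelated admin route, while the scoped policy allows only the one method ARN it was built from. Scoping the `Resource` to the incoming `methodArn` (or to a deliberately chosen list of ARNs the principal is entitled to) is the decision the speakers ask you to make consciously.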
