Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers

Pragti Chauhan


On AWS, Lambda Authorizers are frequently used with API Gateway; however, one must be careful when writing the policy documents a Lambda Authorizer returns. This tech talk by Alexandre & Leonardo walks through examples that showcase attack vectors for APIs protected by AWS API Gateway Lambda Authorizers.

Introduction

Serverless applications have become popular amongst developers due to benefits like better scalability, flexibility, time efficiency, and reduced costs. However, as with every technology or framework, awareness of the components involved is essential to ensure that the implementation is as optimised, reliable, and secure as possible.

This tech talk was presented by Alexandre & Leonardo. Alexandre Sieira is a successful information security entrepreneur and has presented at various security conferences such as Black Hat, DEF CON Cloud Village, BSides San Francisco, and the FIRST conference. Leonardo Viveiros is a software engineer with experience building cloud-native solutions and front-end applications, currently working as a DevSecOps specialist.

This video is part of the tech talks presented at Cloud Village. Cloud Village is an open space dedicated to people interested in cloud security, hosting talks, workshops, CTFs, and discussions around cloud security.

What to expect from this video

The following topics are covered in this video:

  1. Introduction to serverless application security issues in AWS
  2. Why should you care
  3. API Gateway overview
  4. Lambda Authorizers overview
  5. Lambda Authorizers policy document
  6. Security issue with the usage of "*" in policy documents

Video

https://www.youtube.com/watch?v=bsPKk7WDOnE

Key Takeaways

Deploying serverless applications on the cloud is easier and faster than ever. AWS makes it straightforward to build and scale serverless applications; however, the way API Gateway evaluates the policy documents returned by Lambda Authorizers raises some security concerns.

This video introduces you to the basic concepts of API Gateway and Lambda Authorizers - services that are often used in serverless architectures. The speakers walk through how policy documents for Lambda Authorizers function and how the use of "*" in them can cause unintended behaviour, raising security concerns. This is an interesting tech talk in which useful examples are demonstrated to help understand the security issue at hand, and why one must make a conscious decision when using "*" in policy documents.
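To make the policy-document issue concrete, here is an added example (not code from the talk or from the speakers) of a TOKEN-type Lambda authorizer written two ways, plus a simplified model of how the returned policy is evaluated for a later request. The token value, the `methodArn`, the principal name `user-1`, and the `ALLOWED_ROUTES` table are all constructed for illustration. The point it shows: API Gateway caches the returned policy per caller for the configured TTL and reuses it for that caller's subsequent requests, so a `Resource` of `arn:aws:execute-api:*:*:*` means a token that was only ever checked against `GET /users` also clears `DELETE /admin/users/42` until the cache expires.

```python
import json
import re

# Constructed sample inputs (not from the talk): a valid bearer token and the
# methodArn that API Gateway passes to a TOKEN-type Lambda authorizer.
VALID_TOKEN = "Bearer example-token-user-1"
SAMPLE_EVENT = {
    "type": "TOKEN",
    "authorizationToken": VALID_TOKEN,
    "methodArn": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/users",
}

# Hypothetical authorization data: the routes each principal may invoke.
ALLOWED_ROUTES = {
    "user-1": [("GET", "users"), ("GET", "users/me")],
}


def parse_method_arn(method_arn: str) -> dict:
    """Split arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{verb}/{path}."""
    _, _, rest = method_arn.partition(":execute-api:")
    region, account, api_path = rest.split(":", 2)
    api_id, stage, verb, resource = api_path.split("/", 3)
    return {"region": region, "account": account, "api_id": api_id,
            "stage": stage, "verb": verb, "resource": resource}


def build_response(principal_id: str, resources: list) -> dict:
    """Authorizer response: principalId plus an IAM policy allowing execute-api:Invoke."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow",
                "Resource": resources,
            }],
        },
    }


def authenticate(event: dict) -> str:
    """Map the token to a principal; API Gateway turns this exception into a 401."""
    if event.get("authorizationToken") != VALID_TOKEN:
        raise Exception("Unauthorized")
    return "user-1"


def weak_authorizer(event: dict) -> dict:
    """Weak form: the token is valid, so allow '*'. Once cached, this policy
    covers every verb and path of every stage for this caller."""
    principal = authenticate(event)
    return build_response(principal, ["arn:aws:execute-api:*:*:*"])


def scoped_authorizer(event: dict) -> dict:
    """Hardened form: enumerate the methods this principal may invoke on the
    API and stage being called; nothing else matches, even from the cache."""
    principal = authenticate(event)
    arn = parse_method_arn(event["methodArn"])
    base = f"arn:aws:execute-api:{arn['region']}:{arn['account']}:{arn['api_id']}/{arn['stage']}"
    resources = [f"{base}/{verb}/{path}" for verb, path in ALLOWED_ROUTES[principal]]
    return build_response(principal, resources)


def _arn_matches(pattern: str, method_arn: str) -> bool:
    """IAM-style wildcard match: '*' spans any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, method_arn) is not None


def is_allowed(response: dict, method_arn: str) -> bool:
    """Simplified model of evaluating the cached policy for a later request:
    an explicit Deny wins, otherwise any matching Allow, otherwise default Deny."""
    decision = False
    for stmt in response["policyDocument"]["Statement"]:
        if stmt["Action"] not in ("execute-api:Invoke", "execute-api:*", "*"):
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(_arn_matches(r, method_arn) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def compare(event: dict, later_method_arn: str) -> dict:
    """Authorize `event` once with each authorizer, then replay the cached
    policy against a different method requested by the same caller."""
    return {
        "weak": is_allowed(weak_authorizer(event), later_method_arn),
        "scoped": is_allowed(scoped_authorizer(event), later_method_arn),
    }


if __name__ == "__main__":
    admin_delete = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/DELETE/admin/users/42"
    print(json.dumps(scoped_authorizer(SAMPLE_EVENT), indent=2))
    print(compare(SAMPLE_EVENT, admin_delete))
```

The scoped form deliberately lists every route the principal may use rather than echoing back only the incoming `methodArn`: with caching enabled, a policy that allows a single method would make the caller's next request to any other legitimate method fail until the TTL expires, which is the usual reason developers reach for `*` in the first place. Enumerating the allowed ARNs keeps the cache useful without granting the whole API.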
