Securing an AWS API Gateway with Lambda integration

Updated: 2024-10-22 15:27:46
This article covers how to secure an AWS API Gateway that is backed by Lambda integrations.

Question


I am creating a publicly available API using API Gateway which is backed with lambda functions to do some processing. I have secured it with a custom security header that implements hmac authentication with timestamp to protect against replay attacks. I understand that API Gateway protects against DDOS attacks through its high availability, but any invalid requests will still be passed to the lambda authentication function. So, I guess an attacker can submit invalid unauthenticated requests resulting in high costs. It will take a considerable number of requests to cause damage but it is still very doable. What is the best way to protect against that? Thank you.

Answer


API Gateway will not charge you for unauthenticated requests; however, you would be charged by Lambda for the invocation on the authorizer.


API Gateway offers a semi-useful mitigation to this problem in the form of the 'identity validation expression' on the Authorizer, which is just a regex that is matched against the incoming identity source header.


Besides that, you might want to just implement some kind of negative cache or validation yourself in the Authorizer function to minimize the billed milliseconds.
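An added example, not code from the question or answer, of a Lambda REQUEST authorizer that applies both mitigations from the answer: a cheap header-format check (the same idea as the identity validation expression) and a per-container negative cache, so repeated invalid headers are denied before any HMAC computation and the billed milliseconds stay small. The `X-Auth` header layout, the shared secret and the 300-second replay window are assumptions.

```python
import hashlib
import hmac
import re
import time

# Constructed secret and settings for this example (assumptions, not from the page).
SECRET = b"example-shared-secret"
# Format check, like API Gateway's identity validation expression: "HMAC ts=<10 digits>,sig=<hex sha256>"
HEADER_RE = re.compile(r"^HMAC ts=(\d{10}),sig=([0-9a-f]{64})$")
MAX_SKEW = 300        # seconds the timestamp may differ from now (replay window)
NEG_CACHE_TTL = 60    # seconds to remember a rejected header
_neg_cache = {}       # header -> expiry; survives between warm invocations of one container


def _policy(effect, method_arn):
    return {"principalId": "client",
            "policyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Action": "execute-api:Invoke",
                                              "Effect": effect, "Resource": method_arn}]}}


def expected_sig(ts, method_arn):
    # Signature binds the timestamp to the invoked method ARN.
    msg = f"{ts}\n{method_arn}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify(header, method_arn, now=None):
    """Return 'Allow' or 'Deny'; cheap rejections come first so bad requests cost few billed ms."""
    now = time.time() if now is None else now
    exp = _neg_cache.get(header)
    if exp is not None:
        if exp > now:
            return "Deny"          # recently rejected: skip the regex and the crypto entirely
        del _neg_cache[header]
    m = HEADER_RE.match(header or "")
    if not m:
        _neg_cache[header] = now + NEG_CACHE_TTL
        return "Deny"
    ts, sig = int(m.group(1)), m.group(2)
    # Reject stale timestamps (replay) and wrong signatures; compare_digest avoids timing leaks.
    if abs(now - ts) > MAX_SKEW or not hmac.compare_digest(sig, expected_sig(ts, method_arn)):
        _neg_cache[header] = now + NEG_CACHE_TTL
        return "Deny"
    return "Allow"


def lambda_handler(event, context):
    # REQUEST authorizer event: headers plus methodArn (field names as in the AWS docs).
    header = (event.get("headers") or {}).get("X-Auth")
    return _policy(verify(header, event["methodArn"]), event["methodArn"])
```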


Published: 2023-11-24 04:27:34
Source: https://www.elefans.com/category/jswz/34/1623967.html