Lambda Authorizer – Secure Access to User’s Data in RDS

  • Jeffery Williams
  • January 18, 2022

The Lambda authorizer will allow users to securely access their own data in RDS without having to worry about exposing it. This is a major step towards improving security for DBAs across the board.

In order to make sure that your data is secure, you need to implement a serverless lambda authorizer. This will allow the user to enter their credentials and authorize access to their data with just a few clicks.

In this video, you’ll learn how to use Lambda Authorizer to safeguard access to user data in RDS.

  • The Lambda Authorizer function will first authenticate the caller by validating the JWT with the nimbus-jose-jwt library.
  • The Lambda Authorizer will then produce an output object containing an IAM policy.
  • The Authorizer will also return additional data in the context object, such as sub, which corresponds to the user-id.
  • If access is allowed after the policy is evaluated, API Gateway will execute the method and invoke the Lambda function that contains the implementation to access user data from RDS.
  • In our Lambda function, we’ll first verify that the user-id supplied in the path parameter and the one returned by the Lambda Authorizer, i.e. sub, are the same.
  • If they are, the function reads the user’s data from the database.

Now it’s time to get to work on the implementation!

Create an instance of the RDS database.

To set up an RDS instance, follow these steps.

  • We’ll start by going to the Services page and then typing RDS.
  • After that, we’ll choose Create Database.
  • We’ll choose Standard Create as our database creation method.
  • We’ll choose MySQL as the engine type under Engine Option.
  • Then, in Templates, we’ll choose the Free tier for the time being. RDS Free Tier is intended for use in the development of new applications, testing of current apps, and gaining hands-on experience with Amazon RDS.
  • Then, under Credentials Settings, we’ll set a password.
  • Under Connectivity, we’ll make our RDS instance publicly accessible so that we can connect to it from MySQL Workbench on our PC.
  • Under VPC security group, we’ll select Create New and give our security group a name.
  • Under Additional Information, we’ll supply a database name, such as mylambdadb. We’ll now choose Create Database.

Our newly created RDS instance can be seen here.

Security Group

Here we can see the inbound rules of our RDS security group. Note that we will add an entry for the security group of our Lambda function so that it can access the database to get user data.

Create an API using API Gateway

To create an API:

  • We’ll navigate to the Services tab and put API Gateway into the search box.
  • After that, we’ll press the Create API button.
  • Then we’ll choose an API type, such as REST API, and click Build.
  • Following that, we’ll give our API a name and then click Create API.
  • We’ll select Create Resource under Actions, then input the Resource name, such as users, and then click Create Resource.
  • Then we’ll pick /users and, under Actions, click Create Resource once again.
  • We will supply the Resource name, user-id, and wrap user-id in curly brackets in Resource Path, i.e. {user-id}, so that we can send it as a path parameter.
  • Now we’ll choose /{user-id} and then click Create Method from the Actions menu.
  • After that, we’ll pick GET and tick the box.
  • After that, we’ll type in the name of our Lambda function and hit Save.
  • We’ll choose Authorizers from the left pane and then create an Authorizer for our Lambda function.
  • The Authorizer will then be attached to our Lambda function. We covered how to develop a Lambda Authorizer in Java in depth in the last lesson.
  • After setting the Authorizer, we’ll open Mapping Templates and then click on Integration Request.
  • Here we’ll choose “When there are no templates defined”, click Add mapping template, and enter application/json as the Content-Type.
  • Now we’ll pick Empty in Generate template and read sub from the Lambda Authorizer context object and user-id from the path parameter; the handler below expects them under the keys sub and userid.
  • Finally, under the Actions menu, we will choose Deploy API.

Response from the Lambda Authorizer

Lambda Authorizer has returned the sub attribute along with the Policy Document in this case.
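
The response shape described here, as an added Java example (not the tutorial's own authorizer, which is covered in the previous lesson): it validates the token with nimbus-jose-jwt and returns the IAM policy together with sub in the context object. The class name, the HS256 shared-secret signing scheme and the caller-supplied methodArn are assumptions; the page does not say how its tokens are signed.

```java
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

// Added example; class name and HS256 signing are assumptions, not from the tutorial.
public class AuthorizerResponseExample {

    // Returns the subject of a valid token, or null if the token must be rejected.
    static String validatedSubject(String token, byte[] secret) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // Pin the algorithm before verifying so the token cannot choose it.
            if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) return null;
            if (!jwt.verify(new MACVerifier(secret))) return null;
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || !exp.after(new Date())) return null;   // missing or expired
            return claims.getSubject();
        } catch (Exception e) {
            return null;   // malformed token or verifier error
        }
    }

    // Builds the authorizer output: principalId, policyDocument and context.
    public static Map<String, Object> authorize(String token, byte[] secret, String methodArn) {
        String sub = validatedSubject(token, secret);
        Map<String, Object> statement = new HashMap<>();
        statement.put("Action", "execute-api:Invoke");
        statement.put("Effect", sub != null ? "Allow" : "Deny");
        statement.put("Resource", methodArn);

        Map<String, Object> policy = new HashMap<>();
        policy.put("Version", "2012-10-17");
        policy.put("Statement", Collections.singletonList(statement));

        Map<String, Object> output = new HashMap<>();
        output.put("principalId", sub != null ? sub : "unknown");
        output.put("policyDocument", policy);
        // API Gateway exposes this to mapping templates as $context.authorizer.sub.
        output.put("context", Collections.singletonMap("sub", sub != null ? sub : ""));
        return output;
    }
}
```

A mapping template on the integration request can then pass "$context.authorizer.sub" as sub and "$input.params('user-id')" as userid to the handler.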

GetUserDetailsHandler

Following is our handler class, which reads the value of sub that the Lambda Authorizer decoded from the Authorization token and the user-id passed as a path parameter from a Map<String, String>. First, we compare them; if they are not the same, the user has provided an invalid user-id. If they are the same, we invoke UserDetailsService.

    import java.util.Map;

    import com.amazonaws.services.lambda.runtime.Context;
    import com.amazonaws.services.lambda.runtime.RequestHandler;

    public class GetUserDetailsHandler implements RequestHandler<Map<String, String>, Object> {

        @Override
        public Object handleRequest(Map<String, String> request, Context context) {
            // Response messages are configured as Lambda environment variables.
            String INVALID_ID = System.getenv("INVALID_ID");
            String SUCCESS = System.getenv("SUCCESS");
            String NOT_FOUND = System.getenv("NOT_FOUND");
            Response response = new Response();
            try {
                // Serve the request only if the path user-id matches the sub from the token.
                if (request.get("userid").equals(request.get("sub"))) {
                    UserProfile userProfile = UserDetailsService.getUserDetails(request.get("userid"));
                    if (userProfile == null) {
                        response.setMessage(NOT_FOUND);
                        return response;
                    }
                    response.setMessage(SUCCESS);
                    response.setUserProfile(userProfile);
                    return response;
                }
                response.setMessage(INVALID_ID);
                return response;
            } catch (Exception ex) {
                response.setMessage(ex.getMessage());
                return response;
            }
        }
    }

UserDetailsService

The service class for our Lambda function is shown below. It retrieves the username, password, and database URL from the environment variables set in the Lambda function configuration and passes them to the UserDetailsDao constructor to establish a database connection.

    import java.sql.SQLException;

    public class UserDetailsService {

        public static UserProfile getUserDetails(String userId) throws SQLException {
            // Database credentials and URL come from the Lambda environment variables.
            String username = System.getenv("dbUsername");
            String password = System.getenv("dbPassword");
            String url = System.getenv("dbURL");
            UserDetailsDao userDetailsDao = new UserDetailsDao(username, password, url);
            UserProfile userProfile = userDetailsDao.getUserDetails(userId);
            return userProfile;
        }
    }

UserDetailsDao

We obtain user data from the database using the user-id supplied to the getUserDetails method in the following class.

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;

    public class UserDetailsDao {

        // Shared so that an already open connection is reused instead of reopened.
        private static Connection connection;

        public UserDetailsDao(String username, String password, String url) throws SQLException {
            if (connection == null || connection.isClosed()) {
                connection = DriverManager.getConnection(url, username, password);
            }
        }

        public UserProfile getUserDetails(String userId) throws SQLException {
            // Bind userId as a parameter so it is never parsed as part of the SQL text.
            String query = "SELECT * FROM UserProfile where user_id = ?";
            try (PreparedStatement stmt = connection.prepareStatement(query)) {
                stmt.setString(1, userId);
                try (ResultSet rs = stmt.executeQuery()) {
                    if (rs.next()) {
                        UserProfile userProfile = new UserProfile();
                        userProfile.setFirstName(rs.getString("first_name"));
                        userProfile.setLastName(rs.getString("last_name"));
                        userProfile.setAge(rs.getInt("age"));
                        return userProfile;
                    }
                }
            }
            return null;
        }
    }

UserProfile

    public class UserProfile {

        String firstName;
        String lastName;
        int age;

        public String getFirstName() {
            return firstName;
        }

        public void setFirstName(String firstName) {
            this.firstName = firstName;
        }

        public String getLastName() {
            return lastName;
        }

        public void setLastName(String lastName) {
            this.lastName = lastName;
        }

        public int getAge() {
            return age;
        }

        public void setAge(int age) {
            this.age = age;
        }
    }

Response

    public class Response {

        String message;
        UserProfile userProfile;

        public String getMessage() {
            return message;
        }

        public void setMessage(String message) {
            this.message = message;
        }

        public UserProfile getUserProfile() {
            return userProfile;
        }

        public void setUserProfile(UserProfile userProfile) {
            this.userProfile = userProfile;
        }
    }

pom.xml

    Project: groupId aws-lambda-access-db, artifactId access-db, version 0.0.1-SNAPSHOT, packaging jar, modelVersion 4.0.0, url http://maven.apache.org
    Plugins (org.apache.maven.plugins): maven-compiler-plugin 3.6.0 (source and target 1.8, UTF-8); maven-shade-plugin 3.0.0 (shade goal, package phase)
    Dependencies: mysql:mysql-connector-java 8.0.27; com.amazonaws:aws-lambda-java-core 1.2.0; com.amazonaws:aws-lambda-java-events 2.2.5; junit:junit 3.8.1 (test scope)

Testing

Now it’s time to test our implementation. We can access user data from the database if we supply a valid user-id in the path parameter together with a valid token.

As you can see, submitting an invalid user-id in the path parameter results in the response “Invalid User ID.” Note that we’ve supplied a valid token with an invalid user-id in this case.

You can see that we gave a valid user-id and a valid token in this case. However, since no data for the user exists in the database, the Lambda function returns “No user information discovered.”

1642514002_118_Lambda-Authorizer-Secure-Access-to-Users-Data-in-RDS

The Authorization token is invalid in this case, so the message “User is not authorized to access this resource with an explicit deny” appears. Because JWT validation fails, the Lambda Authorizer never passes this request on to the Lambda function.

Conclusion

With this, we have come to the end of our tutorial. In this tutorial, we learned how we can secure access to users’ data in RDS using Lambda Authorizer. First, we walked through the creation of an RDS database instance. Then we learned how to create an API using API Gateway. After that, we walked through the code of our Lambda function that accesses user data from RDS. And in the end, we tested our implementation using Postman Client.

Stay tuned for more useful instructions in the future, and please leave any feedback in the comments area.

Good luck with your studies!

Frequently Asked Questions

Can Lambda access RDS?

A: Yes, Lambda can access the RDS interface.

How do I secure API gateway with Lambda authorizer?

A: To secure the API gateway, you need to create a new Lambda function. Once that is done, you can set it to only allow specific HTTP methods. You will also want to configure your Lambda function with policies and authorize (authorization) functions in order for it to talk securely over HTTPS.

Are AWS Lambda environment variables secure?

A: Yes, all AWS Lambda environment variables are secure. There have been no known vulnerabilities in the history of this service.
