Secure Amazon API Gateway requests with signature v4 using AWS Lambda@Edge

CloudFront → Lambda@Edge → HTTP API → AWS Lambda

Secure API Gateway requests with signature v4 using Lambda@Edge

* When a client requests the CloudFront distribution domain name, the Lambda@Edge function is triggered and signs the request with AWS Signature Version 4.
* The HTTP API is secured with IAM authorization.
* The role attached to the Lambda@Edge function has permission to invoke the API, so because the function signs the request, an unauthenticated user is able to get the response from the backend Lambda through the HTTP API.
* This pattern demonstrates how to secure an HTTP API, but with small changes to the Lambda@Edge function it can be adapted to secure other AWS services.
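
The signing step that the Lambda@Edge function performs, shown as an added example (not the pattern's own code): a Python Signature Version 4 signer for the `execute-api` service. The host, region and credential values are constructed; in Lambda@Edge the credentials would come from the function's execution role, and query strings are left out.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

def sign_request(method, host, path, body, creds, region, now, service="execute-api"):
    """Return the headers SigV4 adds. `path` is the wire (already encoded) path,
    `now` must be UTC, and the query string is assumed empty."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date,
               "x-amz-content-sha256": hashlib.sha256(body).hexdigest()}
    if creds.get("token"):  # role credentials are temporary and carry a token
        headers["x-amz-security-token"] = creds["token"]
    names = sorted(headers)
    signed = ";".join(names)
    # Canonical request: every signed element is bound into the signature.
    canonical = "\n".join([
        method,
        quote(path, safe="/-_.~"),  # non-S3 services encode the path again
        "",                          # canonical query string (empty here)
        "".join(f"{n}:{headers[n]}\n" for n in names),
        signed,
        headers["x-amz-content-sha256"]])
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key: HMAC chain over date, region, service, terminator.
    key = ("AWS4" + creds["secret"]).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['key_id']}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers

if __name__ == "__main__":
    # Constructed sample values; none of these are real credentials or endpoints.
    creds = {"key_id": "ASIAEXAMPLE", "secret": "constructed-secret",
             "token": "constructed-session-token"}
    host = "example123.execute-api.eu-west-1.amazonaws.com"
    now = datetime.now(timezone.utc)
    for p in ("/orders", "/admin"):  # a different path yields a different signature
        print(p, sign_request("GET", host, p, b"", creds, "eu-west-1", now)["authorization"])
```

API Gateway recomputes the same signature from the request it receives, so a request altered after signing, or sent without these headers, fails IAM authorization.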



Clone repo

git clone https://github.com/aws-samples/serverless-patterns/
cd serverless-patterns/cloudfront-le-apigw-cdk

Deploy

cdk deploy


Testing

See the GitHub repo for testing instructions.

Cleanup

Delete the stack: cdk destroy

Created by:

Corneliu Croitoru


Developer at heart. Joined AWS in 2018 as a Solution Architect and, since 2021, has been building, jointly with customers, the most exciting and innovative prototypes on AWS.
