fivexl / terraform-aws-sso-elevator

Slack bot to temporary assign AWS SSO Permission set to a user
https://registry.terraform.io/modules/fivexl/sso-elevator/aws/latest
Apache License 2.0

Limitation of request to lambda from internet #93

Open oleksandrsv opened 1 month ago

oleksandrsv commented 1 month ago

Hi, as the lambda function is open to the internet and some people may share its URL, AWS can provide 100k requests per second for lambda. It makes no sense for the lambda if there are 100-150 users in the company. AWS recommends adding API Gateway and limiting it there. However, maybe there is an option to block such requests using default AWS settings for lambda? Thank you.

EreminAnton commented 1 month ago

Hi! Thank you for opening this issue!

The latest version 4.1.0 of the SSO Elevator module includes an integrated API Gateway. You now have the option to choose between using a Lambda URL and the API Gateway. In future releases, the Lambda URL will be deprecated.

Would migrating to the API Gateway address your concerns?

oleksandrsv commented 1 month ago

I mean like these settings:

  # module.aws_sso_elevator.module.http_api[0].aws_apigatewayv2_stage.this[0] will be updated in-place
  ~ resource "aws_apigatewayv2_stage" "this" {
        id              = "default"
        name            = "default"
        tags            = {}
        # (8 unchanged attributes hidden)

      - route_settings {
          - data_trace_enabled       = false -> null
          - detailed_metrics_enabled = true -> null
          - route_key                = "POST /access-requester" -> null
          - throttling_burst_limit   = 1 -> null
          - throttling_rate_limit    = 1 -> null
        }
      + route_settings {
          + data_trace_enabled       = false
          + detailed_metrics_enabled = true
          + logging_level            = (known after apply)
          + route_key                = "POST /access-requester"
          + throttling_burst_limit   = 500
          + throttling_rate_limit    = 1000
        }

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

oleksandrsv commented 1 month ago

So the idea is to limit the execution of lambda by limiting API Gateway to 1 execution at a time at least instead of 500/1000. wdyt?

EreminAnton commented 1 week ago

Hi,

I'm sorry for not getting back to you sooner.

We’ve already implemented a check in the Lambda code to ensure that users cannot submit the same request before the previous one has been processed: https://github.com/fivexl/terraform-aws-sso-elevator/blob/main/src/main.py#L99

Additionally, we’ve restricted access to the created API Gateway using CORS: https://github.com/fivexl/terraform-aws-sso-elevator/blob/main/slack_handler_lambda.tf#L219

cors_configuration = {
  allow_credentials = true
  allow_origins     = ["https://slack.com"]
  allow_methods     = ["POST"]
  max_age           = 86400
}

So, only Slack can send requests to this API Gateway, and it does so only when we use the /access command in the Slack bot. I’m not sure if reducing the number of possible requests would help with anything. Are there any other concerns that make you think we should limit the execution of the Lambda function by restricting the API Gateway?
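The throttling_burst_limit / throttling_rate_limit pair in the plan output above follows the token-bucket model API Gateway uses (burst is the bucket size, rate is the refill per second). As an added example that is not part of the project or this thread, the simulation below shows how the two settings discussed (1/1 versus 500/1000) treat a constructed burst of requests and a single user retrying too quickly:

```python
"""Token-bucket simulation of API Gateway v2 route throttling (added example)."""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    burst: int          # throttling_burst_limit: bucket capacity
    rate: float         # throttling_rate_limit: tokens refilled per second
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)  # bucket starts full

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # API Gateway would answer this request with 429


def simulate(arrivals, burst, rate):
    """One bool per request time (seconds, non-decreasing): accepted or throttled."""
    bucket = TokenBucket(burst=burst, rate=rate)
    return [bucket.allow(t) for t in arrivals]


def accepted_count(arrivals, burst, rate):
    """Number of requests in the trace that get through the throttle."""
    return sum(simulate(arrivals, burst, rate))


if __name__ == "__main__":
    # Constructed trace: 1000 requests arriving in the same instant
    flood = [0.0] * 1000
    print("burst 500 / rate 1000:", accepted_count(flood, 500, 1000))  # 500 pass
    print("burst 1 / rate 1:", accepted_count(flood, 1, 1))            # only the first passes
    # Constructed trace: one user retries twice within a second, then waits
    print(simulate([0.0, 0.0, 0.5, 1.5], 1, 1))  # [True, False, False, True]
```

With 1/1 a legitimate user who double-clicks the /access command gets the second request throttled, which is the trade-off the thread is weighing against the 500/1000 defaults.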