I have an AWS static site in an S3 bucket, accessible through CloudFront, and a bunch of Lambda functions that form the backend of the site. Is there anything else I can/should do security-wise to guard against someone unauthorized running any of the Lambda functions? Since I wanted to make sure the webpage didn't offer any additional holes, it is behind its own WebACL. Since I know the IPs of my users I set up:

  • a web ACL for the API Gateway that allows a whitelist of IPs (US-east)
  • a web ACL for the CloudFront endpoint that allows the same IPs (global)
  • a simple Lambda login function that matches a hardcoded password. Successful login sets a token which gets passed to a Lambda authorizer.
Rilcon42
  • There are tons and tons of things you could do. What are your risks? What are you concerned about? – schroeder Nov 05 '19 at 09:26
  • Get a benchmark of your account, look up "prowler" and read the author's blog. This will highlight how your AWS management plane, coupled with the services you use, may be insecure. Then threat model looking at STRIDE and understand how each threat is mitigated. CAIQ-lite is also a good start. But as Schroeder said, it boils down to which perspectives you care about, CIA, which threat actors and the sophistication/risk appetite. – user2505690 Nov 05 '19 at 21:13

1 Answer

-1

I have a question: is it not possible to spoof here? I am assuming I get to the landing page once I get the IP right?

Then we have the hardcoded password which I am not a fan of.

https://www.owasp.org/index.php/Use_of_hard-coded_password

These are the ones, in correlation to your statement, that I would suggest you go through:

https://www.cloudconformity.com/knowledge-base/aws/CloudFront/

These are places to start, I guess. Also, I am sorry for the formatting issues; I have not gotten used to the mobile version.

S S
  • Is this an answer or a new question? It's difficult to tell. – schroeder Nov 05 '19 at 08:39
  • He wanted things to add on, my concern was that existing measures seemed lacking which is why I have some questions at the start. Sorry for not being clear there but I have attempted an answer. – S S Nov 05 '19 at 09:02
  • It is not possible to spoof IPs and still navigate to the site or login. – schroeder Nov 05 '19 at 09:21
  • Not being a fan of hard coded passwords is fine, but is there a reason in this instance? If the answer to that is in the link, can you include the relevant details and how they apply to this situation? – schroeder Nov 05 '19 at 09:24
  • If the things you think the OP should add are in the cloud flare link, include those details as well. – schroeder Nov 05 '19 at 09:25
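The question's login Lambda compares against a hardcoded password and then hands a token to a Lambda authorizer; the answer's objection is the hardcoded password. The following is an added example, not code from the question or the answer, showing the hardened shape of both functions: the password is stored only as a salted PBKDF2 hash, comparisons are constant-time, and the authorizer accepts only a short-lived HMAC-signed token. The `secrets` dict, the `token_key`, the `site-user` subject and the handler signatures are assumptions (in a real deployment the hash, salt and key would be loaded from Secrets Manager or SSM at cold start, never from source).

```python
import base64, binascii, hashlib, hmac, json, time
# Assumption (not from the question): `secrets` holds values loaded at cold start from
# Secrets Manager/SSM: {"salt": bytes, "pw_hash": bytes, "token_key": bytes}.
PBKDF2_ITERS = 200_000  # PBKDF2-HMAC-SHA256 work factor

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash; store this (plus the salt) instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

def verify_password(candidate: str, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time compare so response timing does not leak matching bytes."""
    return hmac.compare_digest(hash_password(candidate, salt), stored_hash)

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode()

def issue_token(subject: str, key: bytes, now: int, ttl: int = 900) -> str:
    """Short-lived HMAC-signed token; `key` must never live in source code."""
    payload = json.dumps({"sub": subject, "exp": now + ttl}).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token: str, key: bytes, now: int):
    """Return the claims if signature and expiry check out, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # verify BEFORE trusting any claim
        return None
    claims = json.loads(payload)
    return claims if claims.get("exp", 0) > now else None

def login_handler(event: dict, secrets: dict, now: int) -> dict:
    """Login Lambda: no password literal anywhere, only the stored hash."""
    body = json.loads(event.get("body") or "{}")
    if not verify_password(body.get("password", ""), secrets["salt"], secrets["pw_hash"]):
        return {"statusCode": 401, "body": json.dumps({"error": "invalid credentials"})}
    token = issue_token("site-user", secrets["token_key"], now)
    return {"statusCode": 200, "body": json.dumps({"token": token})}

def authorizer_handler(event: dict, token_key: bytes, now: int) -> dict:
    """Lambda TOKEN authorizer: allow execute-api:Invoke only for a valid token."""
    claims = verify_token(event.get("authorizationToken", ""), token_key, now)
    effect = "Allow" if claims else "Deny"
    return {"principalId": claims["sub"] if claims else "anonymous",
            "policyDocument": {"Version": "2012-10-17", "Statement": [{
                "Action": "execute-api:Invoke", "Effect": effect,
                "Resource": event.get("methodArn", "*")}]}}
```

The WAF IP allowlists from the question still apply in front of this; the token check is the layer that holds if an allowed address is shared or misjudged.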