Amazon API Gateway is a fully managed service that makes it easy for developers to create, deploy, secure, and monitor APIs at any scale. In this presentation, you’ll find out how to quickly declare an API interface and connect it with code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. We will demonstrate how to build an API that uses AWS Identity and Access Management (IAM) for authorization and Amazon Cognito to retrieve temporary credentials for your API calls. We will write the AWS Lambda function code in Java and build an iOS sample application in Objective-C.
2. What to Expect from the Session
1. A new, fully-managed development model
2. Declare an API with Amazon API Gateway
3. Application logic in AWS Lambda
4. Register and login API with Amazon Cognito
5. Authorization with AWS IAM
6. Generate and connect the Client SDK
3. A new, fully managed model
[Diagram: Internet and mobile apps call Amazon API Gateway (fronted by Amazon CloudFront, with an API Gateway cache and Amazon CloudWatch monitoring); API Gateway routes calls to AWS Lambda functions, endpoints on Amazon EC2, other AWS services, or any other publicly accessible endpoint.]
4. Key takeaways
AWS Lambda + Amazon API Gateway means no infrastructure to manage – we scale for you
Security is important, and complex – make the most of AWS Identity and Access Management
Swagger import and client SDK – we can automate most workflows
5. The services we are going to use
• Amazon API Gateway: host the API and route API calls
• AWS Lambda: execute our app’s business logic
• Amazon Cognito: generate temporary AWS credentials
• Amazon DynamoDB: data store
7. API call flows
Unauthenticated: mobile apps call the Register and Login methods through API Gateway, which invokes the AWS Lambda lambdaHandler.
Authenticated: mobile apps sign the ListPets, GetPet and CreatePet calls with SigV4; the calls are authorized by IAM, and API Gateway invokes the AWS Lambda lambdaHandler with the caller credentials (Assume Role).
8. What’s new?
The application can use lots of servers, and I don’t need to manage a single one.
Authorization of API calls is delegated to AWS. We just need to focus on our IAM roles.
Deployment of the API is automated using Swagger.
10. Amazon API Gateway overview
• Define and host APIs: manage deployments to multiple versions and environments
• Leverage AWS Auth: leverage Identity and Access Management to authorize access to your cloud resources
• Manage network traffic: DDoS protection and request throttling to safeguard your back end
12. Resources and methods
Unauthenticated:
/users
• POST – Registers a new user in our DynamoDB table
/login
• POST – Receives a user name and password and authenticates a user
Authenticated:
/pets
• POST – Creates a new pet in the database
• GET – Retrieves a list of pets from the database
/pets/{petId}
• GET – Retrieves a pet by its ID
13. Automating the workflow with Swagger
[Diagram: Method Request, Integration Request, Method, Method Response]
/users:
  post:
    summary: Registers a new user
    consumes:
      - application/json
    produces:
      - application/json
    parameters:
      - name: NewUser
        in: body
        schema:
          $ref: '#/definitions/User'
    x-amazon-apigateway-integration:
      type: aws
      uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31...
      credentials: arn:aws:iam::964405213927:role/pet_store_lambda_invoke
      ...
    responses:
      200:
        schema:
          $ref: '#/definitions/RegisterUserResponse'
14. Benefits of using Swagger
• API definitions live in our source repository with the rest of the app.
• They can be used with other utilities in the Swagger toolset (for example, documentation generation).
• The API can be imported and deployed in our build script.
16. AWS Lambda overview
Lambda functions: stateless, trigger-based code execution
• Bring your own code: run code in a choice of standard languages. Use threads, processes, files, and shell scripts normally.
• No infrastructure to manage: focus on business logic, not infrastructure. You upload code; AWS Lambda handles everything else.
• High performance at any scale; cost-effective and efficient: pay only for what you use. Lambda automatically matches capacity to your request rate. Purchase compute in 100 ms increments.
17. The Lambda handler
[Diagram: the Amazon API Gateway integration request reaches a single lambdaHandler in our Java source, which dispatches to the Register, Login, Create Pet and Get Pet actions; the actions use credentials generation and the pet store database.]
18. Exception to HTTP status
[Diagram: the Register, Login, Create Pet and Get Pet actions behind lambdaHandler in our Java source throw BadRequestException (BAD_REQUEST + stack trace) or InternalErrorException (INTERNAL_ERROR + stack trace); Amazon API Gateway maps them to HTTP status codes with these integration responses:]
responses:
  "default":
    statusCode: "200"
  "BAD.*":
    statusCode: "400"
  "INT.*":
    statusCode: "500"
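How the regex selection on this slide decides the status, as an added example that is not part of the deck or the pet store project: it models API Gateway's matching of the Lambda errorMessage against the "BAD.*" and "INT.*" patterns, and strips the stack trace from what goes back to the client. The payload shapes and messages are constructed for the example.

```python
import re

# Selection patterns from the slide's integration responses. API Gateway
# matches the Lambda errorMessage against each regex and uses the status of
# the first match, falling back to "default" when none matches.
INTEGRATION_RESPONSES = [("BAD.*", 400), ("INT.*", 500)]
DEFAULT_STATUS = 200


def select_status(lambda_result):
    """Choose the HTTP status for a Lambda result the way the regex selection does.

    A normal return has no errorMessage and maps to the default status. An
    exception thrown by lambdaHandler arrives as a payload with errorMessage,
    errorType and stackTrace; only errorMessage is matched, as a whole string,
    which is why the slide's patterns end in ".*".
    """
    message = lambda_result.get("errorMessage")
    if message is None:
        return DEFAULT_STATUS
    for pattern, status in INTEGRATION_RESPONSES:
        if re.fullmatch(pattern, message, flags=re.DOTALL):
            return status
    # Caveat: an exception whose message matches no pattern still gets the
    # default 200, so every exception type needs a matching message prefix.
    return DEFAULT_STATUS


def client_body(lambda_result):
    """Body returned to the API client: error class and message, no stack trace.

    Keeping stackTrace out of the response avoids exposing internal class
    names and line numbers; it remains in the function's CloudWatch logs.
    """
    if "errorMessage" not in lambda_result:
        return lambda_result
    return {"error": lambda_result.get("errorType", "Error"),
            "message": lambda_result["errorMessage"]}


# Constructed sample payloads shaped like the Java runtime's error output.
BAD_REQUEST = {"errorMessage": "BAD_REQUEST: username is required",
               "errorType": "BadRequestException",
               "stackTrace": ["RegisterAction.handle(RegisterAction.java:42)"]}
INTERNAL = {"errorMessage": "INTERNAL_ERROR: could not reach DynamoDB",
            "errorType": "InternalErrorException",
            "stackTrace": ["LoginAction.handle(LoginAction.java:77)"]}
OK = {"username": "alice", "identityId": "us-east-1:EXAMPLE-IDENTITY"}
```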
19. Mapping templates are a powerful tool
Learn more about mapping templates in our docs
http://amzn.to/1L1hSF5
21. Amazon Cognito overview
• Identity management: manage authenticated and guest users across identity providers
• Data synchronization: synchronize users’ data across devices and platforms via the cloud
• Secure AWS access: securely access AWS services from mobile devices and platforms
22. The API definition
/users
• POST
• Receives a user name and password
• Encrypts the password and creates the user account in DynamoDB
• Calls Amazon Cognito to generate credentials
• Returns the user + its credentials
/login
• POST
• Receives a user name and password
• Authenticates the user against the DynamoDB database
• Calls Amazon Cognito to generate credentials
• Returns a set of temporary credentials
23. Retrieving temporary AWS credentials
[Diagram: Client → API Gateway → Backend]
1. The client calls the Login API (/login); no auth required. The Login action checks the user accounts database and the credentials are verified.
2. The backend gets an OpenID token for the developer identity and receives an identity ID + token.
3. The backend gets credentials for the identity: access key + secret key + session token. The client receives credentials to sign API calls.
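Steps 2 and 3 above as the Login action would run them, as an added example that is not the project's code: it uses the two Cognito Identity calls by their boto3 names, but takes the client as a parameter, so the constructed FakeCognitoIdentity below lets it run offline. The identity pool id, developer provider name and user id are assumptions.

```python
# Logins key used in step 3: the provider is Cognito itself and the value is
# the OpenID token obtained in step 2.
COGNITO_LOGINS_KEY = "cognito-identity.amazonaws.com"


def issue_credentials(identity_client, identity_pool_id, developer_provider, user_id):
    """Run after the password check: exchange a verified user for AWS credentials.

    identity_client must expose the two boto3 cognito-identity methods used
    below. developer_provider is the developer provider name configured on the
    identity pool (assumed); user_id is the backend's stable id for the user.
    """
    # Step 2: only the backend can make this call; it needs the backend's own
    # IAM credentials, which is why clients never hold them.
    step2 = identity_client.get_open_id_token_for_developer_identity(
        IdentityPoolId=identity_pool_id,
        Logins={developer_provider: user_id},
    )
    # Step 3: trade the token for temporary credentials tied to this identity.
    step3 = identity_client.get_credentials_for_identity(
        IdentityId=step2["IdentityId"],
        Logins={COGNITO_LOGINS_KEY: step2["Token"]},
    )
    creds = step3["Credentials"]
    return {
        "identityId": step3["IdentityId"],
        "accessKey": creds["AccessKeyId"],
        "secretKey": creds["SecretKey"],
        "sessionToken": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


class FakeCognitoIdentity:
    """Constructed stand-in that records each call and answers like Cognito."""

    def __init__(self):
        self.calls = []

    def get_open_id_token_for_developer_identity(self, **kwargs):
        self.calls.append(("GetOpenIdTokenForDeveloperIdentity", kwargs))
        return {"IdentityId": "us-east-1:EXAMPLE-IDENTITY", "Token": "EXAMPLE-OPENID-TOKEN"}

    def get_credentials_for_identity(self, **kwargs):
        self.calls.append(("GetCredentialsForIdentity", kwargs))
        return {"IdentityId": kwargs["IdentityId"],
                "Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretKey": "EXAMPLE-SECRET",
                                "SessionToken": "EXAMPLE-SESSION", "Expiration": 1700000000}}
```

With a real boto3 client (`boto3.client("cognito-identity")`) in place of the fake, the same function performs the exchange against the identity pool.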
25. The Pets resources require authorization
/pets
• POST
• Receives a Pet model
• Saves it in DynamoDB
• Returns the new Pet ID
• GET
• Returns the list of Pets stored in DynamoDB
/pets/{petId}
• GET
• Receives a Pet ID from the path
• Uses mapping templates to pass the path parameter to the Lambda function
• Loads the Pet from DynamoDB
• Returns a Pet model
26. Using the caller credentials
Using the console or using Swagger, set the integration credentials to:
credentials: arn:aws:iam::*:user/*
27. The IAM role defines access permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Scan",
        "lambda:InvokeFunction",
        "execute-api:invoke"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:xxxxxx:table/test_pets",
        "arn:aws:lambda:us-east-1:xxxxx:function:PetStore",
        "arn:aws:execute-api:us-east-1:xxxx:API_ID/*/POST/pets"
      ]
    }
  ]
}
The role allows calls to:
• DynamoDB
• API Gateway
• Lambda
The role can access specific resources in these services.
28. One step further: Fine-grained access permissions
[Diagram: Internet → Client → API Gateway → AWS Lambda functions (execute with this role) → DynamoDB, with Amazon CloudFront in front; the caller's Cognito identity (CognitoId2) travels with the request.]
…
"Condition": {
  "ForAllValues:StringEquals": {
    "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
    "dynamodb:Attributes": [
      "UserId", "GameTitle", "Wins", "Losses",
      "TopScore", "TopScoreDateTime"
    ]
  },
  "StringEqualsIfExists": {
    "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
  }
}
…
UserID      Wins  Losses
cognitoId1  3     2
cognitoId2  5     8
cognitoId3  2     3
The credentials and context (Cognito ID) are passed along.
Both AWS Lambda and DynamoDB will follow the access policy.
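How the three condition operators on this slide combine for one DynamoDB request, as an added illustration (a model written for this page, not the IAM evaluator or the project's code): the rows are the slide's table, and the request parameters are assumptions supplied by the caller of the function.

```python
# Constructed rows matching the slide's table; UserId is the partition key.
SCORES_TABLE = {
    "cognitoId1": {"UserId": "cognitoId1", "Wins": 3, "Losses": 2},
    "cognitoId2": {"UserId": "cognitoId2", "Wins": 5, "Losses": 8},
    "cognitoId3": {"UserId": "cognitoId3", "Wins": 2, "Losses": 3},
}
# Attribute names listed under dynamodb:Attributes in the slide's condition.
ALLOWED_ATTRIBUTES = {"UserId", "GameTitle", "Wins", "Losses",
                      "TopScore", "TopScoreDateTime"}


def condition_allows(cognito_sub, leading_keys, attributes, select):
    """Model of the slide's Condition block for one DynamoDB request.

    cognito_sub is what ${cognito-identity.amazonaws.com:sub} expands to: the
    caller's Cognito identity id. leading_keys are the partition-key values
    the request touches, attributes the attribute names it asks for, and
    select the request's Select parameter (None when the API call has none,
    as for GetItem).
    """
    # ForAllValues:StringEquals on dynamodb:LeadingKeys: every key must be the
    # caller's own id, so a user can only touch their own rows.
    if not all(key == cognito_sub for key in leading_keys):
        return False
    # ForAllValues:StringEquals on dynamodb:Attributes: every requested
    # attribute must be in the list (vacuously true when none are named).
    if not all(attr in ALLOWED_ATTRIBUTES for attr in attributes):
        return False
    # StringEqualsIfExists on dynamodb:Select: only checked when Select is
    # present, and then it must be SPECIFIC_ATTRIBUTES, which stops an
    # ALL_ATTRIBUTES read from bypassing the attribute list.
    if select is not None and select != "SPECIFIC_ATTRIBUTES":
        return False
    return True


def get_item_as(cognito_sub, user_id, attributes):
    """GetItem on one row, evaluated under the condition for the given caller.

    Returns the projected item, or None when the condition denies the call.
    """
    if not condition_allows(cognito_sub, [user_id], attributes, None):
        return None
    item = SCORES_TABLE.get(user_id, {})
    return {name: item[name] for name in attributes if name in item}
```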
29. Authenticated flow in depth
[Diagram: mobile apps sign calls with SigV4; API Gateway invokes the AWS Lambda lambdaHandler with the caller credentials; service calls to DynamoDB are authorized using the IAM role.]
Learn more about fine-grained access permissions
http://amzn.to/1YkxcjR
30. Benefits of using AWS auth & IAM
• Separation of concerns – our authorization strategy is delegated to a dedicated service
• We have centralized access management to a single set of policies
• Roles and credentials can be disabled with a single API call
35. Generated SDK benefits
The generated client SDK knows how to:
• Sign API calls using AWS signature version 4
• Handle throttled responses with exponential back-off
• Marshal and unmarshal requests and responses to model objects
36. What have we learned?
AWS Lambda + Amazon API Gateway mean no infrastructure to manage – we scale for you
Security is important, and complex – make the most of AWS Identity and Access Management
Swagger import and client SDK – we can automate most workflows
Download the example from the AWSLabs GitHub account
https://github.com/awslabs/api-gateway-secure-pet-store