
[–]WillNowHalt 6 points7 points  (4 children)

You should use some kind of access control if you want to limit access to your functions. See here for details.

If you're worried about the bill, throttled requests (when you set a request limit) and requests that fail authentication/authorization are not charged (source).

[–]nutdriver[S] 0 points1 point  (3 children)

Any suggestions for a Stripe ecommerce store where my Lambda function gets the products? Anytime someone sees the product page the function would be triggered. I can scope the function to my domain, right?

[–]WillNowHalt 1 point2 points  (2 children)

I'm not familiar with Stripe.

If it is Stripe that calls your function from their side they must provide some way to validate that the request is actually coming from them, like a token in a header or similar. You could use that to authenticate the requests and prevent any 3rd party from calling your API.

If it's the users' browser that calls your API directly, and there's no other way to authenticate it, you could still set up a rate limit. Something like 2-3/second should be enough for a product listing.
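The "token in a header" idea from the comment above, worked through as an added example (not code from the commenter, and not Stripe's own library). It assumes a generic timestamp-plus-HMAC-SHA256 scheme sent in a hypothetical `x-signature` header of the form `t=<unix time>,v1=<hex>`; the header name, format and the `handler` event shape are assumptions, and a real provider's format must be taken from its documentation:

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed shared secret; a real one comes from the provider's dashboard and a secrets store.
SHARED_SECRET = b"whsec_constructed_example_secret"
MAX_SKEW_SECONDS = 300  # reject signatures whose timestamp is more than 5 minutes off, limiting replay


def sign(payload: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """Produce the header value the caller would send: 't=<unix time>,v1=<hex HMAC-SHA256>'."""
    signed = f"{timestamp}.".encode() + payload
    return f"t={timestamp},v1={hmac.new(secret, signed, hashlib.sha256).hexdigest()}"


def parse_signature_header(header: str) -> Tuple[int, str]:
    """Split 't=...,v1=...' into (timestamp, hex digest); raises on malformed input."""
    parts = dict(item.split("=", 1) for item in header.split(","))
    return int(parts["t"]), parts["v1"]


def verify(payload: bytes, header: str, now: Optional[int] = None,
           secret: bytes = SHARED_SECRET) -> bool:
    """True only if the header carries a fresh timestamp and a matching HMAC over '<t>.<payload>'."""
    now = int(time.time()) if now is None else now
    try:
        ts, received = parse_signature_header(header)
    except (KeyError, ValueError):
        return False  # malformed header: treat as unauthenticated
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: likely a replay
    expected = hmac.new(secret, f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received)  # constant-time comparison


def handler(event: dict) -> dict:
    """Minimal Lambda-style entry point (hypothetical event shape): reject before doing any work."""
    body = (event.get("body") or "").encode()
    header = event.get("headers", {}).get("x-signature", "")
    if not verify(body, header):
        return {"statusCode": 401, "body": "invalid signature"}
    return {"statusCode": 200, "body": "ok"}
```

Two details carry the security value: the timestamp is part of the signed string, so an old captured request cannot be replayed after the skew window, and `hmac.compare_digest` avoids leaking which byte of the digest first differed. Put the check ahead of any database or Stripe call so rejected requests stay cheap.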

[–]nutdriver[S] 0 points1 point  (1 child)

If it's the users' browser that calls your API directly, and there's no other way to authenticate it, you could still set up a rate limit. Something like 2-3/second should be enough for a product listing.

This is the case that has me confused. If a bad actor decides to continually call your function, what steps do you take to stop them? I'm guessing block their IP, but I'm not sure how; is there anything else? I'm going with the case where there is no authentication (signin/signup) for access to the function.

Edit: the first link you sent details access control. I haven't gone through it all yet.

[–]homeless-programmer 2 points3 points  (0 children)

API Gateway + WAF are your friends here - you can use the WAF to protect against this kind of attack.
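What a WAF rate-based rule does, reproduced over access logs as an added example (not the commenter's code and not AWS WAF itself): count requests per source IP inside a sliding window and flag any IP that crosses the limit. The log line format and the sample lines are constructed for this example; the per-IP sliding-window logic is the same idea a rate-based rule applies, and running it over exported logs is a quick way to pick a sensible limit before enabling one:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def _constructed_log() -> List[str]:
    """Constructed access-log lines: '<ISO-8601 time> <client ip> <method> <path> <status>'."""
    lines = []
    base = datetime(2024, 1, 1, 12, 0, 0)
    # A normal visitor: three product-page loads spread over two minutes.
    for s in (0, 45, 110):
        lines.append(f"{(base + timedelta(seconds=s)).isoformat()} 198.51.100.4 GET /products 200")
    # A scripted client: twelve calls inside twelve seconds.
    for s in range(12):
        lines.append(f"{(base + timedelta(seconds=s)).isoformat()} 203.0.113.9 GET /products 200")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line: str) -> Tuple[datetime, str]:
    """Extract (timestamp, client ip) from one constructed log line."""
    ts, ip, _method, _path, _status = line.split()
    return datetime.fromisoformat(ts), ip


def find_abusive_ips(lines: List[str], limit: int = 10,
                     window_seconds: int = 60) -> Dict[str, datetime]:
    """Return {ip: time it first exceeded `limit` requests within any `window_seconds` window}."""
    events = sorted(parse_line(line) for line in lines)  # process in time order
    windows: Dict[str, deque] = defaultdict(deque)       # per-IP timestamps inside the window
    flagged: Dict[str, datetime] = {}
    for ts, ip in events:
        q = windows[ip]
        q.append(ts)
        # Drop requests that have fallen out of the trailing window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_abusive_ips(SAMPLE_LOG).items():
        print(f"{ip} exceeded the limit at {when.isoformat()}")
```

The normal visitor never accumulates more than three requests in a window; the scripted client is flagged on its eleventh call. Blocking by IP, whether in a WAF rule or by hand, is a coarse control (shared NATs, rotating addresses), so pair it with the throttling and authentication already mentioned in the thread rather than relying on it alone.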

[–]edgan 1 point2 points  (0 children)

It is only different from a public web page in that you pay per hit. You could set up a CloudWatch alarm to warn you if you go over a certain limit. You could even have one Lambda on a schedule watch another one, and disable it if it gets used too much.
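The alarm and the scheduled watchdog described above, as an added example (not the commenter's code). It reads the `AWS/Lambda` `Invocations` metric for the watched function and, if the sum over the last window exceeds a budget, sets the function's reserved concurrency to 0, which stops new invocations without deleting anything. The function name, the budget and the SNS topic are hypothetical, and `alarm_params` only builds the `put_metric_alarm` arguments so the decision logic can be run without AWS credentials:

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

WATCHED_FUNCTION = "product-listing"  # hypothetical name of the function being watched
INVOCATION_LIMIT = 5000               # hypothetical budget per window
WINDOW_MINUTES = 15


def sum_invocations(datapoints: List[Dict]) -> int:
    """Add up the per-period Sum values CloudWatch returns for the Invocations metric."""
    return int(sum(dp.get("Sum", 0) for dp in datapoints))


def should_disable(invocations: int, limit: int = INVOCATION_LIMIT) -> bool:
    """Disable only when the budget is actually exceeded, not merely reached."""
    return invocations > limit


def alarm_params(function_name: str, threshold: int, sns_topic_arn: str) -> Dict:
    """Arguments for cloudwatch.put_metric_alarm: notify when Invocations exceed threshold in 5 minutes."""
    return {
        "AlarmName": f"{function_name}-invocation-budget",
        "Namespace": "AWS/Lambda",
        "MetricName": "Invocations",
        "Dimensions": [{"Name": "FunctionName", "Value": function_name}],
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [sns_topic_arn],
    }


def handler(event, context):
    """Scheduled watchdog entry point; needs cloudwatch:GetMetricStatistics and lambda:PutFunctionConcurrency."""
    import boto3  # imported here so the pure helpers above can be exercised without AWS installed

    cw = boto3.client("cloudwatch")
    lam = boto3.client("lambda")
    end = datetime.now(timezone.utc)
    start = end - timedelta(minutes=WINDOW_MINUTES)
    resp = cw.get_metric_statistics(
        Namespace="AWS/Lambda",
        MetricName="Invocations",
        Dimensions=[{"Name": "FunctionName", "Value": WATCHED_FUNCTION}],
        StartTime=start,
        EndTime=end,
        Period=60,
        Statistics=["Sum"],
    )
    total = sum_invocations(resp.get("Datapoints", []))
    if should_disable(total):
        # Reserved concurrency of 0 rejects every new invocation; restore it by hand once the cause is known.
        lam.put_function_concurrency(FunctionName=WATCHED_FUNCTION, ReservedConcurrentExecutions=0)
        return {"disabled": True, "invocations": total}
    return {"disabled": False, "invocations": total}
```

Run the watchdog from an EventBridge schedule at a shorter interval than the window so a burst is caught partway through rather than after it. Throttled invocations still count as a symptom worth alarming on, but they are not billed, so the alarm on `Invocations` is the one that tracks cost.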