Amazon API security with API Keys #22
Comments
I am using the JavaScript SDK in mobile app development.
We do not recommend using API keys for security. API keys are used primarily to meter API access. You should rely on some form of stronger authentication such as SigV4 or an OAuth flow with custom authorizers. The pet store example uses SigV4.
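Added example, not part of the original thread or the project's code: a minimal TOKEN-type Lambda custom authorizer of the kind recommended above, which identifies each caller without a per-user API key. The token format, the `TOKEN_SIGNING_SECRET` variable and the helper names are assumptions made for illustration; a real deployment would typically verify an OAuth/JWT token instead.

```python
import hashlib
import hmac
import os
import time

# Assumption: demo signing secret; a real deployment loads it from a secret store.
SECRET = os.environ.get("TOKEN_SIGNING_SECRET", "constructed-demo-secret").encode()


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id, ttl_seconds=300):
    """Hypothetical per-user token: '<user>.<expiry>.<hex HMAC-SHA256>'."""
    payload = f"{user_id}.{int(time.time() + ttl_seconds)}"
    return f"{payload}.{_sign(payload)}"


def verify_token(token):
    """Return the user id if the signature is valid and the token is unexpired."""
    try:
        payload, sig = token.rsplit(".", 1)
        user_id, expiry = payload.rsplit(".", 1)
        expiry = int(expiry)
    except (AttributeError, ValueError):
        return None  # missing or malformed token
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    return user_id if expiry >= time.time() else None


def handler(event, context=None):
    """TOKEN-type Lambda authorizer: maps a verified caller to an IAM policy."""
    user_id = verify_token(event.get("authorizationToken"))
    if user_id is None:
        # API Gateway turns this exact message into a 401 response.
        raise Exception("Unauthorized")
    return {
        "principalId": user_id,  # per-user identity without per-user API keys
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow",
                "Resource": event["methodArn"],
            }],
        },
    }
```

Because tokens expire and are bound to a user, a leaked token can be rejected or left to expire, unlike a single API key compiled into every published app.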
Hi, my question is that during development I use the profile credential provider, so when deployed, which credential provider will the Lambda function use? How do I set an env variable / property file or .aws file to provide credentials?
The "profile" for the Lambda function is based on the execution role you've configured for the function itself. From the Lambda console you can see the name of the execution role, use the IAM console to modify the access policy for the role and configure which services the Lambda function is allowed to communicate with.
If my Java Lambda function has code for eg If I have understood your point, the API key and access key during Lambda execution will be read from the execution role defined in the Lambda console and not for sirak user profile (the dev user)?
correct
I have deployed my REST API on Amazon API Gateway and I have a scenario in front of me with a security concern. I am using an API key for all the API requests. I wanna know: if that API key is exposed somehow, and as we know the same API key is being used by already published apps... then what are my options?
Also, as mentioned here, I can have only 10000 API keys per AWS account if I want the API keys to be unique per user for it to be more secure, but what if the number of users shoots out to be more than 10000?