[Question] Lambda invocation - Communication security

[triton3]

Hi,

When a lambda function is invoked from a client application, are the input parameters for the function and the response from the function communicated using HTTPS?

I am confused, and I was wondering if someone could shed some light on this point. The AWS Lambda FAQ mentions that I would need to use API gateway and create Custom APIs to communicate with Lambda functions over HTTPS. However, I noticed that the C++ SDK allows initializing a Lamba client using a client-configuration with HTTPS scheme (see below for example). I also noticed that the default ClientConfiguration() uses HTTPS scheme as well (ClientConfiguration.cpp).

Aws::Client::ClientConfiguration config;
...
config.scheme = Scheme::HTTPS;
auto credentials = Aws::MakeShared<Aws::Auth::CognitoCachingAnonymousCredentialsProvider>("Example", "xxxxx", "ID-POOL");
Aws::Lambda::LambdaClient lambdaClient = Aws::Lambda::LambdaClient(credentials, config);

I would appreciate any information or resource on this. Thanks.

[prestomation]

Hi triton3.

As you discovered, the C++ SDK defaults to using HTTPS to communicate with AWS. In fact, if you look at the list of AWS Lambda Endpoints, AWS Lambda ONLY has https endpoints.

The wording in the API Gateway FAQ is a little confusing. What they mean is that API Gateway gives you more control over how your API is called. You are using HTTPS in either case.

To invoke an AWS Lambda function, you have to POST an authorized AWS sigv4 call to the lambda service at a particular endpoint controlled by Lambda. This means the client must have credentials, must know how to formulate the lambda invoke request correctly, and must know how to sign the request using those credentials. These are the things the AWS SDK for C++ does for you.

With API Gateway, you can create your own RESTful endpoints and use a domain, URI, and HTTP methods defined by you(inside of API Gateway) to call AWS Lambda on the callers behalf. This means callers only need to know the URI scheme and request body that you have defined. It decouples your clients from knowing that you use Lambda under the hood.

Please let me know if you are still confused.

[triton3]

Thanks @prestomation ! Appreciate the quick response :) .