Situation: There is a DynamoDB table containing a column with the username, one with a unique ID, and the data for each post submitted via an Angular frontend (REST) that triggers the Lambda function over AWS API Gateway.
Angular frontend --> AWS API Gateway (authenticate) --> Lambda function (write to) --> DynamoDB
Challenge: While only allowing authenticated requests to the API, there are no user details (only the token):
'identity': {'cognitoIdentityPoolId': None, 'accountId': None, 'cognitoIdentityId': None, 'caller': None}
According to the AWS documentation, there is no way to obtain the user who has triggered the Lambda function. Therefore I currently have to rely on the value provided via Angular (which can be manipulated).
I want to ensure that no evil user alters the username (provided by the frontend) by submitting HTTP POSTs with Postman or another tool and thereby overrides or creates entries on behalf of another user. Or any other idea how to create records in a table (via Lambda) in a way that the primary key goes to a particular user, while preventing other authenticated users from submitting requests on their behalf.
question from:
https://stackoverflow.com/questions/65869733/preventing-malicious-actions-in-dynamo-db-accessed-via-lambda-over-rest
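The defensive pattern the question is looking for is to never read the owner from the request body at all: derive the partition key from the identity that API Gateway already verified. The `identity` block printed in the question (every field `None`) is only populated for IAM-based authorization; with a Cognito User Pool authorizer on a REST API, the validated JWT claims are instead placed at `event["requestContext"]["authorizer"]["claims"]`. The following is an added example, not code from the question or from AWS; it assumes that authorizer configuration, replaces the DynamoDB table with an in-memory stand-in so it runs offline, and uses the claim names `sub` and `cognito:username`, which Cognito issues in its ID tokens.

```python
"""Write DynamoDB items keyed by the verified token identity, not the body.

Added example (not from the Stack Overflow question). Assumes API Gateway uses a
Cognito User Pool authorizer, which copies the validated JWT claims into
event["requestContext"]["authorizer"]["claims"]. FakeTable stands in for a
boto3 DynamoDB Table so the example runs offline.
"""
import json
import uuid


class FakeTable:
    """Minimal stand-in for boto3's Table.put_item (constructed for this example)."""

    def __init__(self):
        self.items = []

    def put_item(self, Item):
        self.items.append(dict(Item))
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def caller_identity(event):
    """Return (user_id, username) from the authorizer claims, or None if absent.

    `sub` is the stable per-user identifier and `cognito:username` the login
    name. Both come from the token API Gateway already validated, so a client
    cannot change them the way it can change a field in the JSON body.
    """
    claims = (event.get("requestContext", {})
                   .get("authorizer", {})
                   .get("claims"))
    if not claims or "sub" not in claims:
        return None
    return claims["sub"], claims.get("cognito:username")


def create_post(event, table):
    """Store one post for the calling user; ignore any owner fields in the body."""
    identity = caller_identity(event)
    if identity is None:
        # No verified claims reached the function: refuse to write anything.
        return {"statusCode": 401,
                "body": json.dumps({"error": "no verified identity"})}
    user_id, username = identity

    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return {"statusCode": 400, "body": json.dumps({"error": "invalid JSON"})}

    # The owner columns are filled only from the token. A "username" sent in
    # the body (e.g. via Postman) never reaches the table, so one user cannot
    # create or overwrite rows that belong to another user.
    item = {
        "userId": user_id,            # partition key: owner of the record
        "postId": str(uuid.uuid4()),  # unique ID for this post
        "username": username,
        "content": str(body.get("content", "")),
    }
    table.put_item(Item=item)
    return {"statusCode": 201, "body": json.dumps({"postId": item["postId"]})}


# Module-level table so the function can be wired up as a Lambda entry point;
# in AWS this would be boto3.resource("dynamodb").Table("<table-name>").
TABLE = FakeTable()


def lambda_handler(event, context=None):
    return create_post(event, TABLE)
```

With this layout the frontend only ever sends the post content; the API layer enforces who the caller is, and the table's key space is partitioned by `sub`, so a forged `username` in the body has nothing to influence.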