How do we address/what are good practices for "serverless" resource abuse?

If I create a public endpoint with AWS API Gateway, the whole world can access it. That is a problem, because the endpoint triggers an AWS Lambda function. Assuming I cannot determine how often an incoming IP address has queried the resource in the past by querying a data source, what is the best practice for protecting this endpoint from abuse? Are there other security options available to me?

I realize I could use reCAPTCHA, but that would still invoke the AWS Lambda function, and if that happens a million times in a short window it will incur charges.

A very simple way to protect your API Gateway:

  1. Use AWS CloudFront with a TTL of 0 and pass custom headers from AWS CloudFront to API Gateway
  2. Use AWS WAF together with AWS CloudFront

AWS API Gateway can also handle some basic level of DDoS attacks.

Also check out these blogs on protecting AWS API Gateway:

https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-i/

https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-2/

You may be looking for the throttling limit configuration or usage plan definitions:

To prevent your API from being overwhelmed by too many requests, Amazon API Gateway throttles requests to your API using the token bucket algorithm, where a token counts for a request. Specifically, API Gateway sets a limit on a steady-state rate and a burst of request submissions against all APIs in your account. In the token bucket algorithm, the burst is the maximum bucket size.

When request submissions exceed the steady-state request rate and burst limits, API Gateway fails the limit-exceeding requests and returns 429 Too Many Requests error responses to the client. Upon catching such exceptions, the client can resubmit the failed requests in a rate-limiting fashion, while complying with the API Gateway throttling limits.

As an API developer, you can set the limits for individual API stages or methods to improve overall performance across all APIs in your account. Alternatively, you can enable usage plans to restrict client request submissions to within specified request rates and quotas. This restricts the overall request submissions so that they don't go significantly past the account-level throttling limits.

References:

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-throttling.html

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-usage-plans-with-console.html#api-gateway-usage-plan-create
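A token-bucket throttle like the one the quoted documentation describes, written here as an added illustration (not AWS code): the steady-state rate refills the bucket, the burst is its capacity, each request costs one token, and a usage plan layers a per-API-key quota on top. The `UsagePlan` class, the key names and the fixed (non-resetting) quota are my assumptions; real usage-plan quotas reset per day, week or month.

```python
"""Simulated API Gateway-style throttling: token bucket + per-key usage plan."""


class TokenBucket:
    """Steady-state `rate` requests/second refill a bucket of capacity `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)  # bucket starts full, so a burst is allowed
        self.last = 0.0             # timestamp of the previous request

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never above the burst size.
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # bucket empty: caller should answer 429


def throttle_burst(rate: float, burst: int, arrivals: list) -> list:
    """Return 200/429 per request for a list of arrival timestamps (seconds)."""
    bucket = TokenBucket(rate, burst)
    return [200 if bucket.allow(t) else 429 for t in arrivals]


class UsagePlan:
    """Hypothetical usage plan: per-key token bucket plus a fixed request quota."""

    def __init__(self, rate: float, burst: int, quota: int):
        self.rate, self.burst, self.quota = rate, burst, quota
        self.buckets = {}   # api_key -> TokenBucket
        self.used = {}      # api_key -> requests counted against the quota

    def handle(self, api_key: str, now: float) -> int:
        if api_key not in self.buckets:
            self.buckets[api_key] = TokenBucket(self.rate, self.burst)
            self.used[api_key] = 0
        if self.used[api_key] >= self.quota:
            return 429  # quota exhausted for this key
        if not self.buckets[api_key].allow(now):
            return 429  # rate/burst exceeded; quota not consumed
        self.used[api_key] += 1
        return 200
```

Constructed arrival times (e.g. eight requests at t=0 against burst 5) show the first five succeed and the rest get 429 until the bucket refills.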