Change the existing Architecture to a more secure, flexible one

Hello, we have this architecture that connects 2 AWS accounts (client and server) and a web application. All the API calls from the web app go through the client AppSync to separate Lambdas related to different services, and those Lambdas connect to the server account to get ML models, to connect to the server RDS (through a limited-access user), etc. We implemented this architecture because the server is not authorized to access any of the client data; therefore we load encrypted ML models into the client-side Lambda memory to do the inferencing. As for the RDS connection, we use it to connect to the server RDS to get data common to all the clients. Now we want to restructure this so that all these API calls from client-side Lambdas go through a server-side AppSync, without direct RDS and Lambda connections, so that we can implement a subscription mechanism to validate each client on the server-side AppSync. Can I get your suggestions on this?

1 Answer
One option you have is to enable IAM authentication in AppSync, and allow the client lambda to assume a restricted role in your server account that will give them access to the GraphQL resources (query, mutation, subscriptions, etc). How many client accounts do you need to manage? Does each client account need to have different authorization rules?

AWS
EXPERT
answered 2 months ago
  • Thank you for your answer. How do you suggest we do the authentication of each user in the server account? Each user should be authenticated to find out whether the user is a Pro user or not.

    To answer your questions: there can be hundreds of clients, each having a separate AWS account. The rules are simple. We are going to implement pro and standard subscription levels, where pro clients have no limitations but standard clients are only allowed some requests (they are not permitted to do inferencing for some data that becomes available in certain weeks of the month).
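
The cross-account role approach from the answer, combined with the pro and standard levels from the comment, as an added example (not code from the question, the answer, or AWS). It builds a trust policy and a field-level `appsync:GraphQL` permission policy per tier; the account IDs, API ID, role name and GraphQL field names are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders and hypothetical names; none come from the thread.
SERVER_ACCOUNT, REGION, API_ID = "111111111111", "us-east-1", "EXAMPLEAPIID"
CLIENT_ROLE = "client-lambda-exec"  # assumed name of the client Lambda execution role
TIER_FIELDS = {  # hypothetical GraphQL fields per subscription level
    "standard": ["Query/fields/getCommonData"],
    "pro": ["Query/fields/getCommonData", "Query/fields/getModel",
            "Subscription/fields/onModelUpdated"],
}

def field_arn(type_and_field):
    """ARN of one GraphQL field on the server-side AppSync API."""
    return (f"arn:aws:appsync:{REGION}:{SERVER_ACCOUNT}:"
            f"apis/{API_ID}/types/{type_and_field}")

def trust_policy(client_account_id):
    """Let only the named Lambda role in one client account assume the server role."""
    principal = f"arn:aws:iam::{client_account_id}:role/{CLIENT_ROLE}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal},
        "Action": "sts:AssumeRole"}]}

def permission_policy(tier):
    """Allow appsync:GraphQL only on the fields listed for this tier."""
    if tier not in TIER_FIELDS:
        raise ValueError(f"unknown tier: {tier!r}")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "appsync:GraphQL",
        "Resource": [field_arn(f) for f in TIER_FIELDS[tier]]}]}

def is_allowed(policy, action, resource):
    """Allow-only check for the policies built above; not a full IAM evaluator."""
    return any(
        stmt["Effect"] == "Allow" and stmt["Action"] == action
        and any(fnmatchcase(resource, pat) for pat in stmt["Resource"])
        for stmt in policy["Statement"])

if __name__ == "__main__":
    print(json.dumps(trust_policy("222222222222"), indent=2))
    for tier in TIER_FIELDS:
        print(tier, json.dumps(permission_policy(tier), indent=2))
```

The policies restrict access per GraphQL field only; the standard tier's restriction on data from certain weeks of the month is not expressed here.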
