Find best method to determine the source IP address in Lambda

0

We have implemented a REST API using API Gateway and Lambdas. The user gets authenticated using AWS Cognito and we have role-based authorization configured for users. For one specific role we want to allow the user access to the resources based on their source IP address. In order to do that, we are using $context.identity.sourceIp in Lambda to determine the request source IP and then proceeding with the authorization. My question is, is it the best way to implement that and can it be easily spoofed?

1 Answer
1

Yes, that's the best way to identify the source IP address in this case.

Can the source IP address be spoofed? Yes - a malicious actor might be coming from a proxy server (or multiple proxy servers). Could someone fake their IP address to look like someone else's (i.e. appear to come from an IP that is legitimately allowed to access your application)? That would be much harder. Not necessarily impossible but certainly harder - unless the source network is compromised or there is some way to "bounce" traffic through that network.

I'm generally not in favour of using source IP as a security measure. Instead, use strong (two-factor) authentication to determine the user identity. Restricting to IP addresses can also have undesired consequences in the event of a disaster - your customer may want to access the service but cannot because they are temporarily coming from a different IP range.

AWS
Expert
answered a year ago
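
The source-IP check discussed in this thread, as an added example that is not part of the original question or answer and is not AWS code. It assumes a Lambda proxy integration, where the value of $context.identity.sourceIp arrives as `requestContext.identity.sourceIp` (or `requestContext.http.sourceIp` for HTTP API payload v2.0); the allowlist ranges and function names are constructed for illustration.

```python
import ipaddress

# Constructed allowlist using documentation-only ranges (assumption, not from the page).
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:10::/48")]


def source_ip(event):
    """Return the caller address that API Gateway observed, or None.

    Only requestContext is read, because API Gateway populates it. The
    X-Forwarded-For request header is never consulted: its leading entries
    are supplied by the client and cannot be trusted for authorization.
    """
    ctx = event.get("requestContext") or {}
    raw = (ctx.get("identity") or {}).get("sourceIp")      # REST API proxy event
    if raw is None:
        raw = (ctx.get("http") or {}).get("sourceIp")      # HTTP API payload v2.0
    if not isinstance(raw, str):
        return None                                        # missing or wrong type
    try:
        return ipaddress.ip_address(raw.strip())
    except ValueError:
        return None                                        # malformed address


def ip_allowed(event, allowed=ALLOWED_CIDRS):
    """Fail closed: an absent or unparseable address is denied."""
    addr = source_ip(event)
    if addr is None:
        return False
    return any(addr.version == net.version and addr in net for net in allowed)


def handler(event, context):
    # Runs after the Cognito role check; applied only to the IP-restricted role.
    if not ip_allowed(event):
        return {"statusCode": 403, "body": "source IP not permitted"}
    return {"statusCode": 200, "body": "ok"}
```
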
