Securing the API Gateway / Lambda Invocation? #1257
Comments
toast-gear
changed the title
|
Thanks for the feedback, current lock down is limited. Only the signature is verified. For well signed event the lambda only scales if the repo is existing, part of the org and have jobs queued. We certainly like to have a better protection. GitHub published IP addresses from which traffic is sent, so limitting on the IP addresses is a posibility. But we have also to keep in mind that for GHES the situation is different. So that requires that we have build a flexible and configurable solution. AWS also has this blog post that explains how to limit traffic to the API Gateway: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-resource-policy-access/ Limitting by role and policy that only the API gateway can call the webhook lambda sound as a good plan to me. Feel free to start a PR (while working on the PR feel free to create a draft PR). Maybe an ideaa to split the PR in two PR's |
npalm
added
enhancement
|
I did some research related to securing the API endpoint (further). First GitHub does not recommend to protect based IP addresses with an allow list. They provide an API endpiont to get the CDIR they are using. Currently we use API Gateway version 2, aka HTTP gateway. For this gateway it seems not possible to project based on an allow / deny list. This is an option for version 1. Events received by the webhook are verified based on the signature, this is done by the lambda and not by the gateway. IP Allowlists could be implemented but require the following
|
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions. |
What is the current way of locking down the solution to only being callable by GitHub's webhook IP addresses? https://api.github.com/meta
Would it be worth raising a PR to have a solution for this baked in? I would think anyone deploying this would want to ensure only GitHub and perhaps the ability to include some custom IPs can call the webhook Lambda?
EDIT Perhaps it's worth adding an explicit role to the API Gateway Lambda integration to introduce a condition assessing the
aws:SourceIpkey for GitHub'shookaddress ranges? https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.htmlThe language isn't great but I think this is the attribute we would need to set
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_integration#credentials_arn
I'm basing this off the fact that in v1 https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration#credentials credentials definitely the correct attribute
The text was updated successfully, but these errors were encountered: