I'm looking for advice on how to improve the security of my one-on-one chat app built entirely on AWS. Here's my tech stack:
- Authentication: Cognito
- Backend: API Gateway (WebSocket and REST), Lambda
- Storage: S3
- CDN: CloudFront
- Image Recognition: Rekognition
- Database: DynamoDB, Redis
For file uploads and downloads, I generate presigned URLs from the server. My WebSocket and REST APIs all run on Lambda. I support social logins through Google and Apple, plus phone number authentication.
So far, I've thought about implementing a rate limiter on the API Gateway and encrypting API keys within my Lambda functions. Are there other security measures I might be missing?
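One concrete hardening for the presigned-URL upload path described in the question: derive the S3 key server-side from the verified Cognito subject, pin the content type, and cap object size and link lifetime so a leaked URL is useful only briefly and only for the intended object. This is an added example, not code from the question; the bucket name, allowed types and limits are placeholders, and it assumes boto3's generate_presigned_post for the signing step.

```python
import re
import uuid
from typing import Any, Dict

# Placeholder settings; the question names none of these values.
UPLOAD_BUCKET = "example-chat-uploads"
ALLOWED_CONTENT_TYPES = {"image/jpeg", "image/png"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # 5 MiB
UPLOAD_URL_TTL_SECONDS = 120         # short-lived: the client uploads immediately

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def build_upload_policy(user_sub: str, conversation_id: str,
                        filename: str, content_type: str) -> Dict[str, Any]:
    """Build the arguments for S3 generate_presigned_post.

    The caller is the Lambda behind an authenticated API Gateway route, so
    user_sub comes from the verified Cognito token, never from the request body.
    Membership of user_sub in conversation_id is assumed checked by the caller.
    """
    if not user_sub or _UNSAFE.search(user_sub):
        raise ValueError("invalid Cognito subject")
    if not conversation_id or _UNSAFE.search(conversation_id):
        raise ValueError("invalid conversation id")
    if content_type not in ALLOWED_CONTENT_TYPES:
        raise ValueError(f"content type not allowed: {content_type}")
    # Derive the object key server-side so a client cannot pick another
    # user's prefix or smuggle path segments such as "../".
    base = filename.rsplit("/", 1)[-1]
    safe_name = _UNSAFE.sub("_", base).lstrip(".")[:64] or "upload"
    key = f"uploads/{user_sub}/{conversation_id}/{uuid.uuid4()}-{safe_name}"
    return {
        "Bucket": UPLOAD_BUCKET,
        "Key": key,
        "Fields": {"Content-Type": content_type},
        # S3 enforces these when the POST arrives, so the client cannot send
        # a different type or a larger object than the server allowed.
        "Conditions": [
            {"Content-Type": content_type},
            ["content-length-range", 1, MAX_UPLOAD_BYTES],
        ],
        "ExpiresIn": UPLOAD_URL_TTL_SECONDS,
    }


def presign_upload(user_sub: str, conversation_id: str,
                   filename: str, content_type: str) -> Dict[str, Any]:
    """Sign the policy with the Lambda's own credentials (needs boto3 at runtime)."""
    import boto3  # imported lazily so the policy logic above runs offline
    return boto3.client("s3").generate_presigned_post(
        **build_upload_policy(user_sub, conversation_id, filename, content_type))
```

The same idea applies to download links: sign get_object for one key the user is entitled to read, with a similarly short ExpiresIn, rather than handing out a long-lived URL.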
3 Answers
Security is such a vast topic! It depends on what you're prioritizing: user data protection, preventing DDoS attacks, or ensuring uptime. Make sure to look at these different areas and allocate enough resources to your security efforts. It can often take up a substantial part of your strategy!
Consider incorporating a private overlay network into your Lambda functions. This way, they wouldn't have public IPs or open inbound ports. If you can integrate this into your mobile app, that could enhance security even further. Using something like OpenZiti can help with this, which allows for a zero trust networking approach. Here’s a helpful blog on how it can be integrated into Lambda: https://blog.openziti.io/my-intern-assignment-call-a-dark-webhook-from-aws-lambda
You might want to consider using Lambda for your WebSocket endpoint carefully. Some devs think Fargate or EC2 could be better suited for more complex chat apps, especially if scalability becomes an issue. However, for one-on-one chats, Lambda can work since it only executes when there's activity on the WebSocket. Just something to think about!
That's true, but remember that it’s not entirely serverless if you go with Fargate or EC2. Just want to weigh your options!
I'm aiming for general security standards, mainly against threats like SMS spoofing and DDoS attacks. I'm set to implement a rate limiter, but I'm just checking if I missed anything basic.