0
votes

I am trying to learn Alexa skill programming, as part of which I have set up a skill interface in the Amazon developer portal and the corresponding AWS Lambda function. The skill is functioning fine, but I have a question on the security aspect of the Lambda function. I have selected Alexa Skills Kit as the trigger for the Lambda function and am also comparing the application ID in the request to the application ID of the skill to verify that the request is intended for the function (https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/handling-requests-sent-by-alexa).

But even then, how do I restrict the Lambda function from being invoked by another skill that gets to know the Lambda ARN? Can this not be misused to waste compute resources etc.?


3 Answers

0
votes

You already answered your own question. Since you are checking this specific Alexa skill ID in your Lambda function, it will be almost impossible to call it from anywhere else than this skill. Example:

var Alexa = require('alexa-sdk');
// skill ID from the developer portal, supplied via an environment variable rather than hard-coded
var APP_ID = process.env.APP_ID;
var handlers = {
  'LaunchRequest': function () { this.emit(':tell', 'Hello'); }
};
exports.handler = function(event, context, callback){
  var alexa = Alexa.handler(event, context, callback);
  // security: only requests carrying this APP_ID are executed; alexa-sdk rejects every other request before the handlers run
  alexa.appId = APP_ID;
  alexa.registerHandlers(handlers);
  alexa.execute();
};

where APP_ID is the ID of your specific Alexa skill, the only one that has the right to execute this function.

Hope this helps you forward.

0
votes

New in the AWS dashboard for Lambda functions is a check box, when creating the role for an Alexa device, that allows you to lock down the Lambda function solely for a specific skill application: by ticking the box and entering the skill ARN, the Lambda function is only callable by that application. The previously mentioned method of including the alexa.appId = APP_ID; variable in the Lambda function call is a second security check, so both methods are recommended.

-1
votes

The ARN is completely private to you, and it is up to you to decide whether to attach it to another trigger or not. If you still want to restrict it, you can create a custom role in IAM and assign that role to the Lambda. Then only those triggers which have that specific role would be able to execute the Lambda.