Activating and using public extensions
Let’s briefly recap what we did in the previous chapter. We built a Lambda function that receives an API call from CloudFormation and runs SQL queries against our provisioned RDS cluster.
Now, imagine that we want to publish our custom resource handler and let anyone use it. Since the Lambda function is hosted in our AWS account, the user of the RDS instance would need to make that instance reachable from outside their account, thus introducing a security risk. If we were to use Aurora Serverless V1, we could enable the Data API instead, but we would still need to grant access to it through an IAM role, which introduces the following two-sided security risk:
- We, as the Lambda owner, have to expose our AWS account ID
- We create an IAM role that grants the user access to the Data API
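To make the two-sided exposure concrete, the following is an added illustration (not code from the book's project) of what sharing the custom resource across accounts would require. The account IDs `111111111111` (Lambda owner) and `222222222222` (user), the function name `rds-sql-runner`, the resource type name `Custom::RdsSqlRunner` and the region are placeholders.

```yaml
# Added example, not the book's code. Account IDs, region and names are placeholders.
#
# Stack in the USER's account (222222222222): a custom resource can only point at
# our function by its full ARN, so our account ID becomes part of their template,
# and their database connection details are handed to code running in our account.
Resources:
  DatabaseSetup:
    Type: Custom::RdsSqlRunner
    Properties:
      ServiceToken: arn:aws:lambda:us-east-1:111111111111:function:rds-sql-runner
      ClusterEndpoint: !GetAtt Database.Endpoint.Address   # assumes an AWS::RDS::DBCluster named Database
      Statements:
        - CREATE DATABASE app;
---
# Stack in OUR account (111111111111): CloudFormation in the user's account invokes
# the function with that account's identity, so we must add an invoke permission
# for each consumer account. Every grant widens who can trigger our handler.
Resources:
  InvokeFromUserAccount:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: rds-sql-runner
      Action: lambda:InvokeFunction
      Principal: '222222222222'
```

Both halves are what the bullet list above describes: our account ID is visible in every consumer's template, and our resource policy must enumerate consumer accounts, each of which is then able to invoke the function directly and not only via a CloudFormation stack.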
Even if we ignore the security risks resulting from the above, there are still other risks such as costs and reliability. We host the Lambda function, which...