Follow-up to “Skip Lambda…” — Why You Shouldn’t Skip It
In my previous article, “Skip Lambda, Save Data to DynamoDB Directly Using API Gateway; Process Later With Streams”, I describe a technique allowing you to skip using a Lambda function in an API and deliver data directly to DynamoDB. This follow-up details why, in many cases, you shouldn’t do that.
First, to be clear, it’s not that you should never do it (see examples at the end). If you fully control your system, it’s a simpler, more efficient, and cheaper way to get data into DynamoDB (or any other AWS system you may need to proxy to). But there are good reasons not to do this, and I wanted to clarify that it shouldn’t be used every time it’s technically possible.
I would say that the two main reasons to add a Lambda are to provide data validation and security…
Security
Security depends on your situation. With the proxy technique, you still have security mechanisms, such as direct Cognito user auth or API keys. So, you may be covered here. However, what if there are multiple attributes in the data/request that must be evaluated in combination to ensure security? For example, let’s say you use API keys, and the client submitting the request also passes something like a group name or an application ID, because you need this to go into DynamoDB (or any database)…
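The kind of combined check this paragraph describes, as an added example (not code from the original article): a Lambda handler that accepts a write only when the caller's API key is permitted for the application ID in the payload. The `KEY_TO_APPS` mapping, the `applicationId` field name and the injected `put_item` callable are assumptions made for illustration.

```python
import json

# Constructed sample: API key ID -> application IDs it may write for (assumed).
KEY_TO_APPS = {
    "key-id-alpha": {"app-orders"},
    "key-id-beta": {"app-billing", "app-reports"},
}


def _response(status, message):
    return {"statusCode": status, "body": json.dumps({"message": message})}


def make_handler(put_item, key_to_apps=KEY_TO_APPS):
    """Build a Lambda handler; put_item is injected so the check runs offline."""

    def handler(event, context=None):
        # API Gateway REST proxy events carry the caller's key ID here.
        identity = event.get("requestContext", {}).get("identity", {})
        key_id = identity.get("apiKeyId")
        try:
            body = json.loads(event.get("body") or "")
        except json.JSONDecodeError:
            return _response(400, "body must be JSON")
        if not isinstance(body, dict):
            return _response(400, "body must be a JSON object")
        app_id = body.get("applicationId")
        if not isinstance(app_id, str) or not app_id:
            return _response(400, "applicationId is required")
        # Combined check: the key must be allowed for the app ID in the payload.
        if app_id not in key_to_apps.get(key_id, set()):
            return _response(403, "key not authorized for this application")
        put_item({"applicationId": app_id, "payload": body.get("payload")})
        return _response(200, "stored")

    return handler


def demo():
    # Constructed requests: same valid key, second one names another key's app.
    stored = []
    handler = make_handler(stored.append)
    def event(key_id, app_id):
        return {"requestContext": {"identity": {"apiKeyId": key_id}},
                "body": json.dumps({"applicationId": app_id, "payload": {"n": 1}})}
    ok = handler(event("key-id-alpha", "app-orders"))
    denied = handler(event("key-id-alpha", "app-billing"))
    return ok["statusCode"], denied["statusCode"], stored
```

In a deployed function, `put_item` would wrap the DynamoDB write and the key-to-application mapping would come from a store you control rather than a module constant.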