Build Serverless REST API on AWS from Scratch — Part I

James Murithi

This tutorial will take you through creating a simple todo API using AWS serverless, NodeJS and DynamoDB. You need some familiarity with the command line. No prior experience with AWS is needed. In Part I we will create an IAM user, grant it some permissions, and secure the root account.

Sign up for AWS access

Amazon offers a free tier that includes several services you can try for a year. Some are always free. Details here

Login to AWS console

After signing up, log on to the AWS console at https://console.aws.amazon.com/

The AWS console is one of the interfaces through which you can manage cloud resources. I will refer to it as the console for the rest of the tutorial.

Secure your account

The first thing we want to do is secure our new AWS account. This involves creating an IAM (Identity and Access Management) user and deleting the root access keys, which provide unrestricted access to your AWS account. You can read more about security best practices here.

Create an IAM user

To get to the IAM screen, click services on the top left of the AWS console and find IAM under the Security, Identity & Compliance subsection. Typing IAM in the autocomplete box should filter the list of services.

Select IAM under Security, Identity and Compliance (bottom right)

On the IAM dashboard, click users on the services menu on the left of your screen to get to the user management section. Click add user to add an IAM user.

Enter a username and check the access type boxes for “programmatic access” and “AWS management console”.

Click through the next steps and keep the defaults. On step five, reveal your password and secret key and store them somewhere safe.

The secret access key is only visible at this stage; store it somewhere safe

We are now ready to set up permissions for the new IAM user.

To make managing these permissions easier, we’ll create an IAM policy, attach it to an IAM group and add our IAM user to the IAM group. This approach makes granting new users the same set of permissions easier since all you would need to do is add them to the same IAM group.

Create an IAM policy

Select policies from the menu on the right and click create to start the process. You should see an autocomplete box where you can start entering a service name. Type lambda here and select Lambda; these steps will be repeated for all the services we need to grant permissions in our IAM policy.

Select lambda service
Grant all Lambda actions
Select “all resources”, then click the Add additional permissions link at the bottom right

Clicking “add additional permissions” allows us to repeat the process above for other AWS services. Repeat the steps above to add permissions for the services below.

  • IAM
  • API Gateway
  • CloudFormation
  • CloudWatch
  • DynamoDB

When finished, click review policy at the bottom right. On the next screen, name your IAM policy API-Devs and create it.

Review and create policy

Best practice would be to tweak the permissions for each service so that the policy contains just what API-Devs need and nothing more: the principle of least privilege. We add all actions for simplicity in this tutorial.
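
A policy like API-Devs can be checked against the least-privilege principle mechanically. The following is an added example, not code from the original tutorial: it flags Allow statements that grant every action of a service on all resources. Both policy documents are constructed, and the region, account ID and table name in the scoped one are placeholders.

```javascript
// IAM accepts either a string or an array for Action and Resource.
const toArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// One finding per Allow statement pairing "*" or "service:*" with Resource "*".
function findOverbroadStatements(policy) {
  const findings = [];
  toArray(policy.Statement).forEach((stmt, index) => {
    if (stmt.Effect !== "Allow") return; // Deny statements only restrict
    const wildcards = toArray(stmt.Action)
      .map((a) => a.toLowerCase()) // action names are case-insensitive
      .filter((a) => a === "*" || a.endsWith(":*"));
    if (wildcards.length === 0 || !toArray(stmt.Resource).includes("*")) return;
    // iam:* on every resource lets the holder attach any policy to itself.
    const high = wildcards.some((a) => a === "*" || a === "iam:*");
    findings.push({
      statement: stmt.Sid || `#${index}`,
      actions: wildcards,
      severity: high ? "high" : "medium",
    });
  });
  return findings;
}

// Constructed policy, equivalent in effect to the API-Devs steps above.
const apiDevsPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "AllServices",
    Effect: "Allow",
    Action: ["lambda:*", "iam:*", "apigateway:*", "cloudformation:*",
             "cloudwatch:*", "dynamodb:*"],
    Resource: "*",
  }],
};

// Constructed scoped alternative for the DynamoDB part only; the region,
// account ID and table name "todos" are placeholders.
const scopedPolicy = {
  Version: "2012-10-17",
  Statement: {
    Sid: "TodoTable",
    Effect: "Allow",
    Action: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
             "dynamodb:DeleteItem", "dynamodb:Query"],
    Resource: "arn:aws:dynamodb:us-east-1:123456789012:table/todos",
  },
};

console.log(findOverbroadStatements(apiDevsPolicy), findOverbroadStatements(scopedPolicy));
```

The broad policy yields one high-severity finding because it includes iam:* on all resources; the scoped statement yields none.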

Create an IAM group

Click groups in the left navigation menu to start the wizard, then click “create new group”. Name the group API-Developers and, when asked for a policy to attach, select the one we just created.

Delete root access keys

Go back to the IAM dashboard, where you should see the security recommendations. Delete your root access keys by visiting manage security credentials.

Address the issues above so everything has a green check mark

Take note of your account name, shown at the top right of the console menu bar. You will need this account name in addition to the IAM user credentials to log in as an IAM user. If you need to change it, do that under “My Account”; the change can only be made by the root user.

Only root can change the account name, do that here if you need to

Login with IAM user

Log out the root user and log in with your new IAM user. On the console, enter your account ID or account name to avoid logging in as the root user (with the email you used to create the AWS account).

Enter your account ID above
AWS should pull your account ID; enter your IAM credentials to log in as the IAM user

Part II
