When using services (like DynamoDB) make sure to initialize outside of your lambda code. Ex: module initializer (for Node), or to a static constructor (for Java). Here is an example for nodejs. If you initiate a connection to DDB inside the Lambda function, that code will run on every invoke,
It is also very important to keep your codebase as small as possible and your code path lean as possible. See why optimize code before deployment for more info.
You can read the AWS best security practices @ security center. Here are a few that we recommend w/r/t JAWS.
- Don't give
AdministratorAccessto AWS API keys: While the quick start guide says to create an administrative user withAdministratorAccesspermissions, it only does this to get you going faster. As stated this should not be done in a production environment. Our recommendation is to give your users with API access keyPowerUserAccessat a maximum. The fallout is you will not be able to execute a cloudformation json file from the command line that creates any IAM resources. This should be done from the AWS CloudFront UI, behind a user that has 2FA enabled and a secure password. All the JAWS tooling has a-d, --dont-exe-cfoption that will simply update your CloudFormation file, which can then be executed in the UI.
We recommend using camelCase for project names. JAWS uses CloudFormation heavily and they tokenize resources names with -.