By now, you must have heard of the amazing Amazon Echo devices: smart speaker/microphone devices backed by the Alexa voice service.
Now, the cool thing is you can build your own skills quite easily. Register as a developer and start building your custom skill so your Echo reacts to things like “what’s up for dinner?” or maybe something more useful. Your custom skill does require some programming but where to host this? Sounds event-driven… And yes, your custom skill can be implemented as a Lambda function running on AWS; reliable, scalable and only consuming resources when actually invoked.
So what shall we build? Since we are well into AWS anyway, we’ve chosen to build a skill that can interact with AWS itself:

| You | Alexa responds |
| --- | --- |
| Alexa, open easytocloud | <welcome tune> Welcome |
| List instances | You have the following instances.. |
| Describe kinesis shards | You have a four shard Kinesis stream in Ireland |

Now, we would like to be able to actually modify resources as well. This, however, would be rather unsafe: anyone in the same room as the Alexa Echo could then stop and start our EC2 instances (i.e. ‘splunk’). We need authentication:

| You | Alexa responds |
| --- | --- |
| Start splunk | You need to authenticate |

Speaking the password out loud would not make sense:

| You |
| --- |
| Authenticate secret123 |

Luckily, AWS is a very secure place and its IAM users can be authenticated by both a password and a one-time token: multi-factor authentication, or MFA. We are already using the following devices for secure access to AWS:
You can validate a token from your Lambda skill by using the AWS SDK and making a call to the AWS STS service requesting a ‘session token’. Don’t worry; we are not really interested in this ‘session token’, but it is a neat trick to leverage the existing AWS MFA integration for your own use 🙂
So now we have (supposing the OTP device is displaying 123456):

| You | Alexa responds |
| --- | --- |
| Start splunk | You need to authenticate |
| Authenticate 123456 | Access granted |
| Start splunk | I have started splunk |

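The STS check described above, sketched as an added example (this is not the authors' skill code). It assumes the STS client is passed in by the caller; `verify_mfa`, the `FakeSTS` stand-in and the MFA serial ARN are constructed for illustration.

```python
import re

SIX_DIGITS = re.compile(r"\d{6}")  # format of the token in the page's example (123456)

def verify_mfa(sts_client, mfa_serial, spoken_code):
    """Return True only when STS accepts spoken_code for the MFA device mfa_serial.

    sts_client: in production, boto3.client("sts") created with the IAM user's
    long-term access key; GetSessionToken cannot be called with role credentials.
    """
    code = re.sub(r"\s+", "", str(spoken_code))
    if not SIX_DIGITS.fullmatch(code):
        return False  # reject malformed input without calling STS
    try:
        resp = sts_client.get_session_token(
            DurationSeconds=900,  # shortest lifetime STS allows
            SerialNumber=mfa_serial,
            TokenCode=code,
        )
    except Exception as exc:
        # botocore's ClientError carries the service error in exc.response
        error = getattr(exc, "response", {}).get("Error", {})
        if error.get("Code") == "AccessDenied":
            return False  # STS rejected the code
        raise  # throttling, network, misconfiguration: the caller must deny access
    # Only the yes/no answer is kept; the credentials are never stored or logged.
    return "Credentials" in resp

# --- constructed stand-in for the STS client so the example runs offline ---
class FakeClientError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeSTS:
    def __init__(self, valid_code):
        self.valid_code, self.calls = valid_code, 0
    def get_session_token(self, DurationSeconds, SerialNumber, TokenCode):
        self.calls += 1
        if TokenCode != self.valid_code:
            raise FakeClientError("AccessDenied")
        return {"Credentials": {"SessionToken": "constructed-placeholder"}}

if __name__ == "__main__":
    sts = FakeSTS("123456")
    serial = "arn:aws:iam::111122223333:mfa/example-user"  # constructed placeholder
    print(verify_mfa(sts, serial, "123456"), verify_mfa(sts, serial, "654321"))
```

Any error other than an explicit rejection is re-raised, so the skill should treat an exception as "not authenticated" rather than falling through to the requested action.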
Done already? Not just yet… If you do not have an MFA device, you can use a virtual MFA application on your phone instead. But AWS can offer something cooler. Remember the AWS notification service, SNS: it can send messages to a variety of destinations (email, webserver, SQS) and it also supports text messaging (SMS). And that’s what we are going to use. By indicating ‘text’ we request the skill to send a one-time password to our phone. Then, we use that code to authenticate:

| You | Alexa responds |
| --- | --- |
| Authenticate text | I've sent the code to your phone |

Almost instantly, your phone displays how to proceed:
You follow instructions and gain access:

| You | Alexa responds |
| --- | --- |
| Authenticate 5143 | Access granted |
| Start splunk | I have started splunk |

In reality, there is much more to the solution than explained in the previous steps. To name a few:
- DynamoDB to store user profiles (including phone numbers)
- API Gateway with a second Lambda function for a re-usable implementation of the MFA-authentication service
- Logging into CloudWatch Logs
Feel free to contact us by email for more detailed instructions.