Handling CSRF attacks from AWS Lambda?
Normally, a csrf token is generated by the server and then sent to the client. When the client submits a form, the token is passed back to the server, which then gets verified.

If I am just using API Gateway and Lambda, how would I ensure that all POST/PUT requests are valid, and protect against csrf attacks? There isn't much written about the subject that I could find, and I'm not sure how to persist a generated csrf token so that all lambda functions can access it anyway.

Is this something that AWS already handles for me, or do I need to specifically configure it in a special way?

Malady answered 20/6, 2017 at 5:6 Comment(1)
perhaps you may want to check how AWS WAF handles the OWASP top 10: aws.amazon.com/about-aws/whats-new/2017/07/…; also have a look at how API Gateway is configured for CORS

While I haven’t done (or even tried) that myself, 2 possible solutions could be:

  • The obvious one: Persist the data in one of the storages offered by AWS
  • The less obvious one: use a token that does not need persistence. For instance, JWT (JSON web tokens) can be used statelessly insofar as all servers (in your case: lambda functions) only need to know a shared secret to be able to verify client-side tokens. To prevent re-using a previously generated and used token (in other words: ensure a token is used only once), you could add data to the token payload which describes the form, for instance using an entity identifier plus version number, or simply add an expiration timestamp to the token payload – whatever fits your use case.
Spendthrift answered 20/6, 2017 at 7:20 Comment(0)
