# API Gateway Security

## IAM Permissions

* Amazon API Gateway **requires that you authenticate every request you send by signing the request**.
  * To sign a request, you **calculate a digital signature using a cryptographic hash function**, which returns a hash value based on the input.
* Amazon API Gateway **supports authentication using AWS Signature Version 4 (Sig v4)**.
* **Great when you have pre-existing IAM identities**.
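
The signing and checking described above, as an added example in Python (not AWS SDK code and not code from this page): the client derives a scoped signing key from its secret, signs a canonical form of the request, and the server recomputes the same signature and compares it in constant time. The access key, secret key, host, path and timestamps are constructed placeholders, and the verifier takes the secret directly because the lookup of a secret by access key is assumed rather than shown.

```python
"""AWS Signature Version 4 (SigV4) signing and verification for an API Gateway request.
Added example, not AWS's or the page's own code: credentials, host, path and timestamps
are constructed placeholders; a real server resolves the secret from the access key."""
import datetime
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "execute-api"          # service name API Gateway uses in the credential scope
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, datestamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    Each step narrows the key's scope: the long-term secret is never used on the wire and a
    leaked signing key only works for one day, region and service."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), datestamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes):
    """Build the canonical request that SigV4 hashes; returns (canonical_request, signed_headers)."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    # Header names lowercased, values whitespace-collapsed, sorted by name
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{name}:{lowered[name]}\n" for name in sorted(lowered))
    payload_hash = hashlib.sha256(payload).hexdigest()
    creq = "\n".join([method.upper(), quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, signed_headers, payload_hash])
    return creq, signed_headers


def _signature(secret_key: str, region: str, amz_date: str, creq: str):
    """Return (credential_scope, hex signature) for a canonical request."""
    datestamp = amz_date[:8]
    scope = f"{datestamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    key = derive_signing_key(secret_key, datestamp, region, SERVICE)
    return scope, hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_request(access_key, secret_key, region, method, host, path, query, payload, amz_date):
    """Client side: return the headers to send, including the Authorization header."""
    headers = {"host": host, "x-amz-date": amz_date}
    creq, signed = canonical_request(method, path, query, headers, payload)
    scope, sig = _signature(secret_key, region, amz_date, creq)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers


def verify_request(method, path, query, payload, headers, secret_key, now_amz_date, max_skew=900):
    """Server side: recompute the signature from the received request and compare.
    True only if the signature matches and x-amz-date is within max_skew seconds of the
    server clock (AWS rejects requests whose timestamp is more than 15 minutes off)."""
    try:
        auth = headers["authorization"]
        fields = dict(p.strip().split("=", 1) for p in auth.split(" ", 1)[1].split(","))
        _, datestamp, region, service, _ = fields["Credential"].split("/")
        signed_headers = {name: headers[name] for name in fields["SignedHeaders"].split(";")}
    except (KeyError, ValueError):
        return False
    if service != SERVICE or datestamp != headers.get("x-amz-date", "")[:8]:
        return False
    fmt = "%Y%m%dT%H%M%SZ"
    sent = datetime.datetime.strptime(headers["x-amz-date"], fmt)
    now = datetime.datetime.strptime(now_amz_date, fmt)
    if abs((now - sent).total_seconds()) > max_skew:
        return False
    creq, _ = canonical_request(method, path, query, signed_headers, payload)
    _, expected = _signature(secret_key, region, headers["x-amz-date"], creq)
    return hmac.compare_digest(expected, fields["Signature"])


if __name__ == "__main__":
    hdrs = sign_request("AKIDEXAMPLE", "SECRET-PLACEHOLDER", "us-east-1", "GET",
                        "abc123.execute-api.us-east-1.amazonaws.com", "/prod/items",
                        {"limit": "10"}, b"", "20240101T120000Z")
    print(hdrs["authorization"])
    print(verify_request("GET", "/prod/items", {"limit": "10"}, b"", hdrs,
                         "SECRET-PLACEHOLDER", "20240101T120300Z"))
```

Because the payload hash, the signed headers and the timestamp are all inputs to the signature, changing any of them after signing makes the server's recomputation fail, and a captured request cannot be replayed once its x-amz-date is outside the skew window.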

## Lambda Authorizer

* A Lambda authorizer (**formerly known as a custom authorizer**) is an API Gateway feature that **uses a Lambda function to control access to your API**.

* A Lambda authorizer is **useful if you want to implement a custom authorization scheme** that uses a bearer token authentication strategy such as **OAuth or SAML**, or that uses request parameters to determine the caller's identity.

* When a client makes a request to one of your API's methods, **API Gateway calls your Lambda authorizer, which takes the caller's identity as input and returns an IAM policy as output**.

* You can **use caching to limit the number of calls you make to Lambda**.

* **Great for 3rd-party tokens**.
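
A TOKEN-type Lambda authorizer following the flow above, as an added example in Python (not AWS sample code and not code from this page): it takes the bearer token from the request, validates it, and returns an IAM policy that allows or denies `execute-api:Invoke`. The HS256 JWT check stands in for whatever OAuth or SAML validation a real deployment would do, and `SECRET`, the `items:read` scope and the ARNs are constructed placeholders.

```python
"""TOKEN-type Lambda authorizer for API Gateway. Added example, not AWS's or the page's
own code: the HS256 bearer-token check stands in for real OAuth/SAML validation, and
SECRET, REQUIRED_SCOPE and the ARNs are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"placeholder-signing-secret"   # constructed; a real function fetches this from a secret store
REQUIRED_SCOPE = "items:read"            # constructed scope name


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(claims: dict, secret: bytes) -> str:
    """Toy HS256 JWT issuer, present only so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now: float):
    """Return the claims if the HS256 signature is valid and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                      # malformed base64/JSON or wrong segment count
        return None
    if header.get("alg") != "HS256":        # never let the token choose the algorithm (alg=none etc.)
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def lambda_handler(event, context, now=None):
    """API Gateway invokes this with {"type": "TOKEN", "authorizationToken": ..., "methodArn": ...}.
    Raising Exception("Unauthorized") makes API Gateway answer 401; a Deny policy answers 403."""
    now = time.time() if now is None else now
    auth = event.get("authorizationToken", "")
    if not auth.startswith("Bearer "):
        raise Exception("Unauthorized")
    claims = verify_token(auth[len("Bearer "):], SECRET, now)
    if claims is None:
        raise Exception("Unauthorized")

    # methodArn looks like arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{verb}/{path}.
    # The result is cached per token, so the policy must cover every route this caller may
    # use, not just the one that triggered the authorizer: scope it to the whole stage.
    arn_base, stage = event["methodArn"].split("/")[:2]
    effect = "Allow" if REQUIRED_SCOPE in claims.get("scope", "").split() else "Deny"
    return {
        "principalId": claims.get("sub", "anonymous"),
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect,
                           "Resource": f"{arn_base}/{stage}/*"}],
        },
        # Reaches the integration as $context.authorizer.<key>
        "context": {"scope": claims.get("scope", "")},
    }


if __name__ == "__main__":
    token = make_token({"sub": "user-42", "scope": REQUIRED_SCOPE, "exp": time.time() + 300}, SECRET)
    print(json.dumps(lambda_handler({"type": "TOKEN", "authorizationToken": "Bearer " + token,
                                     "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/GET/items"},
                                    None), indent=2))
```

The distinction between raising `Unauthorized` (invalid or missing token, 401) and returning a Deny policy (valid token without the needed scope, 403) matters with caching enabled: the policy, Allow or Deny, is cached against the token for the configured TTL, so a policy scoped only to the triggering method would produce spurious 403s on the caller's next route.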

## Cognito User Pools

* **Only for authentication**, not authorization.
* A **user pool is a user directory in Amazon Cognito**.
* With a user pool, your **users can sign in to your web or mobile app through Amazon Cognito**.
* Your users can also sign in through **social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers**.
* **No need to write any code**.
