API Gateway Security

IAM Permissions

  • Amazon API Gateway requires that you authenticate every request you send by signing the request.

    • To sign a request, you calculate a digital signature using a cryptographic hash function, which returns a hash value based on the input.

  • Amazon API Gateway supports authentication using AWS Signature Version 4 (Sig v4).

  • Great when you have pre-existing IAM identities.
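As an added example (not part of the original notes), the following Python walks through what "signing the request" with Sig v4 actually involves for a call to an API Gateway endpoint: building the canonical request, the string to sign, the derived signing key, and finally the Authorization header. The host, path, access key and secret below are constructed placeholders, and the path is assumed to contain only unreserved characters (other paths need segment-wise URI encoding before canonicalisation).

```python
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Sig v4 key derivation. The long-term secret never signs a request directly:
    it is narrowed through date, region, service and the literal "aws4_request",
    so a leaked signing key is only useful for that scope and day."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, headers, body, access_key, secret_key,
                 region, amz_date, service="execute-api"):
    """Return the headers a client sends so API Gateway can verify the request.
    amz_date is the ISO 8601 basic timestamp, e.g. 20240101T120000Z."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"

    # 1. Canonical request: a fixed layout of everything the signature covers.
    #    Header names are lower-cased, values trimmed with inner whitespace collapsed.
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    payload_hash = _sha256_hex(body)  # the body is covered too, so it cannot be swapped in transit
    canonical_request = "\n".join(
        [method.upper(), path, canonical_query, canonical_headers, signed_headers, payload_hash]
    )

    # 2. String to sign: algorithm, timestamp, credential scope, hash of the canonical request.
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))]
    )

    # 3. Signature with the derived key, then the Authorization header.
    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    out = dict(hdrs)
    out["authorization"] = authorization
    return out


# Constructed demo values: placeholder credentials and a made-up API host.
DEMO = dict(
    method="GET",
    host="abcdef123.execute-api.us-east-1.amazonaws.com",
    path="/prod/orders",
    query={"limit": "10"},
    headers={},
    body=b"",
    access_key="AKIAEXAMPLEPLACEHOLDER",
    secret_key="EXAMPLESECRETKEYPLACEHOLDER",
    region="us-east-1",
    amz_date="20240101T120000Z",
)

if __name__ == "__main__":
    for name, value in sign_request(**DEMO).items():
        print(f"{name}: {value}")
```

On the receiving side API Gateway repeats the same computation with the secret it holds for the access key in the Credential field, so any change to a signed header, the query string or the body invalidates the signature, and the timestamp in `x-amz-date` bounds how long a captured request stays valid.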

Lambda Authorizer

  • A Lambda authorizer (formerly known as a custom authorizer) is an API Gateway feature that uses a Lambda function to control access to your API.

  • A Lambda authorizer is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller's identity.

  • When a client makes a request to one of your API's methods, API Gateway calls your Lambda authorizer, which takes the caller's identity as input and returns an IAM policy as output.

  • You can cache the authorizer's result to limit the number of calls made to Lambda.

  • Great for 3rd-party tokens.
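As an added example (not part of the original notes), here is a TOKEN-type Lambda authorizer in Python that does what the bullets above describe: it takes the caller's bearer token from the event, validates it, and returns an IAM policy that API Gateway enforces. The token format, its HMAC secret and the `mint_token` helper are constructed for the demo in place of a real OAuth or SAML issuer; the scope-to-method mapping is likewise an assumption.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret standing in for the third-party issuer's key material.
# A real authorizer would fetch verification keys from the issuer (e.g. a JWKS endpoint).
TOKEN_SIGNING_KEY = b"demo-shared-secret-not-for-production"

# Assumed mapping from token scopes to the HTTP methods they permit on the API.
SCOPE_TO_METHODS = {"orders:read": ["GET"], "orders:write": ["POST", "PUT", "DELETE"]}


def mint_token(subject: str, scope: str, expires_at: int) -> str:
    """Constructed stand-in for the token issuer: base64url(claims) + '.' + HMAC hex."""
    payload = json.dumps({"sub": subject, "scope": scope, "exp": expires_at}).encode("utf-8")
    body = base64.urlsafe_b64encode(payload).decode("ascii").rstrip("=")
    sig = hmac.new(TOKEN_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, now: float):
    """Return the claims if the signature checks out and the token is unexpired, else None."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(TOKEN_SIGNING_KEY, body.encode("ascii", "ignore"), hashlib.sha256).hexdigest()
    try:
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (TypeError, ValueError):
        return None
    if not isinstance(claims, dict) or "sub" not in claims or claims.get("exp", 0) <= now:
        return None
    return claims


def build_policy(principal_id: str, api_stage_arn: str, scopes):
    """Build the policy from the caller's scopes rather than from the single method being
    called: API Gateway caches the result per token and re-applies it to every later
    request during the TTL, so the policy must describe everything the caller may do."""
    allowed = [f"{api_stage_arn}/{m}/*" for s in scopes for m in SCOPE_TO_METHODS.get(s, [])]
    if allowed:
        statement = {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": allowed}
    else:
        statement = {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": f"{api_stage_arn}/*"}
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
    }


def lambda_handler(event, context=None, now=None):
    """Entry point API Gateway invokes. Raising Exception('Unauthorized') yields a 401;
    a returned Deny policy yields a 403."""
    now = time.time() if now is None else now
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise Exception("Unauthorized")
    claims = verify_token(token, now)
    if claims is None:
        raise Exception("Unauthorized")
    # methodArn: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
    api_arn, stage = event["methodArn"].split("/")[:2]
    scope = claims.get("scope", "")
    policy = build_policy(claims["sub"], f"{api_arn}/{stage}", scope.split())
    # Passed through to the backend as $context.authorizer.scope
    policy["context"] = {"scope": scope}
    return policy


if __name__ == "__main__":
    demo_event = {  # constructed event of the shape API Gateway sends a TOKEN authorizer
        "type": "TOKEN",
        "authorizationToken": "Bearer " + mint_token("user-42", "orders:read", int(time.time()) + 3600),
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/GET/orders",
    }
    print(json.dumps(lambda_handler(demo_event), indent=2))
```

Two points worth checking in any authorizer of this shape: the token check must fail closed (bad scheme, bad signature, expired, or unparsable claims all end in a 401), and because the cache key is the token, the returned policy should cover the whole API for that caller rather than only the method that triggered the call.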

Cognito User Pools

  • Only for authentication, not authorization.

  • A user pool is a user directory in Amazon Cognito.

  • With a user pool, your users can sign in to your web or mobile app through Amazon Cognito.

  • Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.

  • No need to write any code.
