API Gateway Security

IAM Permissions

  • Amazon API Gateway requires that you authenticate every request you send by signing the request.
    • To sign a request, you calculate a digital signature using a cryptographic hash function, which returns a hash value based on the input.
  • Amazon API Gateway supports authentication using AWS Signature Version 4 (Sig v4).
  • Great when you have pre-existing IAM identities.

Lambda Authorizer

  • A Lambda authorizer (formerly known as a custom authorizer) is an API Gateway feature that uses a Lambda function to control access to your API.
  • A Lambda authorizer is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller's identity.
  • When a client makes a request to one of your API's methods, API Gateway calls your Lambda authorizer, which takes the caller's identity as input and returns an IAM policy as output.
  • You can enable authorizer result caching to limit the number of calls made to the Lambda function.
  • Great for third-party tokens.
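
A token-type Lambda authorizer that takes the caller's bearer token as input and returns an IAM policy as output, as described in the bullets above. This is an added example, not code from the original notes: the HMAC-signed token format, `SECRET`, `make_token` and `verify_token` are assumptions standing in for real OAuth/JWT validation. The Allow policy covers the whole stage so that a cached result stays valid for the API's other methods.

```python
import base64, hashlib, hmac, json, time

# Assumption: a shared HMAC key stands in for the token issuer's verification key.
SECRET = b"constructed-demo-key"  # constructed value; load from a secret store in practice

def make_token(sub, exp, key=SECRET):
    """Build a constructed demo token: base64url(JSON claims) + "." + hex HMAC."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": sub, "exp": exp}).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token, now=None, key=SECRET):
    """Return the subject if signature and expiry check out, otherwise None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] <= (time.time() if now is None else now):
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):  # malformed token: fail closed
        return None

def policy(principal, effect, resource):
    """Authorizer response: a principal plus an IAM policy for execute-api:Invoke."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def handler(event, context=None):
    """TOKEN authorizer entry point; the event carries authorizationToken and methodArn."""
    arn = event["methodArn"]
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    sub = verify_token(token) if scheme.lower() == "bearer" else None
    if sub is None:
        return policy("anonymous", "Deny", arn)
    # methodArn is arn:...:apiId/stage/VERB/path. With caching on, the policy is
    # reused for later calls with the same token, so allow the whole stage.
    stage_arn = "/".join(arn.split("/")[:2])
    return policy(sub, "Allow", f"{stage_arn}/*")
```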

Cognito User Pools

  • Only for authentication, not authorization.
  • A user pool is a user directory in Amazon Cognito.
  • With a user pool, your users can sign in to your web or mobile app through Amazon Cognito.
  • Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.
  • No need to write any code.