API Gateway Security

Security

  • IAM Permissions
    • Create an IAM Policy granting authorisation and attach it to a User / Role
    • AWS API Gateway verifies IAM permissions passed by the calling application
    • Good to provide access within your own infrastructure
    • Leverages "[[Sig v4]]" capability where IAM credentials are in headers
    • Great for users / roles already within your AWS account
  • [[Lambda Authorized]] (formerly Custom Authorisers)
    • Uses AWS Lambda to validate the token in header being passed
    • Option to cache result of authentication
    • Helps to use [[OAuth]] / [[SAML]] / 3rd party type of authentication
    • Lambda must return an IAM Policy for the user
    • Pay per Lambda invocation
  • AWS Cognito User Pools
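
The Lambda authorizer flow above (validate the token from the header, return an IAM Policy, allow for caching), sketched as an added example that is not from the original notes. The HMAC-signed token format, `SECRET`, `make_token`, `verify_token` and `stage_resource` are assumptions standing in for real OAuth / SAML / third-party verification.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: constructed token "<b64url(json claims)>.<hex hmac>"; placeholder key.
SECRET = b"example-only-secret"

def make_token(sub, exp, secret=SECRET):
    body = base64.urlsafe_b64encode(json.dumps({"sub": sub, "exp": exp}).encode()).decode()
    return body + "." + hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):  # constant-time compare
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):  # malformed token, bad base64/JSON
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

def stage_resource(method_arn):
    # arn:aws:execute-api:region:acct:apiId/stage/METHOD/path -> .../stage/*/*
    # With caching on, the cached policy is reused for the same token on other
    # methods, so a policy scoped to one methodArn would deny those calls.
    prefix, stage = method_arn.split("/")[:2]
    return f"{prefix}/{stage}/*/*"

def handler(event, context=None):
    # TOKEN authorizer event: the header value arrives in "authorizationToken".
    token = event.get("authorizationToken", "").split(" ", 1)[-1]  # drop "Bearer "
    claims = verify_token(token)
    if claims is None:
        raise Exception("Unauthorized")  # API Gateway returns 401 for this
    return {
        "principalId": claims["sub"],
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": "Allow",
                           "Resource": stage_resource(event["methodArn"])}],
        },
        "context": {"sub": claims["sub"]},  # passed through to the backend
    }
```

Keep the expiry check inside the authorizer and the cache TTL short, since a cached Allow keeps being served for that token until the TTL runs out.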