2.1.2.2. API Gateway Authorization (IAM, Cognito)
First Principle: API Gateway authorization secures your APIs by controlling who can access them, protecting your application's backend logic and data.
Access control is a critical aspect of securing your APIs. Amazon API Gateway offers various mechanisms to authorize API calls, ensuring only authenticated and authorized users or services can interact with your backend.
Key API Gateway Authorization Options:
- IAM Authorization: Uses AWS Identity and Access Management (IAM) roles and policies to control access. Ideal for internal APIs accessed by other AWS services or IAM users who have AWS credentials.
- Amazon Cognito User Pool Authorizers: Integrates with Amazon Cognito User Pools (a managed user directory). Ideal for external-facing APIs (web, mobile apps) where you manage users and their authentication. Cognito handles user sign-up, sign-in, and token issuance.
- Lambda Authorizers (formerly Custom Authorizers): A Lambda function you provide that inspects the incoming request and returns an IAM policy document allowing or denying it. Offers highly flexible, custom authorization logic.
- API Keys: A simple method where clients include an API key in a request header. Provides a basic level of access control, mainly used for usage plans and throttling; not a strong authentication mechanism on its own.
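Added example (not from the original notes): a minimal TOKEN-type Lambda authorizer in Python showing the allow/deny policy document described above. The token format, the signing key and the hypothetical user ids are constructed for the example; a real authorizer would validate a Cognito or other JWT instead.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment keeps this in Secrets Manager or SSM, never in code.
DEMO_SIGNING_KEY = b"demo-signing-key-not-a-real-secret"


def make_demo_token(user: str) -> str:
    """Constructed token format: '<user>.<base64url(HMAC-SHA256(key, user))>'."""
    tag = hmac.new(DEMO_SIGNING_KEY, user.encode(), hashlib.sha256).digest()
    return user + "." + base64.urlsafe_b64encode(tag).rstrip(b"=").decode()


def _valid_principal(token: str):
    """Return the user id if the token's tag verifies, else None."""
    try:
        user, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = make_demo_token(user).split(".", 1)[1]
    # Constant-time comparison so tag mismatches do not leak timing information.
    return user if hmac.compare_digest(expected.encode(), tag.encode()) else None


def build_policy(principal_id: str, effect: str, method_arn: str) -> dict:
    # Resource is scoped to the invoked method ARN rather than '*', so a cached
    # Allow for one route cannot be replayed against another route.
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
        "context": {"user": principal_id},  # forwarded to the backend as request context
    }


def handler(event, context=None):
    """Entry point. API Gateway passes 'authorizationToken' and 'methodArn' in the event."""
    auth = event.get("authorizationToken", "")
    if not auth.startswith("Bearer "):
        raise Exception("Unauthorized")  # API Gateway maps this to HTTP 401
    user = _valid_principal(auth[len("Bearer "):])
    if user is None:
        return build_policy("anonymous", "Deny", event["methodArn"])  # HTTP 403
    return build_policy(user, "Allow", event["methodArn"])
```

Raising "Unauthorized" yields a 401 for a missing credential, while an explicit Deny policy yields a 403 for a present but invalid one; the distinction helps when reading access logs.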
Scenario: You're developing a public-facing API for a mobile application, and you need to manage user authentication (sign-up, sign-in) and authorize access to your API endpoints based on authenticated user identities. Additionally, you have some internal APIs that should only be accessible by specific IAM roles.
Reflection Question: How would you use Amazon Cognito User Pool Authorizers for your public APIs and IAM authorization for internal APIs to secure your API Gateway endpoints and protect your application's backend logic?