2.1.2.2. API Gateway Authorization (IAM, Cognito)
First Principle: API Gateway authorization secures your APIs by controlling who can access them, protecting your application's backend logic and data.
Access control is a critical aspect of securing your APIs. Amazon API Gateway offers various mechanisms to authorize API calls, ensuring only authenticated and authorized users or services can interact with your backend.
- IAM Authorization: Uses AWS Identity and Access Management (IAM) roles and policies to control access. Ideal for internal APIs accessed by other AWS services or IAM users who have AWS credentials.
- Amazon Cognito User Pool Authorizers: Integrates with Amazon Cognito User Pools (a managed user directory). Ideal for external-facing APIs (web and mobile apps) where you manage users and their authentication. Cognito handles user sign-up, sign-in, and token issuance.
- Lambda Authorizers (formerly Custom Authorizers): A Lambda function that you provide, which processes incoming requests and returns an IAM policy document to allow or deny the request. Offers highly flexible and custom authorization logic.
- API Keys: A simple method where clients must include an API key in the request header. Provides a basic level of access control, often used for usage plans and throttling. Not a strong authentication mechanism on its own; pair it with one of the authorizers above.
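To make the Lambda authorizer bullet concrete, here is an added example (not code from the page or from AWS) of a TOKEN-type authorizer handler that returns the IAM policy document API Gateway expects. The token table, method ARN and scope names are constructed for illustration; a real authorizer would verify a signed JWT such as a Cognito User Pool token against the issuer's public keys.

```python
"""Lambda authorizer (TOKEN type) that returns an IAM policy document."""
from typing import Any, Dict, Optional

# Constructed stand-in for token verification (not real credentials):
# in production, validate a signed JWT and read the claims from it.
KNOWN_TOKENS = {
    "token-alice": {"sub": "alice", "scope": "orders:read"},
    "token-bob": {"sub": "bob", "scope": "orders:read orders:write"},
}


def build_policy(principal_id: str, effect: str, method_arn: str,
                 context: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Shape the response API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,        # "Allow" or "Deny"
                # Scope Resource to the invoked method rather than "*".
                # Caveat: with authorizer caching on, this policy is reused
                # for other methods called with the same token.
                "Resource": method_arn,
            }],
        },
        # Forwarded to the backend as $context.authorizer.<key>.
        "context": context or {},
    }


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    token = event.get("authorizationToken", "")
    method_arn = event["methodArn"]
    if not token.startswith("Bearer "):
        # API Gateway maps this exact message to an HTTP 401 response.
        raise Exception("Unauthorized")
    claims = KNOWN_TOKENS.get(token[len("Bearer "):])
    if claims is None:
        raise Exception("Unauthorized")
    # methodArn: arn:aws:execute-api:<region>:<acct>:<api-id>/<stage>/<VERB>/<path>
    verb = method_arn.split("/")[2]
    required = "orders:write" if verb in ("POST", "PUT", "DELETE") else "orders:read"
    effect = "Allow" if required in claims["scope"].split() else "Deny"
    return build_policy(claims["sub"], effect, method_arn, {"scope": claims["scope"]})
```

A valid token with insufficient scope yields a Deny policy (HTTP 403), while a missing or unknown token raises "Unauthorized" (HTTP 401), so the two failure modes stay distinguishable in access logs.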
Scenario: You're developing a public-facing API for a mobile application, and you need to manage user authentication (sign-up, sign-in) and authorize access to your API endpoints based on authenticated user identities. Additionally, you have some internal APIs that should only be accessible by specific IAM roles.
⚠️ Exam Trap: Cognito User Pools handle authentication (who are you?). Cognito Identity Pools handle authorization (what AWS resources can you access?). The exam frequently tests this distinction.
