API Gateway Authorisation And Authentication

IAM

Cognito user pools

  • Can use AWS Cognito for fully managed user lifecycle and token expiry for authentication
  • Must implement authorisation in the backend

Lambda Authorizer (formerly Custom Authorizers)

  • Good for third-party authentication systems
  • Token-based: a bearer token (JWT, OAuth) is passed to AWS Lambda for authorisation
  • Request parameter-based authorizer (headers, query string, stage variables)
  • Lambda then has to return the IAM policy for the user; the resulting policy is cached
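The following is an added example, not part of these notes or any AWS sample code: a token-based Lambda authorizer in Python that verifies a bearer JWT, derives the caller's permissions from a claim, and returns the IAM policy document API Gateway expects. The same claim check is what the backend must do itself under a Cognito user pool authorizer. Assumptions: the token is HS256-signed with a constructed shared secret (a real Cognito or third-party token would be RS256 and verified against the issuer's JWKS), the `groups` claim and the `GROUP_PERMISSIONS` mapping are hypothetical, and the sample ARNs and account id are constructed.

```python
"""Token-based Lambda authorizer for API Gateway (added example, constructed inputs)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed, hypothetical signing secret. A real deployment would verify an
# RS256 token against the identity provider's JWKS instead of a shared secret.
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Hypothetical mapping from the caller's "groups" claim to the
# (HTTP method, resource path) patterns each group may invoke within a stage.
GROUP_PERMISSIONS = {
    "readers": [("GET", "*")],
    "admins": [("*", "*")],
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256 JWT. Used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Check signature and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def build_policy(principal_id: str, method_arn: str, groups, context=None) -> dict:
    """Return the response shape API Gateway expects from a Lambda authorizer."""
    # methodArn looks like arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/path.
    # The returned policy is cached per token for authorizerResultTtlInSeconds, so
    # it is scoped to the whole stage rather than to the single methodArn being
    # invoked; a policy naming only this ARN would produce 403s on every other
    # method the same caller hits while the cache entry is alive.
    api_arn, stage = method_arn.split("/")[:2]
    resources = sorted(
        {f"{api_arn}/{stage}/{method}/{path}"
         for group in groups for method, path in GROUP_PERMISSIONS.get(group, [])}
    )
    statement = {
        "Action": "execute-api:Invoke",
        "Effect": "Allow" if resources else "Deny",  # explicit Deny -> HTTP 403
        "Resource": resources or [method_arn],
    }
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        "context": context or {},  # values must be string, number or boolean
    }


def lambda_handler(event, context=None, now=None) -> dict:
    """Entry point for a TOKEN-type authorizer event."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise Exception("Unauthorized")  # API Gateway maps this message to HTTP 401
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        raise Exception("Unauthorized")
    groups = claims.get("groups", [])
    return build_policy(claims["sub"], event["methodArn"], groups, {"groups": ",".join(groups)})


if __name__ == "__main__":
    sample_token = make_token({"sub": "user-1", "groups": ["readers"], "exp": 2000000000})
    sample_event = {
        "type": "TOKEN",
        "authorizationToken": "Bearer " + sample_token,
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders",
    }
    print(json.dumps(lambda_handler(sample_event), indent=2))
```

Raising `Exception("Unauthorized")` is what makes API Gateway answer 401 for a missing, tampered or expired token; returning a policy whose only statement is `Deny` yields 403 instead. Because the result is cached by token, the cache TTL is also the upper bound on how long a revoked token keeps working, which is a reason to keep the TTL short or leave it at zero for sensitive APIs.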