In security and access control, authentication and authorization are two distinct yet interconnected concepts. Authentication is the process of confirming the identity of a user or system, while authorization defines the actions that the authenticated user is permitted to perform within your system. Although API Gateway integrates directly with Cognito, it lacks built-in support for fine-grained authorization. In a previous article, we looked at implementing fine-grained authorization using a...
about 1 month ago • 4 min read
A common narrative is that one should always use access tokens to call your APIs, while ID tokens are strictly for identifying users. Some of it has come from this article by Auth0 [1], which makes a strong statement about using ID tokens: However, things are usually more nuanced. In some cases, using ID tokens instead of access tokens is both acceptable and pragmatic. Cognito User Pools might be one of these cases. Cost of using access tokens The common practice amongst Cognito users is to...
about 1 month ago • 3 min read
In security and access control, authentication and authorization mean two distinct but related things. Authentication verifies the identity of a user or system. Authorization determines what actions an authenticated user is allowed to perform in your system. API Gateway has built-in integration with Cognito, but it doesn’t provide any fine-grained authorization out-of-the-box. By default, a Cognito authorizer only checks if a user’s bearer token is valid and that the user belongs to the right...
about 2 months ago • 2 min read
Back in 2018, I shared [1] several ways to implement fan-out/fan-in with Lambda. A lot has changed since, so let’s explore the solution space in 2024. Remember, what’s “best” depends on your context. I will do my best to outline the trade-offs you should consider. Also, I will only consider AWS services in this post. But there is a wealth of OpenSource/3rd-party services that you can use too, such as Restate. If you’re not sure whether you need fan-out/fan-in or map-reduce, then you should my...
2 months ago • 5 min read
Many students and clients have asked me how to implement Map-Reduce workloads serverlessly. In most cases, they are actually asking about Fan-Out/Fan-In! At a glance, the two patterns look very similar and they are often used interchangeably in conversations. So in this post, let's compare them and see how they differ. Why? Because names matter ;-) Fan-Out/Fan-In Fan-Out and Fan-In are two patterns that are often used together to divide and conquer a large task by: Divide the task into...
3 months ago • 2 min read
If you’re using CDK, you should use L3 constructs to encapsulate common patterns and best practices in your architecture. The ability to create reusable, higher-level components is where CDK shines over other IaC tools such as SAM and Serverless Framework. However, as Matt Bonig pointed out [1], sharing these reusable L3 constructs across organizations is difficult. Because every organization has its own quirks and requirements. As a construct author, it’s impossible to predict all these...
3 months ago • 1 min read
There is often the sense that going serverless means going microservices and event-driven architectures, too. That's NOT TRUE! They are related but ultimately separate design choices. So much of software engineering is about making smart choices. Often, when I see teams struggle to adopt serverless, it's because they try to take on too many new ideas at once. A marathon, not a sprint I have seen many ambitious teams that want to modernise their application and go from on-premise monoliths to:...
4 months ago • 2 min read
Events and Commands are often used side-by-side in event-driven architectures. Knowing their differences is important so you can choose the right approach to handling them and choose the right technology stack. Event vs. Command An event is a notification that something has already happened. It's a fact, and it’s immutable. e.g. a customer placed an order. Events are not directed at anyone, and we don't care how many (if any) subscribers are listening. A command is a request to perform a...
4 months ago • 1 min read
A common challenge in building GenAI applications today is the slow performance of most LLMs (except ChatGPT 4-o and Groq). To minimize delays and enhance user experience, streaming the LLM response is a must. As such, we see a common pattern emerge in AppSync: The caller makes a GraphQL request to AppSync. AppSync invokes a Lambda resolver. The Lambda function queues up a task in SQS. The Lambda resolver returns so that AppSync can respond to the caller immediately. In the meantime, a...
5 months ago • 1 min read
