Fine-grained access control in API Gateway with Cognito groups & Lambda authorizer
|
In security and access control, authentication and authorization mean two distinct but related things. Authentication verifies the identity of a user or system. Authorization determines what actions an authenticated user is allowed to perform in your system. API Gateway has built-in integration with Cognito, but it doesn’t provide any fine-grained authorization out-of-the-box. By default, a Cognito authorizer only checks if a user’s bearer token is valid and that the user belongs to the right Cognito User Pool. Here are many ways you can implement a fine-grained authorization with API Gateway. Here are three that I have come across over the years:
Over the next few weeks, let’s look at these approaches in-depth and then compare them at the end. Today, let’s look at Lambda authorizer with Cognito groups. Model roles with Cognito groupsIn Cognito, you can use groups to model the different roles in your system, e.g.
Users can belong to more than one group at once, just as they can have multiple roles within a system. Cognito encodes the groups a user belongs to in the ID token. If you decode the ID token, you will see something like this: Here, we can see the user belongs to both the Lambda authorizerA Lambda authorizer can use this information to generate its policy document. As a reminder, a Lambda authorizer can return a policy document like this: So, we need to take the list of groups a user belongs to and turn them into a set of policy statements.
One approach is to keep a mapping in your code like this. In many systems, there are a small number of roles that supersede each other. That is, they are hierarchical, and a higher role has all the permissions of a lower role plus some.
In this case, we need to find the most permissive role that the user has. But what if the roles are more lateral? That is, a user’s permissions are derived from all its roles.
Well, that’s easy enough to accommodate. ConclusionThis is my preferred approach for simple use cases. It’s easy to follow and test and makes no API calls (i.e. no extra latency overhead). Furthermore, it does not require Cognito’s Advanced Security Features, which are charged at a much higher rate [2]. This makes it a very cost-efficient approach.
However, using a Lambda authorizer means you need to think about cold starts and their impact on user experience. Also, the roles and policies are static. Whilst it’s good enough for most simple use cases, it cannot (easily) support more advanced use cases. For example, if you need to allow users to create custom roles while maintaining the tenant boundary. Amazon Verified Permissions is a better fit for more advanced use cases. More on it later. Links |
Master Serverless
Join 16K readers and level up you AWS game with just 5 mins a week.
A common challenge when building APIs is supporting multiple live versions without letting the system turn into an unmaintainable mess. You need to keep older versions running for existing clients, roll out new versions safely, and avoid breaking changes that might take down production. And you need to do all that without duplicating too much infrastructure or introducing spaghetti logic inside your code. There’s no official pattern for versioning APIs in API Gateway + Lambda. API Gateway...
I recently shared six event versioning strategies for event-driven architectures [1]. In response to this, Marty Pitt reached out and showed me how Orbital [2] and Taxi [3] use semantic tags to eliminate schema coupling in event-driven architectures and simplify the schema management. It's a novel way to manage schema evolution, and I want to share what I learnt with you. Problems with Schema Coupling In an event-driven architecture, event consumers are typically coupled to the schema of the...
Last week, we looked at 6 ways to version event schemas [1] and found the best solution is to avoid breaking changes and minimise the need for versioning. But how exactly do you do that? How can you prevent accidental breaking changes from creeping in? You can detect and stop breaking changes: At runtime, when the events are ingested; During development, when schema changes are made; Or a combination of both! Here are three approaches you should consider. 1. Consumer-Driven Contracts In...