Fine-grained access control in API Gateway with Cognito groups & Lambda authorizer
|
In security and access control, authentication and authorization mean two distinct but related things. Authentication verifies the identity of a user or system. Authorization determines what actions an authenticated user is allowed to perform in your system. API Gateway has built-in integration with Cognito, but it doesn’t provide any fine-grained authorization out-of-the-box. By default, a Cognito authorizer only checks if a user’s bearer token is valid and that the user belongs to the right Cognito User Pool. Here are many ways you can implement a fine-grained authorization with API Gateway. Here are three that I have come across over the years:
Over the next few weeks, let’s look at these approaches in-depth and then compare them at the end. Today, let’s look at Lambda authorizer with Cognito groups. Model roles with Cognito groupsIn Cognito, you can use groups to model the different roles in your system, e.g.
Users can belong to more than one group at once, just as they can have multiple roles within a system. Cognito encodes the groups a user belongs to in the ID token. If you decode the ID token, you will see something like this: Here, we can see the user belongs to both the Lambda authorizerA Lambda authorizer can use this information to generate its policy document. As a reminder, a Lambda authorizer can return a policy document like this: So, we need to take the list of groups a user belongs to and turn them into a set of policy statements.
One approach is to keep a mapping in your code like this. In many systems, there are a small number of roles that supersede each other. That is, they are hierarchical, and a higher role has all the permissions of a lower role plus some.
In this case, we need to find the most permissive role that the user has. But what if the roles are more lateral? That is, a user’s permissions are derived from all its roles.
Well, that’s easy enough to accommodate. ConclusionThis is my preferred approach for simple use cases. It’s easy to follow and test and makes no API calls (i.e. no extra latency overhead). Furthermore, it does not require Cognito’s Advanced Security Features, which are charged at a much higher rate [2]. This makes it a very cost-efficient approach.
However, using a Lambda authorizer means you need to think about cold starts and their impact on user experience. Also, the roles and policies are static. Whilst it’s good enough for most simple use cases, it cannot (easily) support more advanced use cases. For example, if you need to allow users to create custom roles while maintaining the tenant boundary. Amazon Verified Permissions is a better fit for more advanced use cases. More on it later. Links |
Master Serverless
Join 17K readers and level up you AWS game with just 5 mins a week.
Modern applications rarely do just one thing at a time. An API request creates an order, and then another service needs to reserve stock, another to charge the customer, another to send an email, and so on. In a serverless or event-driven architecture, follow-up actions are usually triggered by messages (either events or commands). That gives us loose coupling, better scalability, and independent services. But it also introduces a reliability problem. “What happens when the database update...
If you use Claude Code a lot, you’ve probably run into usage limits, sometimes even in short coding sessions. But cost isn’t the only problem. In long-running sessions, the context window eventually fills up, and that can cause the agent to forget earlier decisions, lose important details, or come back from compaction with gaps in its working memory. Here are three tools worth checking out if you want to reduce token usage and make longer coding sessions possible. 1. CavemanThis is a Claude...
AI agents can now scan an entire open-source codebase for exploitable vulnerabilities in hours. Frontier models carry the complete library of known bug classes in their weights. So you can simply point an AI agent at a codebase and tell it to find zero-days. This isn't theoretical. Willy Tarreau, the HAProxy lead developer, reports that security bug reports have jumped from 2–3 per week to 5–10 per day. Greg Kroah-Hartman, the Linux kernel maintainer, described what happened: "Months ago, we...