AWS API gateway authorizer: Cognito + IP Whitelisting

Question

Lets say I have an Admin API where I want to use Cognito to authenticate the user is in a specific group + from a whitelisted IP, how should I do that?

Am I right to say:

I cannot use a Cognito authorizer since it only checks if the user is in a userpool and nothing more
If I need to write a custom authorizer, I will need to follow https://aws.amazon.com/blogs/compute/using-enhanced-request-authorizers-in-amazon-api-gateway/ correct? I cannot use the IAM way to do IP whitelisting https://lobster1234.github.io/2018/04/14/amazon-api-gateway-ip-whitelisting/

Ashan Ashan · Accepted Answer · 2018-08-26T11:12:35

Yes. For your use case, you need to use a Custom Authorizer which does the following,

Validation of Cognito Token
Verify whether the Cognito User belongs to a particular group (Or use Cognito UserPool Groups)
Dynamically generate API Gateway Policy granting the authorized endpoints.
Check the whitelisted IPs (Need to allow Enhanced Request Headers to the Custom Authorizer to read the requester's IP). If there are only a few users who added manually and infrequently, along with their IP addresses, you can consider the Amazon API Gateway IP Whitelisting with a Resource Policy.

AWS API gateway authorizer: Cognito + IP Whitelisting

1 Answers