
I am trying to create APIs using API gateway and Lambda functions.

Based on the user group (not the Cognito user groups), I want to provide access to separate DynamoDB tables.

The approach I am following is, I am creating a separate Cognito user pool for every group of users.

When the user logs in, he is authenticated with the appropriate user pool.

For calling the subsequent APIs, I am planning to make use of Lambda authorizer.

The user will pass the ID token in the HTTP header request and I want to validate this ID token.

Is this the right approach? Or is there any better approach for implementing this workflow?

Can we make use of Cognito user groups and will it be a secure approach?

I want to strictly separate the tables of one user group from another.

I came across the link below for verifying the ID token.

https://github.com/awslabs/aws-support-tools/blob/master/Cognito/decode-verify-jwt/decode-verify-jwt.js


1 Answer


There are some proven architectures and tools provided by AWS to simplify the above use case.

There is no need for multiple user pools for this use case. It can be handled with a single user pool.

A simple architecture can be UI -> API Gateway -> Lambda -> DynamoDB.

Users in a Cognito user pool can be added to groups and assigned IAM policies. API Gateway can then be configured with an IAM or Cognito authorizer. Each Lambda written to access a different DynamoDB table can be authorized at the API layer.

There is no need for a custom authorizer in this case.

Use AWS Amplify for user authentication and all other communication. Amplify will handle the token-passing part by itself without any extra code written. JWT tokens can be read, validated and used logically in the client UI layer as well as in server code (Lambda) seamlessly in this approach. The same token is used in API Gateway for authorization by default (without any code written).

Cognito user pools and identity pools are enterprise-grade AWS solutions, and AWS Amplify complements them with a highly secure implementation of the SigV4, SRP, etc. protocols, which are very tough and complicated to implement in custom code.
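The single-pool design in the answer above still needs one decision made in code: the Lambda has to map the caller's Cognito group to a table and refuse anything else. The handler below is an added example, not code from the original post or from AWS. It assumes an API Gateway REST API with a Cognito user pool authorizer, which forwards the ID-token claims (already signature-checked by the authorizer) at `event["requestContext"]["authorizer"]["claims"]`; the group names, table names and `get_item` accessor are illustrative. Because API Gateway stringifies array claims, `cognito:groups` may arrive as `"[tenant-a tenant-b]"` rather than a list, so the parser accepts both. A caller in zero or more than one known group is rejected, so a mistaken group assignment fails closed instead of silently picking a table.

```python
"""Lambda handler that selects a DynamoDB table from the caller's Cognito group.

Added example, not from the original post. Assumes a REST API with a Cognito
user pool authorizer, which places the verified ID-token claims at
event["requestContext"]["authorizer"]["claims"]. Group and table names are
assumptions for illustration.
"""
import json
import re

# Allowlist: only groups listed here can reach any table (assumed names).
GROUP_TABLES = {
    "tenant-a": "orders-tenant-a",
    "tenant-b": "orders-tenant-b",
}


def parse_groups(claims):
    """Return the caller's Cognito groups as a list of strings.

    cognito:groups is an array in the ID token, but API Gateway flattens
    claims to strings for REST APIs (e.g. "[tenant-a tenant-b]"). Accept a
    real list, that bracketed form, and a comma-separated string.
    """
    raw = claims.get("cognito:groups")
    if raw is None:
        return []
    if isinstance(raw, list):
        return [str(g) for g in raw]
    text = str(raw).strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return [g for g in re.split(r"[,\s]+", text) if g]


def resolve_table(event):
    """Map the caller to exactly one allowlisted table or raise PermissionError."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims")
    if not claims:
        raise PermissionError("no authorizer claims on request")
    known = [g for g in parse_groups(claims) if g in GROUP_TABLES]
    if len(known) != 1:
        # Zero groups: unauthorised. Several known groups: ambiguous, fail closed.
        raise PermissionError("caller must belong to exactly one known group")
    return GROUP_TABLES[known[0]]


def handler(event, context=None, get_item=None):
    """Lambda entry point.

    get_item(table_name, key) is injected so the example runs offline; in a
    real deployment it would wrap a boto3 DynamoDB get_item call.
    """
    try:
        table = resolve_table(event)
    except PermissionError as exc:
        return {"statusCode": 403, "body": json.dumps({"error": str(exc)})}
    key = {"pk": event.get("pathParameters", {}).get("id", "")}
    item = get_item(table, key) if get_item else None
    return {"statusCode": 200, "body": json.dumps({"table": table, "item": item})}


if __name__ == "__main__":
    # Constructed event in the shape a Cognito-authorized REST API delivers.
    sample = {
        "requestContext": {"authorizer": {"claims": {"sub": "abc", "cognito:groups": "[tenant-a]"}}},
        "pathParameters": {"id": "42"},
    }
    print(handler(sample, None, lambda t, k: {"pk": k["pk"], "source": t}))
```

The group-to-table mapping belongs alongside the per-group IAM policies the answer mentions, not instead of them: the IAM policy stops the Lambda role from reaching the wrong table even if this code regresses, and this code stops a valid caller from selecting a table the policy would otherwise permit.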