1
votes

Is it possible to make user specific permissions with Cognito by using 'Deny' policies and attaching them to a role with an identity pool?

I have an API where I want to restrict the access to some endpoints for specific users in my user pool. I created the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:REGION:*:API_ID/*/*/*"
            ]
        }
    ]
}

I then attached this policy to a Web Identity role and assigned this role to a group in my user pool. I pass the Identity Token given by Cognito to the Cognito authorizer, and unfortunately, even users in this group can still access the endpoint.

Is there a way to make user specific permissions for an API using just the ID or Access token provided by Cognito? If not, then what do I have to do?

1 Answer

2
votes

The Cognito Authorizer for API Gateway (which uses the ID token) does not check the claims or the IAM policies assigned to the user. If you are passing the ID Token while making a request to your API, API Gateway only checks whether the ID Token is valid. For your use case, you may enable IAM-based authentication on your API or use a Lambda authorizer. In a Lambda authorizer, you can pass the Cognito token, decode it and, based on the group information, generate an Allow or Deny policy for the particular request.
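To illustrate the Lambda authorizer approach from the answer, here is an added example (not code from the question or from AWS) of a TOKEN authorizer that reads the `cognito:groups` claim and returns a Deny policy for members of a restricted group and an Allow policy for everyone else. The group name, the method ARN and the sample tokens are constructed, and the example assumes the token's signature and expiry were already verified against the user pool's JWKS before the claims are trusted.

```python
import base64
import json

# Groups (from the user pool's "cognito:groups" claim) that must be denied the
# restricted endpoints. The group name is an assumption for this example.
RESTRICTED_GROUPS = {"restricted-users"}

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the payload claims of a JWT. Assumes the signature and expiry
    were already verified against the user pool's JWKS; a real authorizer
    must do that before trusting any claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def build_policy(principal_id, effect, method_arn):
    # Shape of the response API Gateway expects from a Lambda authorizer.
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }

def authorize(event):
    """Handler body: decide Allow/Deny for one request from the caller's groups."""
    claims = decode_claims(event["authorizationToken"])
    groups = set(claims.get("cognito:groups", []))
    # Deny wins if the caller belongs to any restricted group; otherwise Allow.
    effect = "Deny" if groups & RESTRICTED_GROUPS else "Allow"
    return build_policy(claims["sub"], effect, event["methodArn"])

def _constructed_token(claims):
    """Build an unsigned sample JWT for the constructed inputs below (not a real Cognito token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(claims)}."

METHOD_ARN = "arn:aws:execute-api:REGION:123456789012:API_ID/prod/GET/admin"  # constructed
RESTRICTED_USER = _constructed_token({"sub": "user-1", "cognito:groups": ["restricted-users"]})
NORMAL_USER = _constructed_token({"sub": "user-2", "cognito:groups": ["customers"]})
```

Because API Gateway caches the returned policy per token for the authorizer's TTL, a policy scoped to a single method ARN can affect later calls to other methods with the same token; widen the Resource or set the TTL accordingly.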