3

I'm quite new to AWS and I try to understand some basic concepts. In my Android app, I use:

  • Cognito User Pool and Identity Pool to allow my users to register and sign in, but also to use the app as guest users
  • API Gateway and AWS Lambda to create webservices that the app can call

My use case is very simple: I want some of the APIs I created in API Gateway to be available for my authenticated users and my guest users, and the other APIs available for my authenticated users only.

For the APIs available for my authenticated users only, I was thinking putting the users in a group of users (thanks to CognitoIdentityServiceProvider.adminAddUserToGroup()), that can have a common role with an IAM strategy attached to it, to allow them to access those APIs. I think it makes sense since I'll have different types of users, so I'll use a group for each type.

But for the APIs available for my authenticated users and my guest users, I'm not quite sure of what I'm supposed to do. Should the APIs be public, so they can be called by anyone including my guest users, or is it possible to make them only available for my authenticated users and my guest users, but without being public? What are the good practices and how can I achieve them?

Thanks for your help.

matteoh

2 Answers

3

You should use "API Gateway Lambda Authorizers" for this. You configure the authorizer per method. So, only the endpoints reserved for authenticated users should have one set.

How do they work?

Every time a request hits an endpoint with an Authorizer configured, API Gateway will trigger it with the request information. The authorizer then checks if the request has the proper credentials. If it does, then an IAM policy is returned. The method execution call (another Lambda function for example) will consume this policy. Otherwise, the authorizer will return an error status code, say a 403 Access Denied.

In your case, since you are using Cognito, you can use a Cognito User Pool Authorizer. You can create it using Cognito's SDK or AWS cli. After you configure it the only thing you have to do is append the id or access token provided by Cognito after a user authenticates. It's usually served inside the Authorization header.

I hope it helps.

guzmonne
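Added example (not code from the answer above or from AWS): a Lambda authorizer in Python that does what the answer describes, in three steps: read the token from the Authorization header, verify it, and hand back an IAM policy that either allows or denies `execute-api:Invoke` on the method being called. It also checks the `cognito:groups` claim, so the "members only" endpoints from the question can be gated on group membership. The issuer, app client id and group name are placeholders, and the signature check uses an HMAC secret so the example runs offline; real Cognito tokens are RS256-signed and must be verified against the user pool's JWKS (`/.well-known/jwks.json`), typically with a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Everything below is constructed for the example. Real Cognito tokens are
# RS256-signed and verified against the user pool's JWKS; the HMAC secret is a
# stand-in so that the example runs without network access.
DEMO_SECRET = b"demo-signing-secret-not-for-production"
EXPECTED_ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"  # placeholder
EXPECTED_AUDIENCE = "example-app-client-id"  # placeholder app client id
REQUIRED_GROUP = "members"  # placeholder group name, looked up in cognito:groups


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_demo_token(claims):
    """Mint an HS256 JWT for testing only; in production Cognito mints the tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token, now=None):
    """Return the verified claims or raise ValueError.
    The signature is checked before any claim in the body is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != "id" or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("not an id token issued for this app client")
    return claims


def build_policy(principal_id, effect, method_arn):
    """The response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }


def lambda_handler(event, context=None, now=None):
    """Entry point for a REQUEST-type authorizer: reads the Authorization header,
    verifies the token, and allows only members of REQUIRED_GROUP."""
    auth_header = event.get("headers", {}).get("Authorization", "")
    token = auth_header[len("Bearer "):] if auth_header.startswith("Bearer ") else auth_header
    try:
        claims = verify_token(token, now)
    except ValueError:
        # A Deny policy makes API Gateway answer 403; raising Exception("Unauthorized")
        # instead would make it answer 401.
        return build_policy("anonymous", "Deny", event["methodArn"])
    if REQUIRED_GROUP not in claims.get("cognito:groups", []):
        return build_policy(claims["sub"], "Deny", event["methodArn"])
    return build_policy(claims["sub"], "Allow", event["methodArn"])
```

The order of checks matters: signature first, then expiry, issuer, token type and audience, and only then the group claim, since a forged or expired token must never reach the authorization decision. Scoping the returned policy to `event["methodArn"]` rather than a wildcard keeps a cached authorizer response from granting more than the single method it was issued for.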
3

Here is how I did it, using the console:

  1. In API Gateway, click on the resource, then the method (GET, POST...)
  2. Click on Method Request
  3. For Authorization, choose AWS_IAM
  4. In Cognito, choose Manage Identity Pools
  5. Create (or edit) the identity pool you use with your Cognito User Pool
  6. In the Unauthenticated identities block, check Enable access to unauthenticated identities
  7. On the same page (at least if you edit the identity pool), you should also see the Authenticated role and the Unauthenticated role
  8. Go to IAM, and in Roles, find those two roles
  9. For each role, click on it, and in the Permissions tab, click on the policy attached to that role to view it (with the little arrow on the left)
  10. Click on Edit policy, then the JSON tab, then add the following block (you can find the ARN by going to API Gateway, click on your API, click on your resource, click on your method: you'll find the ARN in the Method request block):
{
    "Effect": "Allow",
    "Action": [
        "execute-api:Invoke"
    ],
    "Resource": "<the_arn_of_your_resource_api>"
}
  11. Click on Review policy, then Save changes
matteoh
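Added example (not code from the answer above or from AWS): a small Python script that generates the two policy documents from steps 8 to 10, one for the identity pool's Unauthenticated role and one for its Authenticated role, with the `execute-api` ARN built per method instead of a single hand-copied value. The region, account id, API id, stage and endpoint list are constructed placeholders. It also includes a minimal evaluator so you can check, offline, which caller type can invoke which method. Note that with `AWS_IAM` authorization the "non-public" endpoints are reachable by anyone who obtains guest credentials from the identity pool, which any installation of the app can do; what you gain over a public endpoint is that calls must be SigV4-signed with pool-issued credentials and that the guest role can be restricted to exactly the methods you list.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders: substitute your own region, account id, API id and stage.
REGION = "eu-west-1"
ACCOUNT_ID = "123456789012"
API_ID = "abcdef1234"
STAGE = "prod"

# Assumed endpoint layout. Guests (the identity pool's Unauthenticated role) get only
# the public subset; signed-in users (the Authenticated role) get both sets.
PUBLIC_METHODS = [("GET", "/items"), ("GET", "/items/*")]
MEMBER_ONLY_METHODS = [("POST", "/items"), ("DELETE", "/items/*"), ("GET", "/profile")]


def method_arn(http_method, resource_path):
    """execute-api ARN for one method, in the form shown in the console's Method Request
    block. A path parameter such as /items/{id} appears as /items/* in the ARN."""
    return f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}/{STAGE}/{http_method}{resource_path}"


def invoke_policy(methods):
    """One Allow statement listing each method ARN explicitly, rather than a trailing /*
    on the whole API, so the role cannot invoke methods added later by accident."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["execute-api:Invoke"],
                "Resource": [method_arn(m, p) for m, p in methods],
            }
        ],
    }


def role_policies():
    """Policy documents to paste into the two roles from steps 8 to 10 of the answer."""
    return {
        "unauthenticated": invoke_policy(PUBLIC_METHODS),
        "authenticated": invoke_policy(PUBLIC_METHODS + MEMBER_ONLY_METHODS),
    }


def is_allowed(policy, http_method, resource_path):
    """Minimal evaluator for the documents generated above: explicit Allow only
    (no Deny handling), with * matching any characters as IAM does for resource ARNs."""
    wanted = method_arn(http_method, resource_path)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "execute-api:Invoke" not in stmt["Action"]:
            continue
        if any(fnmatchcase(wanted, pattern) for pattern in stmt["Resource"]):
            return True
    return False


if __name__ == "__main__":
    for name, doc in role_policies().items():
        print(f"--- {name} role ---")
        print(json.dumps(doc, indent=4))
```

Running the script prints both documents ready to paste into the JSON tab of each role's policy. Keeping the endpoint lists in one place makes it obvious which methods a guest can reach, and the evaluator is a quick way to confirm that a member-only method is absent from the guest policy before saving it.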