Reputation: 2820
AWS Gateway custom authorizer necessary when using AWS_IAM authorization in Method Request?
I'm using AWS Gateway as my web API with AWS Lambda as my serverless backend. Lambda functions are only invoked by my Gateway APIs. Through Lambda I call and execute operations on other AWS Services (RDS, SNS, etc.). I want only my clients to get access to my web APIs. To do so I setup all of my Gateway APIs with AWS_IAM authorization. An unauthenticated client have only policies that let him invoke e.g. the function for login/sign up a user. In comparison an authenticated client have policies that enables him to access more recourses.
The question now is: Because I only want my clients to get access to my Gateway APIs and to do it as secure as possible, is it necessary to create a custom authorizer which checks the validity of tokens?
Neither I did setup a cognito user pool, nor I did setup a external public provider (google, Facebook, openId, amazon, etc.). I'm working with custom developer authenticated identities. All users are saved in AWS RDS. When a user tries to login and gets correctly authenticated through his email and password a open id and a jwt token is returned to the client. This is done by invoking 'getOpenIdTokenForDeveloperIdentity'.
I found some recourses on the web where people created a custom authorizer, but they did always verify the validity of the token by a external provider (google, facebook, auth0, etc.). This member did wrote that you only need to have a external provider when you have "[...]some totally different auth logic[...]" https://stackoverflow.com/a/39407156/5181862. And I don't think this is the case here.
The clients that run the application are iOS and later Android devices, if this information is necessary.
Upvotes: 3
Views: 440
Answers (1)
Reputation: 7344
If all the APIs have AWS_IAM authorization, that is already pretty secure. AWS_IAM requires that the client have valid AWS credentials from the same account as the API (your account).
It sounds like you are using Cognito (talking about unauthenticated client policy), in which case your authorization model is secure if implemented correctly.
Upvotes: 2
Related Questions
- AWS API Gateway Authorizer using Cognito Identity Pool
- AWS API Gateway ignores auth policy returned from the Custom Authorizer Lambda Function
- Optional authorization for API Gateway
- AWS API Gateway: API available for authenticated and guest users only
- AWS Cognito and API gateway using Lambda authorizer
- AWS Custom Authorizer with request parameters
- AWS Cognito and API Gateway Authentication
- How to use Custom Authorizer on Api Gateway?
- AWS Custom Authorizer IAM Authentication
- Are custom authorizers necessary/only way to authorize against the AWS API Gateway