Reputation: 4141
I am relatively new to AWS but read through tons of documentation and couldn't find what I need.
I am trying to implement authentication where users pay for a subscription and, based on whether they have paid, they get access to S3 buckets and items.
I tried using API Gateway with a Cognito authorizer but I have no idea how to add the check if a user has paid (for example by looking it up in DynamoDB). Is there any way to add custom authorization logic to a Cognito authorizer? If not, is it possible to still use a Cognito User Pool with a custom authorizer? And most importantly, how would you implement the whole thing?
I am open to suggestions.
Upvotes: 2
Views: 961
Reputation: 4141
I found what I was looking for.
I added a custom user attribute `subscribed`. Then, created a lambda function which I used as a custom authorizer, using the blueprint for custom authorizer for Amazon Cognito User Pools. I modified the code so that I also extract the custom attribute `subscribed` (which is prefixed by `custom:`, so it becomes `custom:subscribed`) and check if it is set to true. I uploaded the blueprint to the lambda function and set it as an authorizer to the endpoints and methods I needed.
For updating the flag I used `CognitoIdentityServiceProvider.adminUpdateUserAttributes`, which I call in a custom location in lambda after the user successfully pays (or remove subscription with cron jobs to check if it is valid).
Articles:
https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
https://aws.amazon.com/blogs/compute/author/
Upvotes: 5
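A sketch of the authorizer check described in the answer above, added here as an illustration; it is not the blueprint's code or the answerer's code. The function names `verifyIdToken`, `buildPolicy` and `authorize` are hypothetical, and the signing key is passed in as a parameter (a deployed authorizer would pick it from the user pool's JWKS) so the example runs offline.

```javascript
// Added example: TOKEN authorizer logic gating on the "custom:subscribed" claim.
const crypto = require('node:crypto');

const decodePart = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Verify an RS256 Cognito ID token and return its claims, or throw.
// publicKey: PEM or KeyObject of the signing key (assumption: supplied by the
// caller; in production it is selected from the pool's JWKS by the header "kid").
function verifyIdToken(token, publicKey, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  if (decodePart(h).alg !== 'RS256') throw new Error('unexpected alg');
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(sig, 'base64url'));
  if (!valid) throw new Error('bad signature');
  const claims = decodePart(p);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (claims.aud !== audience) throw new Error('wrong audience');
  if (claims.token_use !== 'id') throw new Error('not an ID token');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// IAM policy document in the shape API Gateway expects from an authorizer.
function buildPolicy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
  };
}

// event: { authorizationToken, methodArn } as sent to a TOKEN authorizer.
function authorize(event, publicKey, opts) {
  const token = String(event.authorizationToken || '').replace(/^Bearer\s+/i, '');
  let claims;
  try {
    claims = verifyIdToken(token, publicKey, opts);
  } catch {
    throw new Error('Unauthorized'); // API Gateway turns this into a 401
  }
  // Cognito delivers custom attributes as strings, so compare with 'true'.
  const effect = claims['custom:subscribed'] === 'true' ? 'Allow' : 'Deny';
  return buildPolicy(claims.sub, effect, event.methodArn);
}
```

Custom attributes appear in the ID token, not the access token, so the client has to send the ID token for this check to work. The claim reflects the attribute's value when the token was issued, so a flag cleared with `adminUpdateUserAttributes` only takes effect once the user's current ID token expires or is refreshed.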