SEC 1: How do you control access to your Serverless API?
Use authentication and authorization mechanisms to prevent unauthorized access, and enforce quotas for public resources.
Resources
Controlling and Managing Access to a REST API in Amazon API Gateway
Controlling access to GraphQL APIs in AWS AppSync
Best Practices:
- Use appropriate endpoint type and mechanisms to secure access to your API: API Gateway can have public and private endpoints, and the mechanisms available to secure access to each differ. Consider public endpoints to serve consumers outside your network perimeter. Consider private endpoints to serve consumers inside your network perimeter where you do not want to expose the API publicly.
- Scope access based on identity’s metadata: Authenticated users should be segregated into logical groups, roles or tiers, or based on custom authentication token attributes (for example, SAML/JWT claims). Consider using users’ identity metadata to enable fine-grained access control over resources and actions.
- Use authentication and authorization mechanisms: Integrate with an Identity Provider that can validate your API consumers’ identity (for example, SAML, JWT) and only authorize access to successfully authenticated consumers, rather than relying on API keys. This helps prevent unauthorized access to your workload from unauthenticated users.
Improvement Plan
Use appropriate endpoint type and mechanisms to secure access to your API
- For providing public content, use Amazon API Gateway or AWS AppSync public endpoints.
- For providing content with restricted access, use Amazon API Gateway with authorization to specific resources, methods, and actions you want to restrict. With AWS AppSync, restrict access to specific data types, data fields, queries, mutations, or subscriptions.
- For providing restricted content to a specific Amazon Virtual Private Cloud (VPC), VPC Endpoint, a data center, or a specific AWS Account, use Amazon API Gateway private endpoints.
- With Amazon API Gateway public and private endpoints, you can enable authorization using Amazon Cognito User Pools, Lambda authorizer, AWS IAM and Resource Policies. Use Resource Policies for restricting API consumers to a specific Amazon Virtual Private Cloud (VPC), VPC endpoint, source IP address/range, AWS Account or AWS IAM users.
- With AWS AppSync public endpoints, you can enable authorization with Amazon Cognito User Pools, OpenID Connect compliant providers and AWS IAM.
- For public content and unauthenticated access, both Amazon API Gateway and AWS AppSync provide API keys that can be used to track usage. Rate-based rules can be applied using AWS WAF (Web Application Firewall) to prevent public API consumers from exceeding a configurable threshold of requests.
Using API Key for unauthenticated access with AWS AppSync
Using API Key for unauthenticated access with Amazon API Gateway
Using AWS WAF with Amazon API Gateway
Setting up API Keys with Amazon API Gateway
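The resource-policy bullets above describe restricting a private endpoint to one VPC endpoint and a public endpoint to a source IP range. The following is an added example, not code from the Serverless Lens or from AWS: it builds both policy documents with placeholder ARN, VPC endpoint id and IP range, and includes a deliberately simplified evaluator (explicit Deny over Allow, default deny, and only the four condition operators used here) so the two documents can be sanity-checked offline before deployment. It is not the IAM policy engine.

```python
import ipaddress

# Constructed API Gateway resource policies. The ARN, VPC endpoint id and IP
# range are placeholders, not values from any real account.
API_ARN = "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/*"

# Private endpoint: allow invoke, then deny anything not arriving via one VPC endpoint.
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": API_ARN},
    {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": API_ARN,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

# Public endpoint: allow invoke only from a corporate range (RFC 5737 test network).
PUBLIC_IP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": API_ARN,
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}

def _condition_holds(condition, ctx):
    """Simplified evaluation of the operators used above (not the IAM engine)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)   # missing key: negated operators hold, others fail
            if operator in ("StringEquals", "StringNotEquals"):
                matched = actual in values
            elif operator in ("IpAddress", "NotIpAddress"):
                matched = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
            else:
                raise ValueError(f"unsupported operator {operator}")
            negated = operator.startswith(("StringNot", "NotIp"))
            if matched == negated:
                return False
    return True

def is_invoke_allowed(policy, ctx):
    """Default deny; a matching Deny statement wins over any matching Allow."""
    allowed = False
    for statement in policy["Statement"]:
        if statement["Action"] != "execute-api:Invoke":
            continue
        if not _condition_holds(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The request context (`aws:SourceVpce`, `aws:SourceIp`) is what API Gateway supplies at evaluation time; here it is passed in as a plain dict.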
Scope access based on identity’s metadata
- With JSON Web Tokens (JWT) or SAML, ensure you have the right level of information available within token claims to help you develop authorization logic. Use private claims along with a unique namespace for non-public information that can be shared with your application client.
- With Amazon Cognito, you can use custom attributes or the Pre Token Generation Lambda trigger to enrich JWT tokens.
Amazon Partner: Understanding JWT Public, Private and Reserved Claims
Customizing identity token claims with Amazon Cognito Lambda Triggers
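An added example (not code from the Serverless Lens or from AWS) of the Pre Token Generation trigger described above: it maps a custom user attribute into a namespaced private claim, passing the value through an allowlist first because whether a user can write a custom attribute depends on the app client's attribute permissions. The claim namespace, attribute name and tier values are hypothetical.

```python
# Hypothetical claim namespace and allowlist; not values from any real deployment.
CLAIM_NS = "https://api.example.invalid/claims/"
KNOWN_TIERS = {"free", "premium"}

def pre_token_generation_handler(event, context=None):
    """Cognito Pre Token Generation trigger (V1 event shape).

    Copies the vetted custom attribute into a namespaced private claim and drops
    the raw attribute from the issued ID token. Cognito reads the mutated event back.
    """
    attrs = event["request"]["userAttributes"]
    tier = attrs.get("custom:tier", "free")
    if tier not in KNOWN_TIERS:            # never let an unexpected value reach the API
        tier = "free"
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": {CLAIM_NS + "tier": tier},
        "claimsToSuppress": ["custom:tier"],
    }
    return event

def build_sample_event(tier):
    """Constructed trigger event with only the fields the handler touches."""
    return {"request": {"userAttributes": {"sub": "constructed-sub", "custom:tier": tier}},
            "response": {"claimsOverrideDetails": None}}
```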
- For authorizing based on custom scopes, use Amazon Cognito to define a resource server with custom scopes. You can also provide differentiated access based on the custom scopes for different application clients.
- For authorizing based on token claims, use Amazon API Gateway Lambda Authorizers. With AWS AppSync, use GraphQL resolvers.
- For AWS AppSync Resolvers, AWS Amplify can auto-generate authorization logic via GraphQL Transformers (directives). With GraphQL Transformers, you can generate fine-grained authorization logic by annotating, in your GraphQL schema, the specific data types, data fields and GraphQL operations you want to allow access to, including by JWT groups or custom claims.
Authorizing access based on custom scopes with Amazon API Gateway and Amazon Cognito
AWS Lambda Authorizer with Amazon API Gateway
Community Hero: The Complete Guide to Custom Authorizers with AWS Lambda and Amazon API Gateway
Authorization use cases with AWS AppSync
Autogenerating fine-grained authorization logic with AWS Amplify and AWS AppSync
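The bullets above on private claims with a unique namespace and on authorizing from token claims with a Lambda authorizer, worked through as an added example (not code from the Serverless Lens, AWS, or any library). To stay self-contained it uses HS256 with a constructed shared secret; Cognito-issued tokens are RS256 and must be verified against the user pool's JWKS instead. The issuer, claim namespace, group name, tier values and route layout are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Assumptions for a self-contained demo: HS256 with a constructed shared secret
# (Cognito tokens are RS256, verified against the user pool JWKS), hypothetical URLs.
DEMO_SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example.invalid/demo"
CLAIM_NS = "https://api.example.invalid/claims/"  # private-claim namespace

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, tier, groups, ttl=300):
    """Mint a demo token carrying a group list and a namespaced private claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": sub, "iss": ISSUER, "exp": int(time.time()) + ttl,
                               "cognito:groups": groups, CLAIM_NS + "tier": tier}).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token):
    """Return the claims only if alg, signature, issuer and expiry all check out."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None                       # rejects alg=none and algorithm confusion
        expected = hmac.new(DEMO_SECRET, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, AttributeError):      # malformed segments, base64 or JSON
        return None
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= time.time():
        return None
    return claims

def authorizer_handler(event, context=None):
    """TOKEN-type Lambda authorizer: claims decide which routes the policy allows."""
    token = event.get("authorizationToken", "")
    claims = verify_token(token[7:] if token.startswith("Bearer ") else token)
    if claims is None:
        raise Exception("Unauthorized")       # API Gateway turns this into a 401
    api_arn = event["methodArn"].split("/", 1)[0]   # drop stage/verb/path
    resources = [f"{api_arn}/*/GET/public/*"]       # every authenticated caller
    if "admins" in claims.get("cognito:groups", []):
        resources.append(f"{api_arn}/*/*/admin/*")
    if claims.get(CLAIM_NS + "tier") == "premium":
        resources.append(f"{api_arn}/*/GET/reports/*")
    return {"principalId": claims["sub"],
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": resources}]},
            "context": {"tier": claims.get(CLAIM_NS + "tier", "free")}}
```

The returned `context` map is what API Gateway passes on to the integration, so the backend can read the vetted tier without re-parsing the token.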
Use authentication and authorization mechanisms
- For authorizing access to internal API consumers or other AWS managed services like AWS Lambda, you can use AWS IAM built-in authorization.
- For web applications, JSON Web Tokens are generally accepted for authenticating consumers, and you can use either Amazon Cognito, OpenID Connect (OIDC) or Lambda Authorizers.
- For custom authorization needs, you can use Amazon API Gateway Lambda authorizers where you require a higher degree of customization.
Community Hero: Picking the correct authorization mechanism in Amazon API Gateway.
- Within Amazon API Gateway, you can enable native authorization for users authenticated through Amazon Cognito or AWS IAM. For authorizing users authenticated by other Identity Providers, use the Lambda Authorizers feature.
- Within AWS AppSync, you can enable native authorization for users authenticated through Amazon Cognito, AWS IAM or any external Identity Provider compliant with OpenID Connect (OIDC).
Using Amazon Cognito with Amazon API Gateway
Using AWS IAM with Amazon API Gateway
Using custom AWS Lambda function authorizers
Decoding and verifying the signature of a JSON Web Token issued by Amazon Cognito
Community Hero: Authorization with custom authorizers, Amazon Cognito, or AWS IAM
Community Hero: The Complete Guide to Custom Authorizers with AWS Lambda and Amazon API Gateway