2.1.7 Application-Level Authorization

API Gateway Authorization Methods

Comparison

Method               Use Case                          Token Type      Caching
IAM Authorizer       AWS services, internal APIs       SigV4           N/A
Lambda Authorizer    Custom logic, third-party tokens  Custom/Bearer   ✅ (TTL)
Cognito Authorizer   User authentication               JWT

IAM Authorizer

Client → Sign request with SigV4 → API Gateway → Verify IAM permissions
  • Used for service-to-service communication
  • Cross-account: resource policy + IAM policy

Lambda Authorizer

Client → API Gateway → Lambda Authorizer → Generate IAM Policy → Allow/Deny

Token-based (TOKEN type)

def is_valid(token):
    # Placeholder: validate the token with the third-party IdP
    # (signature, issuer, expiry). The IdP call is not shown on this page.
    raise NotImplementedError("validate the token against your IdP")

def handler(event, context):
    token = event['authorizationToken']  # Bearer token (TOKEN-type authorizer input)
    # Validate token with third-party IdP
    if is_valid(token):
        return generate_policy('user', 'Allow', event['methodArn'])
    return generate_policy('user', 'Deny', event['methodArn'])

def generate_policy(principal_id, effect, resource):
    return {
        'principalId': principal_id,
        'policyDocument': {
            'Version': '2012-10-17',
            'Statement': [{
                'Action': 'execute-api:Invoke',
                'Effect': effect,
                'Resource': resource
            }]
        },
        'context': {
            # Illustrative values; in practice derive these from the validated token
            'userId': '123',
            'role': 'admin'
        }
    }
  • Caching: TTL 0-3600s (default 300s)
  • Context values available in $context.authorizer.key
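As an added example (not part of the original notes), a complete TOKEN-type Lambda authorizer that checks a third-party JWT's signature, issuer and expiry, derives the context values from the claims, and scopes the Allow policy to the whole stage so that caching does not break other routes. The shared HS256 secret, issuer URL and `mint_token` helper are constructed stand-ins for a real IdP, which would normally publish RSA keys (JWKS).

```python
import base64, hashlib, hmac, json, time
# Constructed shared secret and issuer for this example. A real third-party
# IdP normally publishes RSA keys (JWKS) and you would verify RS256 instead.
SECRET = b"example-shared-secret"
ISSUER = "https://idp.example.com"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims, ttl=60):
    """Constructed HS256 JWT so the example runs offline (stands in for the IdP)."""
    payload = {**claims, "iss": ISSUER, "exp": time.time() + ttl}
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_token(token):
    """Return the claims if signature, issuer and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return None
    if (not isinstance(claims, dict) or "sub" not in claims
            or claims.get("iss") != ISSUER or claims.get("exp", 0) <= time.time()):
        return None
    return claims

def generate_policy(principal_id, effect, resource, context=None):
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}]},
            # Context values must be scalars; API Gateway rejects nested objects here.
            "context": context or {}}

def handler(event, context):
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    claims = verify_token(token) if scheme == "Bearer" else None
    if claims is None:
        return generate_policy("anonymous", "Deny", event["methodArn"])
    # With caching on, the returned policy is reused for every route called with
    # the same token, so scope it to the whole stage instead of one methodArn.
    api_stage = "/".join(event["methodArn"].split("/")[:2])
    return generate_policy(claims["sub"], "Allow", api_stage + "/*/*",
                           {"userId": claims["sub"], "role": claims.get("role", "user")})
```

The `userId` and `role` values returned in `context` are what the backend later reads as `$context.authorizer.userId` and `$context.authorizer.role`.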

Cognito Authorizer

Client → Get JWT from Cognito → API Gateway → Cognito Authorizer → Validate JWT
  • Simplest option when using Cognito User Pools
  • Automatically validates the JWT signature, expiration and issuer
  • Claims available in $context.authorizer.claims

Exam Tip: IAM = SigV4, service-to-service. Lambda Authorizer = custom/third-party tokens. Cognito Authorizer = simplest for Cognito users. Lambda Authorizer has caching → reduces latency.