AWS Archives

How to invalidate Cognito-issued JWT tokens

API Gateway, AWS, Cognito, Lambda, Serverless

The ability to invalidate a user’s session with immediate effect is a common enterprise requirement.

However, this goes against how token-based authentication is designed to work. JWT tokens are stateless and are typically short-lived (for security reasons) but can be refreshed with refresh tokens.

So, is it possible to invalidate Cognito-issued JWT tokens?

The short answer is no.

The long answer is yes, you can achieve this effect with some work and some performance overhead.

How? Well, come in and find out!

Biggest re:Invent 2024 serverless announcements

AWS, Serverless

So that’s it for this year’s re:Invent. Werner delivered his usual insightful keynote and shared some key lessons in dealing with complexity and warning signs to look out for. As Werner said, the number of moving parts is not a good measure of complexity on its own. And that’s something so many people get wrong …

Biggest re:Invent 2024 serverless announcements Read More »

Biggest pre:Invent 2024 serverless announcements

AWS, CloudFormation, Cognito, DynamoDB, Lambda, Serverless, Step Functions

DynamoDB cuts on-demand price by 50% Announcement DynamoDB has reduced on-demand pricing by 50% and global tables by up to 67%. Amazing! Lambda SnapStart is now available for Python and .Net Announcement Previously, SnapStart was only available for Java. It makes sense to add support for .Net. But why Python and not Node.js? I guess …

Biggest pre:Invent 2024 serverless announcements Read More »

Here is one of the most misunderstood aspects of AWS Lambda

AWS, Lambda, Serverless

One of the most misunderstood aspects of Lambda is how throttling applies to async invocations. Or rather, how it doesn’t!

The TL;DR is that you will never experience throttling when you invoke a function asynchronously.

It also means that despite SNS and EventBridge having longer retry periods than Lambda’s internal queue, these have no practical impact in the case of Lambda throttling.

Read the full post to understand why.

When to use Light Events vs. Rich Events in Event-Driven Architectures

AWS, Event-Driven Architecture, EventBridge

One under-appreciated aspect of designing an Event-Driven Architecture (EDA) is how much information you should include in your events.

Do you send light events or rich events?

Or perhaps you would send both, but in different circumstances?

In this post, let’s talk about the pros & cons of each and how they fit into my mental model of DDD and EDA.

EventBridge best practice: why you should wrap events in event envelopes

AWS, Event-Driven Architecture, EventBridge

This article is about best practices for building event-driven architectures on AWS, with a focus on wrapping events in custom envelopes when using EventBridge.

While EventBridge provides metadata by default, a custom envelope allows for a standardized, consistent structure across all of your events, making it easier to manage and evolve the system over time.

By providing your own metadata, you can gain better interoperability between different services, end-to-end observability, idempotency control and versioning.

Should “serverless” just mean “function-as-a-service”?

AWS, Serverless

Gregor Hohpe said something that has me mulling over for some time now. Essentially, he asked, “Should we narrow the definition of serverless to mean just function-as-a-service (FaaS)?” “Serviceful” For context, I’m firmly in the “serverless means serviceful” camp: a) Serverless is a mindset: To leverage managed services to deal with undifferentiated heavy lifting so …

Should “serverless” just mean “function-as-a-service”? Read More »

Fine-grained access control in API Gateway with Cognito access token and scopes

API Gateway, AWS, Cognito, Security

In this post, we look at how you can implement fine-grained access control using Cognito access tokens and scopes. We will discuss the trade-offs of this approach and the cost implications of enabling Cognito’s Advanced Security Features (required for this approach to work).

Personally, I think this is too costly an approach and doesn’t offer enough upside in return.

Unless you’re using Advanced Security Features already, or your application has a high value per user (e.g. a B2B enterprise application), this approach may be difficult to justify in terms of return on investment.

Is it safe to use ID tokens with Cognito authorizers?

API Gateway, AWS, Cognito, Security

A common narrative is that one should always use access tokens to call your APIs, while ID tokens are strictly for identifying users.

But how much of that actually makes sense when you use Cognito authorizers with your API?

Are ID tokens inherently less secure?

What is the cost of using access tokens instead?

Ultimately, is it safe to use ID tokens, or should you switch to access tokens?

Fine-grained access control in API Gateway with Cognito groups & Lambda authorizer

API Gateway, AWS, Cognito, Security

Authentication and authorization are two distinct things.
API Gateway has built-in integration with Cognito, which handles authentication, but no fine-grained authorization.

There are many ways to implement a fine-grained authorization with API Gateway. In this new post, I will show you one of these ways and give you the pros & cons and when to use it.

This is a cost-efficient approach that leverages Cognito, but without needing its more expensive Advanced Security Features.