API Gateway Archives

The pros and cons of Lambdalith

“Lambdalith” refers to deploying monolithic applications using AWS Lambda. This is typically associated with (but not limited to) building serverless APIs.

With a Lambdalith, a single Lambda function handles all the routes in an API. You can use Lambda Function URLs [1] or put the function behind a greedy path in API Gateway.

This contrasts with the “function per endpoint” approach, where a different Lambda function handles each API route.

Lambdaliths has been the source of intense debate in the serverless community. While I generally prefer the “function per endpoint” approach, I have adopted Lambdaliths where it makes sense.

In this post, let’s discuss the pros and cons of Lambdaliths and the nuances that are often overlooked.

How to invalidate Cognito-issued JWT tokens

API Gateway, AWS, Cognito, Lambda, Serverless

The ability to invalidate a user’s session with immediate effect is a common enterprise requirement.

However, this goes against how token-based authentication is designed to work. JWT tokens are stateless and are typically short-lived (for security reasons) but can be refreshed with refresh tokens.

So, is it possible to invalidate Cognito-issued JWT tokens?

The short answer is no.

The long answer is yes, you can achieve this effect with some work and some performance overhead.

How? Well, come in and find out!

Fine-grained access control in API Gateway with Cognito access token and scopes

API Gateway, AWS, Cognito, Security

In this post, we look at how you can implement fine-grained access control using Cognito access tokens and scopes. We will discuss the trade-offs of this approach and the cost implications of enabling Cognito’s Advanced Security Features (required for this approach to work).

Personally, I think this is too costly an approach and doesn’t offer enough upside in return.

Unless you’re using Advanced Security Features already, or your application has a high value per user (e.g. a B2B enterprise application), this approach may be difficult to justify in terms of return on investment.

Is it safe to use ID tokens with Cognito authorizers?

API Gateway, AWS, Cognito, Security

A common narrative is that one should always use access tokens to call your APIs, while ID tokens are strictly for identifying users.

But how much of that actually makes sense when you use Cognito authorizers with your API?

Are ID tokens inherently less secure?

What is the cost of using access tokens instead?

Ultimately, is it safe to use ID tokens, or should you switch to access tokens?

Fine-grained access control in API Gateway with Cognito groups & Lambda authorizer

API Gateway, AWS, Cognito, Security

Authentication and authorization are two distinct things.
API Gateway has built-in integration with Cognito, which handles authentication, but no fine-grained authorization.

There are many ways to implement a fine-grained authorization with API Gateway. In this new post, I will show you one of these ways and give you the pros & cons and when to use it.

This is a cost-efficient approach that leverages Cognito, but without needing its more expensive Advanced Security Features.

How to implement WebSockets using serverless

API Gateway, AppSync, AWS, IoT Core, Momento, Serverless, WebSocket

There are many ways you can implement WebSockets with serverless technologies nowadays.

In this post, let’s explore five options – API Gateway, AppSync, AppSync Events, IoT Core and Momento Topics. We will look at how they work, their pricing model and compare them.

When to use API Gateway vs. Lambda Function URLs

API Gateway, AWS, Lambda, Serverless

“Lambdalith” is a monolithic approach to building serverless applications where a single Lambda function serves an entire API, instead of having one function per endpoint. It’s an increasingly popular approach and provides portability between Lambda and containers and lets you use familiar web frameworks.

Tools like the AWS Lambda Web Adapter have made this approach more accessible, and it also works well with Lambda Function URLs.

But don’t be too hasty to get rid of API Gateway just yet!

In this post, let’s look at the pros and cons of API Gateway vs. Lambda Function URLs, and let me explain why I still prefer API Gateway.

How I built an affiliate tracking system in a weekend with serverless

API Gateway, AppSync, AWS, DynamoDB, Lambda, Serverless

Having taught thousands of students to build serverless applications via my online courses and workshops, I felt it was time to kick-start an affiliate program to boost sales. Affiliates would receive 50% of the revenue and get a 15% discount code for their audience. It feels like a good deal but I would need a …

How I built an affiliate tracking system in a weekend with serverless Read More »

How to set up custom domain names for AppSync

API Gateway, AppSync, AWS, CloudFront, Programming, Serverless

I previously wrote about five reasons you should consider AppSync over API Gateway. One thing that API Gateway supports but you can’t do with AppSync out-of-the-box yet is custom domain names. Your shiny new AppSync API is available at XYZ.appsync-api.us-east-1.amazonaws.com/graphql, but you really want people to use your own domain instead because dev.example.com/graphql is much …

How to set up custom domain names for AppSync Read More »

How to choose the right API Gateway auth method

API Gateway, AWS, Programming, Security, Serverless

Update 21/06/2020: following lots of feedback and questions on Twitter, I have updated the post to include a few more options. Quite a few clients have asked me “Hey Yan, what API Gateway auth method should I use for this REST API?” so I thought I’d share my answer with everyone here. This is the …

How to choose the right API Gateway auth method Read More »