API Gateway Archives

Fine-grained access control in API Gateway with Cognito access token and scopes

In this post, we look at how you can implement fine-grained access control using Cognito access tokens and scopes. We will discuss the trade-offs of this approach and the cost implications of enabling Cognito’s Advanced Security Features (required for this approach to work).

Personally, I think this is too costly an approach and doesn’t offer enough upside in return.

Unless you’re using Advanced Security Features already, or your application has a high value per user (e.g. a B2B enterprise application), this approach may be difficult to justify in terms of return on investment.

Is it safe to use ID tokens with Cognito authorizers?

API Gateway, AWS, Cognito, Security

A common narrative is that one should always use access tokens to call your APIs, while ID tokens are strictly for identifying users.

But how much of that actually makes sense when you use Cognito authorizers with your API?

Are ID tokens inherently less secure?

What is the cost of using access tokens instead?

Ultimately, is it safe to use ID tokens, or should you switch to access tokens?

Fine-grained access control in API Gateway with Cognito groups & Lambda authorizer

API Gateway, AWS, Cognito, Security

Authentication and authorization are two distinct things.
API Gateway has built-in integration with Cognito, which handles authentication, but no fine-grained authorization.

There are many ways to implement a fine-grained authorization with API Gateway. In this new post, I will show you one of these ways and give you the pros & cons and when to use it.

This is a cost-efficient approach that leverages Cognito, but without needing its more expensive Advanced Security Features.

Here are four ways you can implement WebSockets using serverless

API Gateway, AppSync, AWS, IoT Core, Momento, Serverless, WebSocket

There are many ways you can implement WebSockets with serverless technologies nowadays.

In this post, let’s explore four options – API Gateway, AppSync, IoT Core and Momento Topics. We will look at how they work, their pricing model and compare them.

When to use API Gateway vs. Lambda Function URLs

API Gateway, AWS, Lambda, Serverless

“Lambdalith” is a monolithic approach to building serverless applications where a single Lambda function serves an entire API, instead of having one function per endpoint. It’s an increasingly popular approach and provides portability between Lambda and containers and lets you use familiar web frameworks.

Tools like the AWS Lambda Web Adapter have made this approach more accessible, and it also works well with Lambda Function URLs.

But don’t be too hasty to get rid of API Gateway just yet!

In this post, let’s look at the pros and cons of API Gateway vs. Lambda Function URLs, and let me explain why I still prefer API Gateway.

How I built an affiliate tracking system in a weekend with serverless

API Gateway, AppSync, AWS, DynamoDB, Lambda, Serverless

Having taught thousands of students to build serverless applications via my online courses and workshops, I felt it was time to kick-start an affiliate program to boost sales. Affiliates would receive 50% of the revenue and get a 15% discount code for their audience. It feels like a good deal but I would need a …

How I built an affiliate tracking system in a weekend with serverless Read More »

How to set up custom domain names for AppSync

API Gateway, AppSync, AWS, CloudFront, Programming, Serverless

I previously wrote about five reasons you should consider AppSync over API Gateway. One thing that API Gateway supports but you can’t do with AppSync out-of-the-box yet is custom domain names. Your shiny new AppSync API is available at XYZ.appsync-api.us-east-1.amazonaws.com/graphql, but you really want people to use your own domain instead because dev.example.com/graphql is much …

How to set up custom domain names for AppSync Read More »

How to choose the right API Gateway auth method

API Gateway, AWS, Programming, Security, Serverless

Update 21/06/2020: following lots of feedback and questions on Twitter, I have updated the post to include a few more options. Quite a few clients have asked me “Hey Yan, what API Gateway auth method should I use for this REST API?” so I thought I’d share my answer with everyone here. This is the …

How to choose the right API Gateway auth method Read More »

Hit the 6MB Lambda payload limit? Here’s what you can do.

API Gateway, AWS, Lambda, Programming, Serverless

AWS Lambda has a 6MB limit that applies both to request and response payloads. This can be problematic if you have an HTTP API that allows users to upload images and files to S3. One day, a customer might complain that he couldn’t upload pictures of his cat to your app. In your Lambda logs, …

Hit the 6MB Lambda payload limit? Here’s what you can do. Read More »

Check-list for going live with API Gateway and Lambda

API Gateway, AWS, Lambda, Programming, Serverless

Disclaimer: this is a long list, you don’t need to tick every box to go-live. Think of them as a ladder, the more critical a system the higher you should try and climb. Observability Enable detailed monitoring to get per-method metrics (e.g. latency for GET /index). Without this, CloudWatch only reports aggregated metrics for all …

Check-list for going live with API Gateway and Lambda Read More »