Serverless 2 Flashcards
What are the 3 types of security for the API Gateway?
IAM, Lambda Authorizer (Custom Authorizer), Cognito User Pools
Describe how IAM works for an API Gateway.
How are credentials passed when using IAM security on an API gateway?
You can provide users/services with access to your API Gateway via IAM permissions/roles.
The credentials are passed in the SigV4 header.
Describe how a Lambda authorizer can be used to secure an API Gateway.
When is this type of authentication useful?
A Lambda authorizer allows clients to pass an API token in the header. When the request reaches the API Gateway, the API Gateway calls the Lambda authorizer to validate the token. If the token is valid, the Lambda authorizer returns an IAM policy.
It is useful when using something like OAuth, SAML or a 3rd-party type of authentication. It also provides an option to cache the result of the authorization.
What are Cognito User Pools?
What is the authentication flow for Cognito?
Cognito provides full life cycle management of users. It also provides authentication (but not authorization). It can be backed by Facebook login, Google login, etc.
In a Cognito flow, the user first authenticates with Cognito, then makes a request to the API Gateway with a token in the header. The API Gateway then validates the token by calling Cognito before passing the request along to the origin service.
When would you use IAM to secure your API Gateway?
When would you use a Lambda authorizer?
When would you use Cognito user pools?
When your users/clients are in your AWS account and already have user permissions or application roles defined.
When you want to utilize existing authentication like OAuth, SAML or a 3rd-party provider, or when caching authentication is important.
When you want to manage your own user pool backed by Facebook login, Google, etc., and when you don't want to write any custom code for authentication (but not authorization). This is a good choice for app users.
What is Cognito Federated Identity?
It allows you to log in at some third party (including identity pools) and receive a token, then send that token to Cognito Federated Identity (CFI). CFI then calls the identity provider to validate this token, and then requests a temporary token from the AWS Security Token Service. This token can then be used to access the API Gateway. The token has a predefined set of permissions.
What is Cognito Sync and what is its use case?
What do you need for Cognito Sync?
Cognito Sync is used for syncing app profile data between multiple user devices. The data can be changed while a device is offline, and it will sync with the other devices when it's back online.
You need Cognito Federated Identity.
What is SAM?
A framework to manage your serverless applications that allows you to dynamically deploy your DB tables, API Gateway and Cognito user pools.