Securing your application and managing users is seldom high on the priority list for companies behind new and exciting applications. But, customers have grown to expect a seamless registration and login experience and not providing this can cause user friction and drop off. Now, a new tool from Amazon, called API Gateway, is removing the burden of coding support for this functionality yourself.
While this service offers multiple features, this article from AWS Activate on Medium focuses on the creation of robust and flexible security control for interfaces hosted on API Gateway. The two fundamental security concerns are authentication and authorization, which can both me handled by the AWS Identity and Access Management (IAM) service.
This feature allows users to exchange username and password entries for a set of IAM credentials. These IAM credentials are used to authenticate individual API requests before using the IAM policies associated with those credentials to grant the predefined authorization.
The article then covers authentication in more detail, with information on using Amazon Cognito, SAML, and other third party solutions for exchanging a user’s externally-authenticated ID for a set of IAM credentials. The author then explains method-level authorization for defining what operations a user is allowed to perform. Some code is provided, but this article acts more as a detailed explanation than a hands-on guide.