Gateway Authorizer

Control and Authorize access to resources at the API Gateway

Context

Functions exposed as API endpoints are public by default: anyone on the internet can invoke them. We need a way to restrict each endpoint to callers that are authenticated and authorized for the specific resource they request.

Solution

Create a Lambda function and attach it as an Authorizer to the API Gateway endpoints. On receiving a request to an endpoint, API Gateway first invokes the associated Authorizer function with the caller's credentials (a bearer token, or selected headers and query parameters). The Authorizer validates them and returns an IAM Policy that allows or denies execute-api:Invoke on the requested resources; API Gateway enforces that policy before the backend function runs. API Gateway caches the returned policy, keyed on the caller's credentials, for a configured time-to-live (TTL) period, so that the Authorizer is not invoked on every request. A Deny policy is cached the same way as an Allow.

Components

  • API Gateway
  • Authorizer Lambda Function

API Gateway

An API Gateway endpoint configured to call an Authorizer function. One Authorizer function can be shared by many endpoints.

Authorizer Lambda Function

An Authorizer function is simply a Lambda that returns an IAM Policy. An Authorizer can implement any logic that can be expressed in a Lambda function, although latency is a constraint: it runs synchronously on the request path for every cache miss, so slow token validation or a remote lookup adds directly to end-to-end latency. It must also fail closed: when the credentials cannot be validated, return a Deny policy (or raise an Unauthorized error, which API Gateway maps to a 401), never an Allow.

Notes

API Gateway can generate an API Key that identifies a calling application and enforces a usage plan (request quotas and throttling). An API Key is a static shared secret sent in the x-api-key header, not an authentication mechanism for end users, and it only provides high-level control over which endpoints a client may call; more granular permissions are often required. Combine API Keys with an Authorizer to authorize at the resource level. For example, the key controls access to the endpoint GET /users/{id} and the Authorizer's policy controls access to the specific user identified by the id.

The default TTL for an authorizer policy is 300 seconds, and the maximum is 3600 seconds (1 hour); a TTL of 0 disables caching. Because the cached policy is reused for every request that presents the same credentials until the TTL expires, the returned policy must cover every method that caller may invoke during that window, not only the method of the current request, otherwise later calls are denied from cache. For the same reason a revoked token keeps working for up to the TTL.
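The Solution, the resource-level note and the TTL caveat above, worked through as an added example that is not the page's own code. It is a Lambda authorizer of type TOKEN written in Python. The token format (an HMAC-signed "subject.expiry.signature" string), the signing key, the sample methodArn and the rule that a caller may only touch /users/{own id} are all hypothetical, chosen so the example runs offline; a real deployment would validate a JWT from the identity provider instead, but the policy shape and the caching considerations are the same.

```python
"""Lambda TOKEN authorizer: validates a bearer token, returns an IAM policy.

Added example, not code from the original page. The token format, the
signing key, the sample events and the authorization rule are constructed.
"""
import hashlib
import hmac
import time

# Hypothetical shared secret; in production read it from Secrets Manager/SSM.
SIGNING_KEY = b"example-signing-key-do-not-use"


def make_token(subject, expires_at, key=SIGNING_KEY):
    """Mint a token 'subject.expiry.hexsig' (constructed format, for tests)."""
    payload = f"{subject}.{expires_at}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token, now=None, key=SIGNING_KEY):
    """Return the subject if the signature is valid and not expired, else None."""
    try:
        subject, expires_at, sig = token.split(".")
        expires_at = int(expires_at)
    except ValueError:
        return None
    payload = f"{subject}.{expires_at}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so a forger cannot probe the signature byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    current = now if now is not None else time.time()
    if current >= expires_at:
        return None
    return subject


def build_policy(principal_id, effect, resources, context=None):
    """The response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": resources,
            }],
        },
        # Values here are exposed to the backend as $context.authorizer.<key>.
        "context": context or {},
    }


def allowed_resources(method_arn, subject):
    """Resource ARNs this caller may invoke (hypothetical rule).

    API Gateway caches the policy per token for the TTL, so it must list every
    method the same token may hit during that window, not only the current
    methodArn. Here the caller gets any method on /users/{own id} and nothing
    else; a request for another user's id is denied from the cached policy
    without invoking this function again.
    """
    # methodArn: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
    api_arn, _, stage_and_path = method_arn.partition("/")
    stage = stage_and_path.split("/")[0]
    return [f"{api_arn}/{stage}/*/users/{subject}"]


def handler(event, _lambda_context=None, now=None):
    """Lambda entry point for an authorizer of type TOKEN."""
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    subject = verify_token(token, now=now)
    if subject is None:
        # Fail closed: API Gateway turns this exact message into a 401.
        raise Exception("Unauthorized")
    return build_policy(
        subject,
        "Allow",
        allowed_resources(event["methodArn"], subject),
        context={"subject": subject},
    )


if __name__ == "__main__":
    # Constructed sample event, as API Gateway would deliver it for GET /users/42.
    now = int(time.time())
    event = {
        "type": "TOKEN",
        "authorizationToken": "Bearer " + make_token("42", now + 600),
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/dev/GET/users/42",
    }
    print(handler(event, now=now)["policyDocument"]["Statement"][0]["Resource"])
```

The policy is scoped to the caller's own /users/{id} path rather than to event["methodArn"]: returning only the current methodArn is the common mistake that makes a second request from the same cached token to a different method fail with 403 until the TTL expires. Expired or tampered tokens raise the Unauthorized error (401) instead of returning a Deny, so nothing is cached for them.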

Cost Profile

Service        Charge
API Gateway    Request
API Gateway    Data Transfer
Lambda         Request
Lambda         Compute Time x Memory
CloudWatch     Log Data Ingestion

Related