level 100

Gateway Authorizer

Control and Authorize access to resources at the API Gateway

Context

Functions exposed as API endpoints are public by default: anyone on the internet who knows the URL can invoke them. A mechanism is needed to restrict each endpoint to callers that are authenticated and authorized for the resource they are requesting.

Solution

Create a Lambda function and attach it as an Authorizer to the API Gateway endpoints. On receiving a request to an endpoint, API Gateway first invokes the associated Authorizer function, passing the caller's credential (for example the Authorization header) and the ARN of the method being called. The Authorizer validates the credential and returns an IAM policy that allows or denies execute-api:Invoke on the resources the caller may use; API Gateway evaluates the request against that policy and rejects it if no Allow matches. API Gateway caches the policy, keyed on the credential value, for a configured time-to-live (TTL) period, so that the Authorizer is not invoked on every request. Two consequences of that cache matter for security: the cached policy is reused for the same caller's subsequent requests to other methods, so it should cover every resource that caller is permitted to reach rather than only the method that triggered the invocation; and a revoked credential keeps its cached policy until the TTL expires.

Components

  • API Gateway
  • Authorizer Lambda Function

API Gateway
An API Gateway endpoint configured to call an Authorizer function. One Authorizer function can be associated with many endpoints.

Authorizer Lambda Function
An Authorizer function is a Lambda that returns a principal identifier and an IAM policy document, optionally with context values that API Gateway forwards to the backend integration. An Authorizer can implement any logic capable of expression in a Lambda function, although its execution time is added to every request that misses the policy cache, so slow checks (remote lookups, heavy cryptography) should be kept to a minimum.

Notes

API Gateway can generate an API Key that identifies a caller and ties it to a usage plan for throttling and quota limits. An API Key is an identifier for metering, not an authentication credential: it offers only coarse, endpoint-level control, and more granular permissions are often required. Combine API Keys with an Authorizer to authorize at the resource level. For example, the key controls access to the endpoint GET /users/{id} and the Authorizer controls access to the specific user identified by the id, so a caller cannot read another user's record by changing the path.

The default TTL for a cached Authorizer policy is 300 seconds, and the maximum is 3600 seconds (1 hour). Setting the TTL to 0 disables caching, at the cost of invoking the Authorizer on every request; a short TTL bounds how long a revoked credential can keep using its cached policy.
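The following is an added worked example, written for this page and not code from the page or from any AWS sample, of the Solution above and of the resource-level check from the Notes: a TOKEN-type Lambda Authorizer in Python. It assumes a toy HMAC-signed bearer token minted with a hypothetical SECRET (standing in for an identity provider's JWT), and a hypothetical API with GET/PUT /users/{id} and GET /users/{id}/orders. The helper names parse_method_arn, build_policy and is_allowed are chosen here; is_allowed only imitates API Gateway's evaluation of the returned policy so the caching behaviour can be exercised offline.

```python
"""TOKEN-type Lambda Authorizer example (added for illustration; token format,
SECRET and the /users routes are assumptions, not part of the pattern)."""
import base64
import fnmatch
import hashlib
import hmac
import json
import time

SECRET = b"example-authorizer-secret"  # hypothetical; load from Secrets Manager in practice


def _sign(payload, secret):
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def mint_token(user_id, secret=SECRET, ttl=3600, now=None):
    """Issue a toy token 'base64(claims).signature'; stands in for an IdP-issued JWT."""
    now = int(time.time()) if now is None else now
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user_id, "exp": now + ttl}).encode()).decode()
    return f"{payload}.{_sign(payload, secret)}"


def verify_token(token, secret=SECRET, now=None):
    """Return the claims if the token is well-formed, correctly signed and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".", 1)
        # constant-time compare: a plain == would leak how many signature bytes matched
        if not hmac.compare_digest(sig, _sign(payload, secret)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or "sub" not in claims or claims.get("exp", 0) <= now:
        return None
    return claims


def parse_method_arn(method_arn):
    """Split 'arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/VERB/PATH' into
    (api_arn, stage, verb, path). PATH carries the concrete values, e.g. users/123."""
    api_arn, _, rest = method_arn.partition("/")
    stage, verb, path = (rest.split("/", 2) + ["", ""])[:3]
    return api_arn, stage, verb, path


def build_policy(principal_id, api_arn, stage, allowed, context=None):
    """Authorizer response: principalId plus an IAM policy allowing only the listed
    (verb, path) pairs on this API/stage. Anything unlisted is implicitly denied; no
    wildcard Deny is added because an explicit Deny would override the Allows."""
    resources = [f"{api_arn}/{stage}/{verb}/{path}" for verb, path in allowed]
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": resources}],
        },
        # Forwarded to the integration as $context.authorizer.<key>; values must be scalars.
        "context": context or {},
    }


def handler(event, context=None, now=None):
    """Lambda entry point for a TOKEN authorizer: event carries 'authorizationToken'
    (the Authorization header value) and 'methodArn'."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    claims = verify_token(token, now=now) if scheme.lower() == "bearer" else None
    if claims is None:
        raise Exception("Unauthorized")  # API Gateway maps exactly this message to HTTP 401
    api_arn, stage, _verb, _path = parse_method_arn(event["methodArn"])
    user = str(claims["sub"])
    # The policy is cached by token value for the authorizer TTL and reused for this
    # caller's next requests to other methods, so it must cover every resource the user
    # may reach, not only the method named in this invocation's methodArn.
    allowed = [("GET", f"users/{user}"), ("PUT", f"users/{user}"), ("GET", f"users/{user}/orders")]
    return build_policy(user, api_arn, stage, allowed, {"userId": user})


def is_allowed(policy, method_arn):
    """Imitate API Gateway's evaluation of a (cached) policy for one method ARN:
    an explicit Deny wins, then any matching Allow permits the call, else 403."""
    decision = False
    for stmt in policy["policyDocument"]["Statement"]:
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(method_arn, r) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the demo is reproducible
    ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod"  # constructed sample
    tok = mint_token("123", now=NOW)
    policy = handler({"type": "TOKEN", "authorizationToken": "Bearer " + tok,
                      "methodArn": ARN + "/GET/users/123"}, now=NOW)
    print(json.dumps(policy, indent=2))
    print(is_allowed(policy, ARN + "/GET/users/123"))  # own record: allowed
    print(is_allowed(policy, ARN + "/GET/users/456"))  # another user's record: denied
```

Because the policy enumerates everything user 123 may call, the same cached policy correctly serves a later GET /users/123/orders from that token, while a request for /users/456 (or DELETE on the user's own record) falls outside every Allow and is rejected with 403. Had the handler returned only the single methodArn it was invoked for, the cached policy would have wrongly rejected /users/123/orders for the rest of the TTL.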

Cost Profile

Service        Charge
API Gateway    Request
API Gateway    Data Transfer
Lambda         Request
Lambda         Compute Time x Memory
CloudWatch     Log Data Ingestion

Related Patterns