Authorization: IAM, Lambda Authorizers, and Cognito
Secure API endpoints with IAM SigV4 signatures, custom Lambda authorizers, or Amazon Cognito User Pool authorizers.
Why API Authorization Matters
Without authorisation controls, any internet client could call your API Gateway endpoints and access or modify data. API Gateway provides three native authorisation mechanisms: IAM (SigV4), Lambda Authorisers, and Amazon Cognito User Pool Authorisers. Each mechanism serves different use cases: IAM for AWS service-to-service calls, Lambda authorisers for custom token or request-based auth, and Cognito for web/mobile user authentication.
IAM Authorization with SigV4
IAM authorisation requires callers to sign requests using AWS Signature Version 4 (SigV4). The caller must have AWS credentials (an access key ID and secret access key, or temporary credentials from STS), and the caller's IAM policy must allow execute-api:Invoke on the API's ARN. This is ideal for machine-to-machine (server-to-server) calls within AWS: a Lambda function calling another API, EC2 calling an internal API, or cross-account service access. Browser clients cannot easily use SigV4, because they would need AWS credentials to sign with.
# IAM policy to allow invoking a specific API endpoint (JSON uses double quotes)
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders"
  }]
}
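As an added worked example (not part of this lesson or of any AWS SDK), the following pure-Python code shows both halves of IAM authorisation: a client deriving the scoped signing key and producing the Authorization header, and a verifier that does what API Gateway does for you when IAM auth is enabled: recompute the signature from the received request, check the credential scope and the x-amz-date clock window, and compare in constant time. The access key pair is AWS's published example pair, the API host and path are hypothetical, and the canonicalisation is simplified (single URI encoding, no path normalisation), so it is for understanding the mechanism; real callers should use the SDK signer.

```python
import datetime as dt
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import quote

# Constructed sample values: AWS's published example key pair and a hypothetical API host.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
SERVICE = "execute-api"
HOST = "abc123.execute-api.us-east-1.amazonaws.com"
ALGORITHM = "AWS4-HMAC-SHA256"
DATE_FMT = "%Y%m%dT%H%M%SZ"
MAX_SKEW = dt.timedelta(minutes=15)  # requests whose x-amz-date is too far from server time are rejected


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def parse_amz_date(value: str) -> dt.datetime:
    """Parse an x-amz-date value (YYYYMMDD'T'HHMMSS'Z') into an aware UTC datetime."""
    return dt.datetime.strptime(value, DATE_FMT).replace(tzinfo=dt.timezone.utc)


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """HMAC chain secret -> kDate -> kRegion -> kService -> kSigning; the result is scoped
    to one day, region and service, so the long-term secret never signs a request directly."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: Dict[str, str],
                      headers: Dict[str, str], payload: bytes) -> Tuple[str, str]:
    """Canonical request over the given lower-cased headers (simplified canonicalisation)."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    signed_names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in signed_names)
    signed_headers = ";".join(signed_names)
    creq = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, signed_headers, _sha256_hex(payload)])
    return creq, signed_headers


def compute_signature(method, path, query, headers, payload, amz_date, secret, region, service):
    """String-to-sign and the HMAC over it; shared by the signing and verifying sides."""
    date_stamp = amz_date[:8]
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    key = derive_signing_key(secret, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest(), scope, signed_headers


def sign_request(method: str, path: str, query: Dict[str, str], payload: bytes, amz_date: str,
                 access_key: str = ACCESS_KEY, secret: str = SECRET_KEY) -> Dict[str, str]:
    """Client side: the headers an IAM-authorised caller sends to API Gateway."""
    headers = {"host": HOST, "x-amz-date": amz_date}
    signature, scope, signed_headers = compute_signature(
        method, path, query, headers, payload, amz_date, secret, REGION, SERVICE)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def verify_request(method: str, path: str, query: Dict[str, str], payload: bytes,
                   headers: Dict[str, str], now: Optional[dt.datetime] = None,
                   credentials: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Server side: parse the header, check scope and freshness, recompute, compare in constant time."""
    credentials = credentials if credentials is not None else {ACCESS_KEY: SECRET_KEY}
    now = now if now is not None else dt.datetime.now(dt.timezone.utc)
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False, "unsupported algorithm"
    try:
        parts = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
        access_key, _, scope = parts["Credential"].partition("/")
        date_stamp, region, service, terminator = scope.split("/")
        signed_names = parts["SignedHeaders"].split(";")
        presented = parts["Signature"]
    except (KeyError, ValueError):
        return False, "malformed authorization header"
    if (region, service, terminator) != (REGION, SERVICE, "aws4_request"):
        return False, "credential scope mismatch"
    secret = credentials.get(access_key)
    if secret is None:
        return False, "unknown access key"
    amz_date = headers.get("x-amz-date", "")
    try:
        request_time = parse_amz_date(amz_date)
    except ValueError:
        return False, "bad x-amz-date"
    if abs(now - request_time) > MAX_SKEW or amz_date[:8] != date_stamp:
        return False, "request expired or date mismatch"
    # host and x-amz-date must be under the signature, or the header could be replayed elsewhere
    if "host" not in signed_names or "x-amz-date" not in signed_names:
        return False, "host and x-amz-date must be signed"
    if any(n not in headers for n in signed_names):
        return False, "signed header missing"
    signed = {n: headers[n] for n in signed_names}
    expected, _, _ = compute_signature(method, path, query, signed, payload, amz_date, secret, region, service)
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)
    hdrs = sign_request("GET", "/prod/orders", {"status": "open"}, b"", now.strftime(DATE_FMT))
    print(hdrs["authorization"])
    print(verify_request("GET", "/prod/orders", {"status": "open"}, b"", hdrs, now))  # (True, 'ok')
    # The signature binds method, path, query, signed headers and payload hash, so the same
    # header presented for a different resource fails verification.
    print(verify_request("GET", "/prod/admin", {"status": "open"}, b"", hdrs, now))  # (False, 'signature mismatch')
```

Two points worth noting from the verifier: the derived key is bound to a date, region and service, so a request signed for one API cannot be accepted by another, and the x-amz-date check means a captured request stops validating after the skew window even if nothing else changes.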