Securing a serverless application using Cognito


Hi, I am working on an application with the following architecture : App current architecture

The end users (customers) will connect to the application using Cognito hosted UI and be redirected to the front end UI where they can perform actions through rest api end points at /api/, the backend validates and transforms their request into requests usable by the external application. The administrators connect the same interface but they have extra access to API endpoint located at /api/admin/.

Currently I am using Cognito authorizer on Api Gateway with a single user pool where users belong to either the group "user" where they only access the customer functions of the application or the group "admin" where they have access to everything.

I am using header based authentication (each request to Api gateway should have the Authorization : Bearer TOKEN header. I have the following issues and question.

  1. I can't differentiate between user groups to control access using the same user pool
  2. I don't want to have to include the authorization header on every request the browser makes, is there a way I could save the token in the cookies and use it in the authorizer on Api Gateway ? (Token source ?)
  3. Anyone can access the html from the administrators pages, although this isn't a security issue, I would prefer having the ability to redirect a user to home if he's not an admin or login URL is not logged in

PS: This is my first question/post on re:Post, please let me know if I made mistakes in my message.

Any response or feedback is highly appreciated, Thank you

1 Answer


  1. You could use custom scopes to let API Gateway do the fine grained authorization with the Cognito Authorizer. Alternatively, you can use a Lambda Authorizer and map the group membership to a policy document stored in DynamoDB as described in this article.
  2. You could use a httpOnly cookie with an accessToken inside.
  3. You can use Lambda@Edge to protect your CloudFront content from unauthenticated users.

Hope this helps.

profile pictureAWS
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions