By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Lambda Authorizer Vs Cognito Authorizer

0

What are the pros and cons of using Lambda authorizers versus Cognito authorizers in API Gateway? Which option is more secure? We need to implement group-level and resource-based authorization.

In Detail: We need an authorizer for users with different roles like passengers, drivers, admins—assigned to three groups via Cognito user pool. This authorizer should control access to resources like APIs (Lambda & API Gateway) based on their group. Additionally, we need to restrict each group's users from accessing each other’s resources, which requires a more reliable authorization method beyond group-level controls. What would be the best approach for this?

2 Answers
4
Accepted Answer

Hi,

If you use Lambda authorizer, you will have to code the lambda handler yourself where you'll have to return an IAM policy to allow/deny the request. A dir net blueprint can be found here: https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/tree/master/blueprints/dotnet/src but you can use any supported languages for it.

With authorizers you are in full control.

For cognito you will have just to associate it to the api gw after you create an user pool. It provides certain features out of the box, but there are certain limitations (non able to add custom claims to access tokens, very rigid to update user pools after you create them).

So, there is compromise to make here:

  1. full flexibility required -> Lambda authorizer
  2. Cognito standard features ok -> Cognito Authorizer

Best

Didier

profile pictureAWS
EXPERT
answered 9 days ago
profile picture
EXPERT
reviewed 8 days ago
  • Thanks for the response :)

0

Are you running cognito or another authentication system which requires a custom authoriser or need to perform custom checks?

profile picture
EXPERT
answered 9 days ago
  • We need an authorizer for users with different roles like passengers, drivers, admins—assigned to three groups via Cognito user pool. This authorizer should control access to resources like APIs (Lambda & API Gateway) based on their group. Additionally, we need to restrict each group's users from accessing each other’s resources, which requires a more reliable authorization method beyond group-level controls. What would be the best approach for this?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions