Protecting AWS API Gateway From 3rd Party Only

Hello,

I need to control access to my REST API Gateway in the following manner:

  • When called from my own web app (SPA hosted on S3/CloudFront at a specific Route53 domain) it should go through only after validating the calling user in terms of authentication and authorization through an OAuth2 JWT token.
  • When a 3rd party calls (any other domain/machine) the above should also happen, but only after validating that a specific API Token has been issued to the caller.

What technologies should I be using to achieve the above please?

1 Answer

API Gateway supports only a single authorization method per route. If you need something more complex than what API Gateway supports (Cognito or IAM), you will need to use a Lambda authorizer. In the authorizer you can check the source (based on maybe some secret header that you pass from the client) and, if it is not your client, you check for the other token.

AWS EXPERT
Uri
answered 2 years ago
    1. So you mean I cannot use Cognito + API token to protect a single route?
    2. Is it actually safe to pass a fixed API token from an SPA client to the Gateway?

    1. You can use both Cognito and API keys; however, if you specify that API keys are required, they will be required for everyone.
    2. Not really, but it is not very different from passing an API key.
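As an added example (it is not code from the original post, from Uri, or from AWS), here is a REQUEST-type Lambda authorizer for a REST API that implements the pattern described above: every caller must present a valid OAuth2 JWT, and a caller that does not identify itself as the first-party SPA must additionally present an issued API token. Everything concrete is an assumption made for the example: the marker header name `X-Client-Id` and its value, the `X-Api-Token` header, the issuer and audience values, the in-memory table of issued tokens, and the use of HS256 with a shared secret so that the code runs offline. Cognito user-pool tokens are RS256 and must instead be verified against the pool's JWKS (for example with PyJWT); only the `verify_jwt` internals would change.

```python
import base64
import hashlib
import hmac
import json
import time

# Example assumptions (not from the original post):
# - First-party SPA requests carry a marker header X-Client-Id with a fixed value
#   (header name and value are hypothetical).
# - JWTs are HS256 under a shared secret so the example runs offline. Cognito
#   user-pool tokens are RS256; verify those against the pool's JWKS instead.
# - Third-party API tokens are looked up in a constructed in-memory table.
CLIENT_HEADER = "x-client-id"
FIRST_PARTY_CLIENT_ID = "my-spa"
JWT_SECRET = b"example-hs256-secret-do-not-use"
EXPECTED_ISSUER = "https://auth.example.com"
EXPECTED_AUDIENCE = "my-api"
ISSUED_API_TOKENS = {"partner-token-abc123": "partner-a"}  # token -> partner


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(claims):
    """Mint an HS256 JWT (stands in for the OAuth2 identity provider)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token, now=None):
    """Return the claims if the JWT is valid (signature, exp, iss, aud), else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: rejects alg=none and algorithm-confusion tokens.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or "sub" not in claims:
        return None
    if claims.get("exp", 0) <= now:
        return None
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    return claims


def lookup_api_token(presented):
    """Match a presented API token against issued ones in constant time."""
    match = None
    for token, partner in ISSUED_API_TOKENS.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            match = partner
    return match


def _policy(principal, effect, method_arn, context=None):
    # A Deny policy makes API Gateway answer 403; raising Exception("Unauthorized")
    # would instead produce 401.
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def authorize(event, now=None):
    """JWT required for everyone; an issued API token additionally for non-SPA callers."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    arn = event.get("methodArn", "*")
    deny = _policy("anonymous", "Deny", arn)

    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return deny
    claims = verify_jwt(auth[len("Bearer "):], now)
    if claims is None:
        return deny

    ctx = {"sub": claims["sub"], "caller": "first-party"}
    if headers.get(CLIENT_HEADER) != FIRST_PARTY_CLIENT_ID:
        # Not our SPA: the caller must also hold an API token we issued.
        partner = lookup_api_token(headers.get("x-api-token", ""))
        if partner is None:
            return deny
        ctx = {"sub": claims["sub"], "caller": partner}
    return _policy(claims["sub"], "Allow", arn, ctx)


def lambda_handler(event, context):
    return authorize(event)
```

Note what the marker header does and does not buy you here, which is the point of the second comment above: a header sent by a browser SPA is visible to anyone who opens the developer tools, so it cannot act as a secret. In this layout the JWT is the only thing that authenticates a caller; the marker merely selects whether the extra API-token check runs, so a third party that copies the header skips that check. The `context` values (`sub`, `caller`) are passed on to the integration as `$context.authorizer.*` so the backend can still tell the two populations apart for authorization decisions.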
