Anybody can hit that URL & get a response. If you don’t want that, there are several ways to secure an API endpoint such that API Gateway won’t invoke the API unless the caller authenticates itself. One way to secure APIs is by using Amazon Cognito. Let’s see how to set this up for an app that intends to call a secure API.
We’ll begin by creating a Cognito user pool:
We’ll step through settings so we can customize them:
We don’t require any attributes since this pool will only be used by apps programmatically:
No need to allow users to sign themselves up:
No need to verify any attributes. We don’t intend to send any SMSes either:
Add an app client & create the pool:
Provide a domain name so we can fetch the tokens:
Add a resource server:
Enable the Cognito identity provider & the “client credentials” OAuth flow for the app:
Now let’s use this pool to secure the API. Back in the API Gateway console, create a new authorizer of type Cognito:
Now go into the Method Request of the method you wish to secure & change its Authorization from NONE to our authorizer:
Harish KM is a Cloud Evangelist and a Full Stack Engineer at QloudX. Harish is very passionate about cloud native solutions and using the best tools for projects. This means that he is an expert in a multitude of application languages and is up to date with all the new offerings and services from cloud providers, especially AWS.
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.