Tags: node.js, angular, microservices, amazon-cognito, aws-amplify

Node.js microservices with AWS Cognito using Amplify: best practice


I'm working on a Node.js API that I have divided into a few small APIs (microservices) that communicate with each other using request and response, and I'm using Angular for the front end. Now I want to secure my APIs using Cognito and AWS Amplify, so I'm confused about where I should place the AWS Amplify code in my project. Should I put it in the front end, or should I have a separate Node.js API to handle the security? And if there is a better approach, can you suggest it please? I'm new to Node and Angular (I'm a Java developer), so any help would be appreciated.


Solution

  • There are a few points to consider. You did not give details about how your services communicate; I'm assuming HTTP here.

    Considering you want to protect your APIs, putting security in the frontend leaves your API vulnerable to anyone not using your frontend. It would thus make sense, in general, to have a common gateway/security backend service which guards your API services.

    It could be something like

    Frontend <-> Gateway <-> Microservices

    instead of

    Frontend <-> Microservices

    This would at the same time give you the opportunity to add more complex orchestration of your service architecture at a later point, without adjusting the frontend.

    Now, regarding authentication, passport.js provides you with a really easy-to-use interface for adding authentication to incoming requests. It supports a variety of authentication methods, including, but not limited to, OpenID Connect (which in turn works with AWS Cognito). Together with express.js you should be able to pull off a simple routing/security service in a few lines of code, with options to extend it with more features/security stuff as needed (e.g. you might want to add session handling at some point, or more security-related stuff like XSS protection and the like; there are middlewares for express which cover those topics).

    [edit] Some more sidenotes regarding security. It might be worth looking at OWASP in general and, as a more concrete point to start from, OWASP's ASVS project, which provides you with a set of guidelines you might/should follow regarding application security when developing web applications. There are a ton of cheat sheets which provide guides/best practices for common topics like session handling, cookie handling, authentication and other security-related topics.