
How to secure an endpoint that is accessed by unauthenticated users in a serverless application


We have an endpoint that needs to be queried for the pool Id for a given tenant before the user's login request can be sent. What is the best way to "secure" such an endpoint that is open for access by unauthenticated users?

We are using API gateway and lambda functions and serverless framework.


Solution

  • AWS Cognito Identity Pools have an option that may work for you. First, I'll quickly cover the different Cognito services, since it's something that confused me when I was first trying to understand Cognito.

    At the risk of oversimplifying, AWS Cognito exists to answer two questions:

    1. Who are you? (authentication)
    2. What can you do? (authorization)

    Cognito addresses these concerns with two distinct offerings: User Pools (authentication) and Identity Pools (authorization).

    You can think of Cognito User Pools as your application's user directory. At a high level, User Pools let you handle user registration, authentication, and account recovery, and support authentication with third-party identity providers like Facebook, Google, etc.

    Cognito Identity Pools provides a way to authorize users to use various AWS services. You can think of it as a vending machine for handing out AWS credentials. For example, if you needed to give your users access to upload a file to an S3 bucket or to invoke an endpoint in API Gateway, you could do so with an Identity Pool.

    Here's a handy illustration to describe what I've outlined above.

    Cognito lets you support unauthenticated users in your Identity Pool (instructions here).

    So, how does this apply to your question?

    You can use Cognito to enable IAM authorization across your entire API, which allows you to leverage the power of IAM to control access to your API. When you enable unauthenticated user access in Cognito, guest visitors to your site will be assigned to the unauthenticated IAM user role. Users that log in to your site will be assigned to the authenticated IAM user role. You can attach IAM policies to these roles that define what each role has access to.

    For example, you might want to restrict unauthenticated users to certain API endpoints. On the other hand, authenticated users might get access to invoke all API endpoints in your application.
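As an added illustration of the two-role setup described in this answer (this is example code, not part of the original answer or of any AWS library), the block below builds an IAM policy for the unauthenticated Identity Pool role that permits only the tenant lookup route, a policy for the authenticated role that permits every route, and a small evaluator that applies IAM's default-deny / explicit-Deny-wins logic to `execute-api:Invoke` requests. The region, account id, API id, stage and the `/tenants/{tenant}/pool` path are constructed placeholders, not values taken from the question.

```javascript
// Added example: least-privilege policies for the Cognito unauthenticated and
// authenticated IAM roles, plus a minimal evaluator mimicking IAM's decision order
// (explicit Deny > explicit Allow > implicit deny). All identifiers below are
// constructed placeholders.

const REGION = "us-east-1";        // assumed region
const ACCOUNT = "123456789012";    // constructed placeholder account id
const API_ID = "abc123def4";       // constructed placeholder API Gateway id
const STAGE = "prod";              // assumed stage name

// execute-api ARN for one route:
// arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<METHOD>/<path>
function executeApiArn(method, path) {
  const p = path.replace(/^\//, "");
  return `arn:aws:execute-api:${REGION}:${ACCOUNT}:${API_ID}/${STAGE}/${method}/${p}`;
}

// Guest (unauthenticated) role: only the pool-id lookup needed before login.
function unauthenticatedPolicy() {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: ["execute-api:Invoke"],
        Resource: [executeApiArn("GET", "/tenants/*/pool")],
      },
    ],
  };
}

// Authenticated role: every method on every route of this API.
function authenticatedPolicy() {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: ["execute-api:Invoke"],
        Resource: [executeApiArn("*", "*")],
      },
    ],
  };
}

// IAM wildcard pattern to RegExp: '*' matches any run of characters, '?' one.
function patternToRegex(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

function matches(patterns, value) {
  return [].concat(patterns).some((p) => patternToRegex(p).test(value));
}

// Evaluate an identity-based policy for one action/resource pair.
// Returns true only if some statement explicitly allows it and none denies it.
function isAllowed(policy, action, resourceArn) {
  let allowed = false;
  for (const st of policy.Statement) {
    if (!matches(st.Action, action) || !matches(st.Resource, resourceArn)) continue;
    if (st.Effect === "Deny") return false; // explicit Deny always wins
    if (st.Effect === "Allow") allowed = true;
  }
  return allowed; // implicit deny when nothing matched
}

// Summarise what each role may call, for a quick review of the policy split.
function accessMatrix(routes) {
  const guest = unauthenticatedPolicy();
  const user = authenticatedPolicy();
  return routes.map(([method, path]) => ({
    route: `${method} ${path}`,
    guest: isAllowed(guest, "execute-api:Invoke", executeApiArn(method, path)),
    authenticated: isAllowed(user, "execute-api:Invoke", executeApiArn(method, path)),
  }));
}

console.table(accessMatrix([["GET", "/tenants/acme/pool"], ["POST", "/orders"]]));
```

For this to take effect in the Serverless Framework, the route's `http` event must be declared with `authorizer: aws_iam` so that API Gateway requires SigV4-signed requests; the front end then obtains guest credentials from the Identity Pool and signs the pool-id lookup with them. Anything the guest role is not explicitly allowed to invoke is rejected by API Gateway before the Lambda runs.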