1
00:00:00,000 --> 00:00:01,848
<v Instructor>So here comes the least fun part</v>

2
00:00:01,848 --> 00:00:03,949
with API Gateway, which is around security,

3
00:00:03,949 --> 00:00:05,969
but the exam really needs you to know all

4
00:00:05,969 --> 00:00:08,849
the security aspects of API Gateway, so here it is.

5
00:00:08,849 --> 00:00:11,336
There are three aspects, there is IAM Permissions,

6
00:00:11,336 --> 00:00:14,187
Lambda authorizers, and there is Cognito user pool.

7
00:00:14,187 --> 00:00:15,749
We're going to see them one by one.

8
00:00:15,749 --> 00:00:17,601
The first one is IAM permissions,

9
00:00:17,601 --> 00:00:20,278
so basically, your IAM will be AWS,

10
00:00:20,278 --> 00:00:22,326
and so if you want to give one of your

11
00:00:22,326 --> 00:00:25,621
users, one of your roles access to your API

12
00:00:25,621 --> 00:00:28,389
it makes sense to attach an IAM policy

13
00:00:28,389 --> 00:00:29,678
to your user and your role,

14
00:00:29,678 --> 00:00:31,929
and then what happens is that the API Gateway

15
00:00:31,929 --> 00:00:33,798
will verify the IAM information when

16
00:00:33,798 --> 00:00:36,597
you call your rest API, and it's really good

17
00:00:36,597 --> 00:00:38,950
if you wanna provide API access

18
00:00:38,950 --> 00:00:41,579
within your own infrastructure.

19
00:00:41,579 --> 00:00:43,676
It's a really good way of doing things.

20
00:00:43,676 --> 00:00:47,338
The magic is called Sig v4, for signature v4,

21
00:00:47,338 --> 00:00:49,669
and so the IAM credentials, it's a bit complicated,

22
00:00:49,669 --> 00:00:51,246
but they are in one header,

23
00:00:51,246 --> 00:00:53,777
and the header is passed onto the API Gateway.

24
00:00:53,777 --> 00:00:56,636
So we have our client, it's calling API Gateway

25
00:00:56,636 --> 00:01:00,647
with Sig v4, and then API Gateway calls IAM

26
00:01:00,647 --> 00:01:02,906
verifies the policies, makes sure it all checks out,

27
00:01:02,906 --> 00:01:05,035
and then if it's happy, goes to the back end.

28
00:01:05,035 --> 00:01:06,704
So if we talk about the advantages,

29
00:01:06,704 --> 00:01:09,663
there's no added cost to this solution,

30
00:01:09,663 --> 00:01:12,412
and any time you see Sig v4 in the exam,

31
00:01:12,412 --> 00:01:15,305
think IAM permissions for API Gateway.

32
00:01:15,305 --> 00:01:17,414
It's a pretty easy solution, but if you

33
00:01:17,414 --> 00:01:20,715
give access to users outside of your AWS

34
00:01:20,715 --> 00:01:23,931
then you can't use IAM permissions, obviously.

35
00:01:23,931 --> 00:01:25,854
The second thing that is probably the most common

36
00:01:25,854 --> 00:01:28,014
you're gonna see out there, is Lambda authorizer,

37
00:01:28,014 --> 00:01:30,654
and it used to be known as Custom Authorizers,

38
00:01:30,654 --> 00:01:32,537
so if you see in the exam Custom Authorizers,

39
00:01:32,537 --> 00:01:35,207
think Lambda authorizer.

40
00:01:35,207 --> 00:01:37,890
As the name indicates, it uses Amazon Lambda

41
00:01:37,890 --> 00:01:40,330
to validate the token that is being passed

42
00:01:40,330 --> 00:01:42,181
in the header of your request.

43
00:01:42,181 --> 00:01:44,650
And you can cache the result of your authentication,

44
00:01:44,650 --> 00:01:46,780
so you don't need to call your Authorizer Lambda

45
00:01:46,780 --> 00:01:49,341
every time a request comes in, just once,

46
00:01:49,341 --> 00:01:52,322
and then you can cache your result for say, whenever.

47
00:01:52,322 --> 00:01:55,349
It's used when you have some kind of third party

48
00:01:55,349 --> 00:01:58,709
type authentication, OAuth, SAML, etc.

49
00:01:58,709 --> 00:02:01,133
So any time you need to evaluate the credentials

50
00:02:01,133 --> 00:02:03,623
given by a third party, Lambda authorizer

51
00:02:03,623 --> 00:02:06,203
is a great candidate for this.

52
00:02:06,203 --> 00:02:08,791
And the Lambda, as a result of your authorization

53
00:02:08,791 --> 00:02:11,293
must return an IAM Policy for the user,

54
00:02:11,293 --> 00:02:13,573
and that IAM Policy will define whether or not

55
00:02:13,573 --> 00:02:15,691
the user can call the API.

56
00:02:15,691 --> 00:02:18,293
So, fairly easy, now our client calls a rest API

57
00:02:18,293 --> 00:02:20,400
with a token, a third party token,

58
00:02:20,400 --> 00:02:23,760
and our API Gateway will call the Lambda authorizer,

59
00:02:23,760 --> 00:02:25,911
passing the token to the Lambda authorizer,

60
00:02:25,911 --> 00:02:28,569
and the Lambda will return an IAM Policy,

61
00:02:28,569 --> 00:02:29,941
and if everything checks out,

62
00:02:29,941 --> 00:02:33,670
then the API Gateway talks to the back end and we're good.

63
00:02:33,670 --> 00:02:37,272
Now we have a third kind of users,

64
00:02:37,272 --> 00:02:39,912
and this is the user pools for Cognito,

65
00:02:39,912 --> 00:02:41,078
now there's a whole section on Cognito,

66
00:02:41,078 --> 00:02:43,478
so don't get too afraid right now,

67
00:02:43,478 --> 00:02:45,660
let's just assume we know what user pools are,

68
00:02:45,660 --> 00:02:48,500
and so Cognito will manage the full user lifecycle,

69
00:02:48,500 --> 00:02:51,130
and the API Gateway will automatically verify

70
00:02:51,130 --> 00:02:53,940
the identity from AWS Cognito,

71
00:02:53,940 --> 00:02:55,292
and you don't need to implement any

72
00:02:55,292 --> 00:02:56,900
custom Lambda function, or anything.

73
00:02:56,900 --> 00:02:59,670
So it's all implemented for you, and free.

74
00:02:59,670 --> 00:03:01,714
But the only thing to know, is that Cognito

75
00:03:01,714 --> 00:03:05,172
only helps this time with authentication, not authorization.

76
00:03:05,172 --> 00:03:06,945
So Cognito just says, yes the user

77
00:03:06,945 --> 00:03:11,283
talking to you right now is indeed the right user.

78
00:03:11,283 --> 00:03:13,883
So the process is that your client calls

79
00:03:13,883 --> 00:03:15,963
the Cognito user pool to authenticate,

80
00:03:15,963 --> 00:03:18,003
and then the Cognito user pool gives back

81
00:03:18,003 --> 00:03:19,803
a token to the client.

82
00:03:19,803 --> 00:03:22,265
The client now calls our API Gateway,

83
00:03:22,265 --> 00:03:24,283
as a rest API and it passes on the token

84
00:03:24,283 --> 00:03:26,753
it just received from the Cognito user pool.

85
00:03:26,753 --> 00:03:29,233
The API Gateway will then make sure

86
00:03:29,233 --> 00:03:31,134
that the Cognito token is correct,

87
00:03:31,134 --> 00:03:33,843
by talking to Cognito directly.

88
00:03:33,843 --> 00:03:35,014
And then when it's happy,

89
00:03:35,014 --> 00:03:37,711
it says okay we can now talk to the back end.

90
00:03:37,711 --> 00:03:40,762
The back end must ensure that you are authorized

91
00:03:40,762 --> 00:03:43,665
to make the call, so this time it's a little bit different.

92
00:03:43,665 --> 00:03:45,465
So in this type of solution,

93
00:03:45,465 --> 00:03:47,305
you manage your own user pool so that this

94
00:03:47,305 --> 00:03:48,894
is going to be great when we see Cognito,

95
00:03:48,894 --> 00:03:51,313
because we can see how we can enable Facebook,

96
00:03:51,313 --> 00:03:53,953
or Google Authentication with that scheme.

97
00:03:53,953 --> 00:03:55,833
And that gives you the third kind of authentication

98
00:03:55,833 --> 00:03:58,076
for the API Gateway.

99
00:03:58,076 --> 00:03:59,543
So let's just summarize, and understand

100
00:03:59,543 --> 00:04:02,025
which scheme to use, and when.

101
00:04:02,025 --> 00:04:04,294
So the first one is going to be IAM,

102
00:04:04,294 --> 00:04:07,183
and IAM is for when you have users

103
00:04:07,183 --> 00:04:10,134
or roles already within your AWS accounts.

104
00:04:10,134 --> 00:04:13,734
It's handling authentication, and authorization

105
00:04:13,734 --> 00:04:17,804
through IAM Policies, and it leverages Sig v4.

106
00:04:17,804 --> 00:04:19,494
If you use a custom authorizer,

107
00:04:19,494 --> 00:04:21,196
it's great when you have third party tokens

108
00:04:21,196 --> 00:04:23,665
that you don't control, and you are very flexible,

109
00:04:23,665 --> 00:04:27,004
in terms of what IAM policy is going to be returned.

110
00:04:27,004 --> 00:04:29,476
You can handle authentication and authorization

111
00:04:29,476 --> 00:04:31,694
because you return an IAM policy,

112
00:04:31,694 --> 00:04:34,082
and you're going to pay per Lambda invocation

113
00:04:34,082 --> 00:04:36,404
but you can use caching to limit the number

114
00:04:36,404 --> 00:04:38,316
of calls you do to your Lambda function

115
00:04:38,316 --> 00:04:40,894
for authorizing, which if you have one million users

116
00:04:40,894 --> 00:04:42,195
then you'll have to call your Lambda function

117
00:04:42,195 --> 00:04:45,974
one million times every time the cache gets invalidated.

118
00:04:45,974 --> 00:04:48,333
Focusing on user pools, then you're going to manage

119
00:04:48,333 --> 00:04:50,914
your own user pool, and we'll see this in Cognito

120
00:04:50,914 --> 00:04:53,204
when we go to the section of Cognito, next section.

121
00:04:53,204 --> 00:04:56,494
You can be backed by Facebook login, Google login etc.

122
00:04:56,494 --> 00:04:58,584
So you don't need to write any custom code,

123
00:04:58,584 --> 00:05:01,487
and you must implement the authorization layer

124
00:05:01,487 --> 00:05:02,320
on the back end.

125
00:05:02,320 --> 00:05:05,385
So Cognito will just provide you with an authentication pattern,

126
00:05:05,385 --> 00:05:07,322
not an authorization pattern.

127
00:05:07,322 --> 00:05:08,574
So I hope that helps,

128
00:05:08,574 --> 00:05:10,617
and I will see you in the next lecture.

