AWS API Gateway
API Gateway – Integrations (High Level)
API Gateway acts as a proxy between clients and backends.
Integration Type | Description |
---|---|
Lambda Proxy | Trigger AWS Lambda functions |
AWS Service | Connect to AWS services (e.g., Kinesis, SQS) |
HTTP/HTTP Proxy | Route requests to any HTTP endpoint |
Mock | Return static responses (for testing) |
API Gateway – AWS Service Integration Example (Kinesis Data Streams)
Use API Gateway to push events directly into a Kinesis Data Stream:
Use Case:
Web app sends telemetry/events to API Gateway → API Gateway uses an IAM role to PutRecord into Kinesis.
Steps:
- Create Kinesis Data Stream
- Create API Method (POST)
- Integration Type: AWS Service
- AWS Service: `kinesis`
- Action: `PutRecord`
- Set mapping templates to build the payload
- Assign an IAM role with `kinesis:PutRecord` permission
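To make the steps above concrete, here is an added example (not code from the page) that mirrors what the Kinesis integration has to produce: a request mapping template in the shape API Gateway's Velocity templates use (shown as a string for reference; API Gateway evaluates it, this script does not), the PutRecord body it yields for a sample client request, and the permission and trust policies for the role API Gateway assumes. The stream name, account ID and telemetry payload are constructed placeholders.

```python
"""Added example: what the API Gateway -> Kinesis PutRecord integration must
produce. Stream name, account ID and sample payload are constructed placeholders."""
import base64
import json

STREAM_NAME = "telemetry-stream"                                   # placeholder
STREAM_ARN = f"arn:aws:kinesis:us-east-1:111122223333:stream/{STREAM_NAME}"

# Request mapping template (reference only): API Gateway renders this into the
# JSON body of the kinesis:PutRecord call. Data must be base64-encoded.
MAPPING_TEMPLATE = (
    '{\n'
    f'    "StreamName": "{STREAM_NAME}",\n'
    '    "Data": "$util.base64Encode($input.json(\'$.Data\'))",\n'
    '    "PartitionKey": "$input.path(\'$.PartitionKey\')"\n'
    '}'
)


def build_put_record_body(client_body: dict) -> dict:
    """Compute the PutRecord body the template above yields for a client request."""
    if not str(client_body.get("PartitionKey", "")):
        raise ValueError("PartitionKey is required")  # Kinesis rejects an empty key
    data = json.dumps(client_body.get("Data"), separators=(",", ":"))
    return {
        "StreamName": STREAM_NAME,
        "Data": base64.b64encode(data.encode()).decode(),
        "PartitionKey": str(client_body["PartitionKey"]),
    }


def execution_role_policy() -> dict:
    """Least-privilege permission policy for the role API Gateway assumes:
    only kinesis:PutRecord, only on this stream."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "kinesis:PutRecord",
            "Resource": STREAM_ARN,
        }],
    }


def execution_role_trust_policy() -> dict:
    """Trust policy: only the API Gateway service principal may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def decode_record_data(body: dict) -> dict:
    """What a stream consumer reads back from the record (round-trip check)."""
    return json.loads(base64.b64decode(body["Data"]))


if __name__ == "__main__":
    sample = {"PartitionKey": "device-42", "Data": {"temp": 21.5, "ts": 1700000000}}  # constructed
    body = build_put_record_body(sample)
    print(MAPPING_TEMPLATE)
    print(json.dumps(body, indent=2))
    print("round trip ok:", decode_record_data(body) == sample["Data"])
```

Keeping the role's permission policy to a single action on a single stream ARN matters because the role is assumed by the API Gateway service principal for every request that reaches this method; a broader policy would let any caller of the method write wherever the role can.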
API Gateway – Endpoint Types
Endpoint Type | Description |
---|---|
Edge-Optimized | Default, routed via CloudFront, best for global apps |
Regional | Targets region-specific use cases |
Private | Exposed only inside your VPC via VPC endpoint (Interface Endpoint) |
API Gateway – Security Options
Security Mechanism | Description |
---|---|
IAM Authorization | AWS SigV4 signed requests (useful for internal apps) |
Cognito User Pools | Federated identity + JWT token validation |
Lambda Authorizer | Custom token-based authorization logic |
API Keys + Usage Plans | Simple auth + rate limiting |
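The Lambda Authorizer row above is the one option whose logic you write yourself, so here is an added example (not code from the page) of a token-based authorizer: it verifies an HS256 JWT (signature, pinned algorithm, issuer, expiry), then returns the response shape API Gateway expects, an `execute-api:Invoke` policy scoped to the requested method ARN plus context for the backend. The shared secret, issuer and method ARN are constructed placeholders; a production authorizer would verify against the identity provider's published signing keys rather than a shared secret.

```python
"""Added example: a TOKEN-type Lambda authorizer for API Gateway.
SECRET, EXPECTED_ISSUER and METHOD_ARN are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"      # constructed, demo only
EXPECTED_ISSUER = "https://issuer.example"            # placeholder issuer
METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abcde12345/prod/GET/orders"  # placeholder


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if the token is well-formed, correctly signed, from the
    expected issuer and unexpired; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # The algorithm is pinned by the verifier, never chosen by the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def make_policy(principal_id: str, effect: str, method_arn: str, context=None) -> dict:
    """Authorizer response: principalId, an IAM policy for execute-api:Invoke,
    and optional context that API Gateway forwards to the integration."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def handler(event: dict, context=None, now=None) -> dict:
    """Lambda entry point. Returning a Deny policy makes API Gateway answer 403;
    raising Exception("Unauthorized") would make it answer 401 instead."""
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    try:
        claims = verify_hs256(token, SECRET, now)
    except ValueError:
        return make_policy("anonymous", "Deny", event["methodArn"])
    # Allow only the requested method ARN; API Gateway caches the result per
    # token for the authorizer's configured TTL.
    return make_policy(claims["sub"], "Allow", event["methodArn"], {"scope": claims.get("scope", "")})


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a demo token (stands in for the identity provider)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    tok = mint_token({"sub": "user-1", "iss": EXPECTED_ISSUER, "exp": time.time() + 300, "scope": "orders:read"})
    print(json.dumps(handler({"authorizationToken": "Bearer " + tok, "methodArn": METHOD_ARN}), indent=2))
```

Two design points worth keeping when adapting this: the verifier decides the algorithm and key, never the token header, and every failure path returns the same Deny so the client learns nothing about which check failed.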
AWS Step Functions
- A serverless orchestration service to coordinate Lambda, ECS, SQS, etc.
- Supports visual workflows, retries, error handling
- Use for:
  - ETL pipelines
  - Microservice coordination
  - Approval workflows
- Integration with 200+ AWS services
- Native support for SDK integrations
- Express workflows for high-throughput, short-lived tasks
Amazon Cognito
Manages user authentication, authorization, and federation for web and mobile apps.
Cognito User Pools (CUP) – User Features
Feature | Description |
---|---|
Sign-up/Sign-in | Built-in forms or APIs |
MFA / Password Policies | Optional TOTP/SMS MFA |
Email/SMS Verification | Built-in confirmation flows |
Hosted UI | OAuth2-compliant login UI |
Token Issuance | JWT tokens (`id_token`, `access_token`, `refresh_token`) |
Cognito User Pools – Integrations
Integrates With | Use Case |
---|---|
API Gateway | Authenticate API requests with JWT |
Lambda Triggers | Custom logic (pre-signup, post-authentication) |
CloudFront | Control access to content |
App Clients | Web, Android, iOS SDKs |
Cognito Identity Pools (Federated Identities)
- Provides temporary AWS credentials for users
- Works with:
  - Cognito User Pools
  - Social logins (Google, Facebook, etc.)
  - SAML / OpenID Connect IdPs
- Assigns fine-grained IAM roles per user/group
Cognito Identity Pools vs User Pools
Feature | User Pools | Identity Pools |
---|---|---|
Purpose | User directory + auth | Temporary AWS credential provider |
Tokens | JWT tokens | AWS STS credentials (IAM) |
Federation | Social/SAML/OIDC (auth only) | Supports all for IAM access |
Use Case | App login | Access to AWS resources |
Row-Level Security in DynamoDB
DynamoDB doesn't have built-in row-level ACLs, but you can implement Row-Level Security (RLS) using IAM policies with condition expressions.
Example: Allow users to access only their items
```json
{
  "Effect": "Allow",
  "Action": "dynamodb:GetItem",
  "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
  "Condition": {
    "ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": "${aws:username}"
    }
  }
}
```
Requirements:
- Partition key (e.g., `UserID`) should match `${aws:username}`
- API requests must be signed with the user's IAM identity
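Because the policy above only works if the `dynamodb:LeadingKeys` condition behaves the way you expect, here is an added example (not code from the page) that simulates IAM's evaluation of that statement against sample requests, using the page's table ARN and `UserID` partition key. The request-context model is a simplification (the IAM policy simulator against a real table is authoritative), but it is enough to show the two checks a practitioner wants: a user can only read rows under their own key, and `ForAllValues` passes trivially for key-less operations such as Scan, which is why the statement's `Action` list must stay restricted to key-based operations. The variable resolver is generic, so the same code covers the Cognito Identity Pool case, where `${aws:username}` (set only for IAM users) is replaced by `${cognito-identity.amazonaws.com:sub}`.

```python
"""Added example: simulate IAM evaluation of the page's dynamodb:LeadingKeys
statement. Simplified model of the DynamoDB request context."""
import re

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"  # from the page
PARTITION_KEY = "UserID"                                              # the page's requirement

# The page's statement, used as-is.
STATEMENT = {
    "Effect": "Allow",
    "Action": "dynamodb:GetItem",
    "Resource": TABLE_ARN,
    "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": "${aws:username}"}},
}


def leading_keys(action: str, params: dict) -> list:
    """Partition-key values the request touches, i.e. what DynamoDB places in
    the dynamodb:LeadingKeys context key (simplified)."""
    if action in ("GetItem", "DeleteItem", "UpdateItem"):
        return [params["Key"][PARTITION_KEY]]
    if action == "PutItem":
        return [params["Item"][PARTITION_KEY]]
    if action == "BatchGetItem":
        return [k[PARTITION_KEY] for k in params["Keys"]]
    if action == "Query":
        return [params["PartitionKeyValue"]]
    return []  # Scan and other non-key operations supply no leading key at all


def for_all_values_string_equals(request_values: list, policy_values: list) -> bool:
    """IAM semantics of ForAllValues: every request value must equal a policy
    value. An empty request set passes, which is the caveat shown below."""
    return all(v in policy_values for v in request_values)


def resolve_variables(value: str, principal: dict) -> str:
    """Substitute policy variables such as ${aws:username} from the principal's
    request context; an unresolvable variable becomes an unmatchable value."""
    return re.sub(r"\$\{([A-Za-z0-9:._-]+)\}",
                  lambda m: principal.get(m.group(1), "\0unresolved"), value)


def condition_passes(stmt: dict, principal: dict, action: str, params: dict) -> bool:
    """Evaluate the statement's ForAllValues:StringEquals block on its own."""
    cond = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
    for key, value in cond.items():
        if key != "dynamodb:LeadingKeys":
            raise NotImplementedError(key)
        allowed = [resolve_variables(value, principal)]
        if not for_all_values_string_equals(leading_keys(action, params), allowed):
            return False
    return True


def statement_allows(stmt: dict, principal: dict, action: str, resource: str, params: dict) -> bool:
    """True when this Allow statement matches action, resource and condition."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if f"dynamodb:{action}" not in actions or stmt["Resource"] != resource:
        return False
    return stmt["Effect"] == "Allow" and condition_passes(stmt, principal, action, params)


if __name__ == "__main__":
    alice = {"aws:username": "alice"}  # constructed principal
    cases = [
        ("GetItem", {"Key": {"UserID": "alice", "OrderID": "o-1"}}),
        ("GetItem", {"Key": {"UserID": "bob", "OrderID": "o-9"}}),
        ("Scan", {}),
    ]
    for action, params in cases:
        print(action, params, "->", statement_allows(STATEMENT, alice, action, TABLE_ARN, params),
              "(condition alone:", condition_passes(STATEMENT, alice, action, params), ")")
```

The last case is the one to remember: the condition alone evaluates true for Scan, so if a later statement grants `dynamodb:Scan` with the same condition, it will not confine the caller to their own rows.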
Summary Table
Topic | Purpose |
---|---|
API Gateway Integrations | Trigger AWS services, proxy APIs |
Kinesis via API Gateway | Push data directly into streams |
API Gateway Endpoint Types | Edge, regional, or private APIs |
API Gateway Security | IAM, Cognito, Lambda auth |
Step Functions | Serverless orchestration engine |
Cognito User Pools | User management & authentication |
Cognito Identity Pools | IAM role-based AWS access |
Row-Level Security in DynamoDB | Fine-grained access via IAM conditions |