Module 3: Authentication, Authorization & Access Control

Developing Serverless Solutions on AWS - Live Session Guide

Module Overview

This module covers securing serverless applications with proper authentication and authorization patterns using AWS services.

Topics

1. Authentication vs Authorization

Authentication (AuthN)

Who are you?

  • Verifies you are who you say you are
  • Validates an identity against a credential store
  • Examples: username/password, MFA, biometrics, social login
  • Result: proof of identity (token, assertion)

Authorization (AuthZ)

What can you do?

  • Determines whether you are permitted to perform an action
  • Evaluates policies, scopes, roles
  • Examples: IAM policies, OAuth scopes, RBAC
  • Result: allow or deny decision

Identity Provider (IdP)

The system that performs AuthN and issues the proof of identity that other parties trust

  • Holds the credential store and runs the sign-in flow (password, MFA, social)
  • Issues signed tokens or assertions (OIDC ID/access tokens, SAML assertions)
  • Examples: Cognito User Pools, Okta, Auth0, Google, a corporate SAML IdP

2. API Gateway Authorizers

Three options for authorizing access to your APIs:

Option: JWT Authorizer
  • How it works: API Gateway validates the bearer JWT against the OIDC issuer's published keys (signature, issuer, audience, expiry). HTTP API: JWT authorizer. REST API: Cognito user pool authorizer.
  • Best for: Standard OIDC/OAuth2 flows, Cognito, Auth0, Okta

Option: IAM Authorizer
  • How it works: The caller signs the request with IAM credentials (SigV4); IAM policies on the execute-api resource decide allow or deny.
  • Best for: Service-to-service, internal APIs, AWS SDK callers

Option: Lambda Authorizer
  • How it works: Your own Lambda function inspects the token or request and returns an IAM policy (HTTP APIs can also return a simple allow/deny response). Supports bearer tokens, SAML, custom schemes. The result is cached per identity source for the configured TTL.
  • Best for: Custom auth logic, legacy tokens, DB lookups, multi-source validation
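
Worked example of the Lambda Authorizer option (the "legacy tokens, DB lookups" case). This is code added to this guide, not course material: a REST API TOKEN-type authorizer that looks an opaque legacy token up in a table and returns an IAM policy. The token table, the principals and the methodArn are constructed; the in-memory dict stands in for a database lookup.

```python
"""REST API Lambda authorizer (TOKEN type) for legacy opaque API tokens.

Constructed example: the token store keeps only the SHA-256 of each token so a
leaked table does not leak usable credentials.
"""
import hashlib
import time

LEGACY_TOKENS = {
    hashlib.sha256(b"legacy-token-alice-123").hexdigest(): {
        "principal": "alice", "tenant": "acme", "expires": 4102444800},  # 2100-01-01
    hashlib.sha256(b"legacy-token-bob-456").hexdigest(): {
        "principal": "bob", "tenant": "acme", "expires": 946684800},     # 2000-01-01, expired
}


def extract_bearer(header):
    """Return the token from 'Bearer <token>', or None if the header is malformed."""
    if not header:
        return None
    parts = header.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def lookup_token(token, now=None):
    """Return the record for a valid token, None if unknown or expired."""
    now = time.time() if now is None else now
    record = LEGACY_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["expires"] <= now:
        return None
    return record


def policy_scope(method_arn):
    """Scope the policy to the whole stage, not just the method that was called.

    API Gateway caches the returned policy per token and reuses it for other
    routes; a policy naming only the first route would deny every other route
    until the cache expires. methodArn looks like
    arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>.
    """
    arn_prefix, stage, _rest = method_arn.split("/", 2)
    return f"{arn_prefix}/{stage}/*"


def build_policy(principal_id, effect, resource, context=None):
    """Shape of the authorizer response API Gateway expects."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": resource}],
        },
        # Exposed to the integration as $context.authorizer.<key>
        "context": context or {},
    }


def handler(event, _lambda_context=None, now=None):
    token = extract_bearer(event.get("authorizationToken"))
    if token is None:
        # Raising 'Unauthorized' makes API Gateway answer 401 (no usable credentials)
        raise Exception("Unauthorized")
    scope = policy_scope(event["methodArn"])
    record = lookup_token(token, now)
    if record is None:
        # An explicit Deny makes API Gateway answer 403
        return build_policy("anonymous", "Deny", scope)
    return build_policy(record["principal"], "Allow", scope, {"tenant": record["tenant"]})
```

The stage-wide Resource is deliberate: with result caching enabled, the first policy returned for a token is what every subsequent route sees for the TTL, so scope it to everything the principal may call and let the backend do per-route checks.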

2024-2025 Updates

3. Amazon Cognito

Fully managed identity service that handles sign-up, sign-in, and access control.

User Pools (AuthN)

  • User directory - sign-up / sign-in
  • Social login (Google, Apple, Facebook) and enterprise federation (SAML, OIDC)
  • MFA, password policies, account recovery
  • Issues JWTs (ID and Access tokens) plus an opaque Refresh token
  • Customizable hosted UI
  • Lambda triggers for custom workflows (pre sign-up, pre token generation, custom auth challenges)

Identity Pools / Federated Identities (AuthZ)

  • Exchanges an IdP token (e.g. a User Pool ID token) for temporary AWS credentials via STS
  • Maps users to IAM roles (authenticated/unauthenticated); keep the unauthenticated role minimal, since any caller can obtain its credentials
  • Supports Cognito, social, SAML, OIDC providers
  • Fine-grained access with policy variables (e.g. ${cognito-identity.amazonaws.com:sub} in an IAM condition, so each user only reaches their own items)
  • Direct access to S3, DynamoDB, etc. from the client with those credentials
  • No need for a backend proxy

4. JWT Token Types (OIDC / OAuth 2.0)

Cognito User Pools return three tokens after sign-in. The ID token is defined by OIDC; the access and refresh tokens come from OAuth 2.0.

Token: ID Token
  • Purpose: Authenticates users - proves identity to the client application
  • Protection: Signed (RS256; verification keys published at the pool's JWKS endpoint)
  • Contains: User claims (name, email, sub), aud = app client ID, token_use = "id"

Token: Access Token
  • Purpose: Authorizes API calls - carries scopes; this is the token meant for resource servers
  • Protection: Signed (RS256)
  • Contains: scope, client_id, cognito:groups, token_use = "access" (no aud claim; client_id plays that role)

Token: Refresh Token
  • Purpose: Obtains new ID/Access tokens without re-auth
  • Protection: Encrypted, opaque - not readable by the client
  • Contains: Nothing the client should parse; store it securely and revoke it on sign-out
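
What a JWT authorizer actually checks before a request reaches the backend, as an added example for this guide (not course code). It is standard-library only, so the signature step uses HMAC-SHA256 (HS256) as a stand-in for the RS256 signature Cognito produces; in production use a JOSE library against the pool's JWKS and pin the algorithm to RS256. The pool ID, client ID, key ID and all claims are constructed values.

```python
"""Claim-by-claim JWT validation in the order a JWT authorizer performs it.

Constructed example: HS256 stands in for Cognito's RS256 so it runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

REGION = "us-west-2"
POOL_ID = "us-west-2_EXAMPLE1"                           # constructed
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"
CLIENT_ID = "1example23456789abcdefghij"                 # constructed
ALG = "HS256"                                            # would be "RS256" for Cognito
JWKS = {"demo-kid-1": b"constructed-demo-signing-key"}  # kid -> key, stand-in for JWKS


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment):
    # JWT segments are base64url without padding; plain `base64 -d` rejects them
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def sign(header, payload, key):
    """Mint a token (stand-in issuer) so the verifier can be exercised offline."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token, expected_issuer=ISSUER, client_id=CLIENT_ID, expected_use="access", now=None):
    """Return the payload if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # 1. Pin the algorithm; never let the token choose it (alg=none, key confusion)
    if header.get("alg") != ALG:
        raise ValueError("unexpected alg")
    # 2. kid must resolve to a key published by the issuer
    key = JWKS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    # 3. Signature over header.payload, compared in constant time
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p64))
    # 4. Issuer must be exactly this user pool
    if payload.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    # 5. Audience: ID tokens carry aud; Cognito access tokens carry client_id instead
    if payload.get("aud", payload.get("client_id")) != client_id:
        raise ValueError("wrong audience")
    # 6. token_use tells an ID token and an access token apart
    if payload.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    # 7. Expiry (exp is seconds since the epoch)
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def make_access_token(sub="user-1", scope="openid", exp_offset=3600, now=None, **overrides):
    """Constructed Cognito-shaped access token for exercising verify()."""
    now = time.time() if now is None else now
    payload = {"sub": sub, "iss": ISSUER, "client_id": CLIENT_ID, "token_use": "access",
               "scope": scope, "iat": int(now), "exp": int(now) + exp_offset}
    payload.update(overrides)
    return sign({"alg": ALG, "kid": "demo-kid-1"}, payload, JWKS["demo-kid-1"])
```

Step 5 is the "Issuer URL + Audience (Client ID)" pair an API Gateway JWT authorizer is configured with; the HTTP API JWT authorizer applies the same fallback, checking client_id when the token has no aud, which is why both Cognito ID and access tokens pass it.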

5. Auth Flows

Flow A: REST API with Cognito User Pools (Slide 13)

Participants: Mobile App (Client), Cognito User Pools (Authenticate), API Gateway (Validate JWT), Lambda (Backend)

  1. Auth - the app signs the user in against the User Pool
  2. JWTs - the User Pool returns ID, Access and Refresh tokens
  3. Call API - the app calls API Gateway with Authorization: Bearer <token>
  4. Validate token - API Gateway checks signature, issuer, audience and expiry against the pool's published keys
  5. Invoke - only a valid token reaches the Lambda backend, which receives the claims in the request context

Flow B: Cognito Federated Identities (Slide 15)

Participants: Mobile App, Cognito User Pools, Cognito Identity Pools, AWS IAM, API Gateway, Lambda, DynamoDB

  1. Auth - the app signs the user in against the User Pool
  2. JWTs - the User Pool returns tokens
  3-5. Exchange for creds - the app presents the ID token to the Identity Pool, which maps it to an IAM role and returns temporary credentials (access key, secret key, session token)
  6. Sign payload - the app signs the request with SigV4 using those credentials
  7. Call resource - the signed request goes to API Gateway (IAM authorizer)
  8. Check policy - IAM evaluates the role's policy against the execute-api resource
  9. Invoke - API Gateway invokes Lambda
  10. Access - Lambda reads DynamoDB

6. Live Demo: JWT Authorizer in Action

Run these commands to demonstrate JWT auth end-to-end:

Step 1: Create Cognito User Pool + User

# All commands assume this region (or pass --region to each one)
export AWS_DEFAULT_REGION=us-west-2

# Create User Pool (email is the sign-in identifier)
aws cognito-idp create-user-pool --pool-name demo-auth-pool --region us-west-2 \
  --username-attributes email --auto-verified-attributes email

# Create App Client
# USER_PASSWORD_AUTH sends the password to Cognito (over TLS); fine for a demo,
# production clients should use ALLOW_USER_SRP_AUTH instead
aws cognito-idp create-user-pool-client \
  --user-pool-id <POOL_ID> \
  --client-name demo-client \
  --explicit-auth-flows ALLOW_USER_PASSWORD_AUTH ALLOW_REFRESH_TOKEN_AUTH

# Create test user (lands in FORCE_CHANGE_PASSWORD state)
aws cognito-idp admin-create-user --user-pool-id <POOL_ID> \
  --username demo@example.com --temporary-password 'TempPass1!' --message-action SUPPRESS

# Set a permanent password; otherwise initiate-auth returns a NEW_PASSWORD_REQUIRED
# challenge instead of tokens. The default pool policy requires upper, lower, digit and symbol.
aws cognito-idp admin-set-user-password --user-pool-id <POOL_ID> \
  --username demo@example.com --password 'DemoPass123!' --permanent

Step 2: Get JWT Token

TOKEN=$(aws cognito-idp initiate-auth \
  --client-id <CLIENT_ID> \
  --auth-flow USER_PASSWORD_AUTH \
  --auth-parameters 'USERNAME=demo@example.com,PASSWORD=DemoPass123!' \
  --query 'AuthenticationResult.IdToken' --output text)

# Decode the payload. JWT segments are base64url without padding, so `base64 -d`
# fails on them; pad and decode in Python instead
python3 -c 'import sys, base64, json
seg = sys.argv[1].split(".")[1]
print(json.dumps(json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))), indent=2))' "$TOKEN"

Step 3: Test API Gateway

# WITHOUT token - expect 401
curl https://<API_ID>.execute-api.us-west-2.amazonaws.com/protected
# {"message":"Unauthorized"}

# WITH valid token - expect 200
# (the ID token passes because its aud claim is the app client ID; send the
# access token instead when the authorizer is configured to check scopes)
curl -H "Authorization: Bearer $TOKEN" \
  https://<API_ID>.execute-api.us-west-2.amazonaws.com/protected
# {"message":"Hello from protected API!", "user":"demo@example.com"}

Automated Demo

python jwt_authorizer_demo.py    # Creates everything + runs tests
python jwt_authorizer_cleanup.py # Deletes all resources

7. Module Summary & Key Points

Key Takeaways

  • AuthN = who you are (identity)
  • AuthZ = what you can do (permissions)
  • API Gateway has 3 authorizer types: JWT, IAM, Lambda
  • Cognito User Pools = sign-up/sign-in (issues JWTs)
  • Cognito Identity Pools = exchange tokens for temp AWS creds
  • JWT authorizers need: Issuer URL (https://cognito-idp.<region>.amazonaws.com/<pool_id>) + Audience (app Client ID)

When to Use What

  • JWT Authorizer - standard web/mobile auth
  • IAM Authorizer - service-to-service, AWS SDK
  • Lambda Authorizer - custom logic, legacy tokens
  • User Pools alone - just need sign-in + API access
  • User Pools + Identity Pools - need direct AWS service access (S3, DynamoDB)

8. What's New (2024-2025 Updates)

Last updated: June 2026