Developing Serverless Solutions on AWS - Live Session Guide
This module covers securing serverless applications with proper authentication and authorization patterns using AWS services.
Authentication answers: who are you?
Authorization answers: what can you do?
Three options for authorizing access to your APIs:
| Option | How It Works | Best For |
|---|---|---|
| JWT Authorizer | Validates tokens using OIDC standard. HTTP API: JWT authorizers. REST API: Cognito user pool authorizer. | Standard OIDC/OAuth2 flows, Cognito, Auth0, Okta |
| IAM Authorizer | Requires IAM credentials (SigV4 signing). Applies IAM policies to APIs. | Service-to-service, internal APIs, AWS SDK callers |
| Lambda Authorizer | Custom Lambda function performs authorization. Returns IAM policy. Supports bearer tokens, SAML, custom schemes. | Custom auth logic, legacy tokens, DB lookups, multi-source validation |
Amazon Cognito is a fully managed identity service that handles sign-up, sign-in, and access control. A user pool issues three kinds of tokens:
| Token | Purpose | Protection | Contains |
|---|---|---|---|
| ID Token | Authenticates users - proves identity | Signed | User claims (name, email, sub) |
| Access Token | Authorizes API calls - specifies scopes | Signed | Scopes, client_id, groups |
| Refresh Token | Obtains new ID/Access tokens without re-auth | Encrypted | Opaque - not readable by client |
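The authorizer table above lists a Lambda authorizer as the option for custom logic, and the token table shows which claims each Cognito token carries. The following is an added example, not one of the course's demo scripts: a REST API Lambda TOKEN authorizer that verifies a bearer token and returns the IAM policy API Gateway expects. To run offline it assumes an HS256 JWT signed with a shared secret and uses constructed `ISSUER`, `CLIENT_ID` and `SECRET` values; a production authorizer instead verifies Cognito's RS256 signature against the user pool's JWKS. It enforces the checks the token table implies for an API: signature, `exp`, `iss`, `token_use` equal to `access`, and `client_id` (an ID token carries `aud` instead and is rejected).

```python
"""Added example: REST API Lambda TOKEN authorizer for Cognito-style JWTs.

Assumptions (not from the course): HS256 with a shared secret so the code runs
offline; ISSUER, CLIENT_ID and SECRET are constructed placeholder values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_EXAMPLE"  # constructed
CLIENT_ID = "example-client-id"   # constructed
SECRET = b"demo-shared-secret"    # constructed; stands in for the JWKS public key


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT. Only used to construct test input for this example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims if signature, expiry, issuer, token_use and client all
    check out; raise ValueError with the reason otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own 'alg' choose the check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # APIs should be called with the access token; ID tokens (token_use 'id',
    # 'aud' instead of 'client_id') prove identity but do not carry scopes.
    if claims.get("token_use") != "access":
        raise ValueError("not an access token")
    if claims.get("client_id") != CLIENT_ID:
        raise ValueError("wrong client")
    return claims


def build_policy(principal_id: str, effect: str, method_arn: str,
                 context: Optional[dict] = None) -> dict:
    """Response shape API Gateway expects from a REST API Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def handler(event: dict, _context=None) -> dict:
    """Lambda entry point for a TOKEN authorizer event."""
    method_arn = event["methodArn"]
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        # Raising 'Unauthorized' makes API Gateway answer 401; a Deny policy answers 403.
        raise Exception("Unauthorized")
    try:
        claims = verify_token(token)
    except ValueError as err:
        return build_policy("anonymous", "Deny", method_arn, {"reason": str(err)})
    # Context values are forwarded to the integration; they must be strings.
    return build_policy(claims["sub"], "Allow", method_arn,
                        {"username": claims.get("username", ""),
                         "scope": claims.get("scope", "")})
```

Deploy the handler as the authorizer Lambda and API Gateway caches the returned policy per token for the configured TTL, so a revoked token keeps working until the cache entry expires; keep the TTL short for sensitive routes.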
Run these commands to demonstrate JWT auth end-to-end:
```sh
# Create User Pool
aws cognito-idp create-user-pool --pool-name demo-auth-pool --region us-west-2

# Create App Client
aws cognito-idp create-user-pool-client \
  --user-pool-id <POOL_ID> \
  --client-name demo-client \
  --explicit-auth-flows ALLOW_USER_PASSWORD_AUTH ALLOW_REFRESH_TOKEN_AUTH

# Create test user (single quotes keep '!' from triggering shell history expansion)
aws cognito-idp admin-create-user --user-pool-id <POOL_ID> \
  --username demo@example.com --temporary-password 'TempPass1!' --message-action SUPPRESS

# Set a permanent password so USER_PASSWORD_AUTH returns tokens instead of a
# NEW_PASSWORD_REQUIRED challenge; the password must satisfy the pool's policy
aws cognito-idp admin-set-user-password --user-pool-id <POOL_ID> \
  --username demo@example.com --password DemoPass123 --permanent
```

Sign in and inspect the ID token's claims:

```sh
TOKEN=$(aws cognito-idp initiate-auth \
  --client-id <CLIENT_ID> \
  --auth-flow USER_PASSWORD_AUTH \
  --auth-parameters USERNAME=demo@example.com,PASSWORD=DemoPass123 \
  --query 'AuthenticationResult.IdToken' --output text)

# The payload segment is base64url without padding: translate the alphabet,
# restore padding, then decode and pretty-print the claims
echo "$TOKEN" | cut -d'.' -f2 | tr '_-' '/+' \
  | awk '{ while (length($0) % 4) $0 = $0 "="; print }' \
  | base64 -d | python -m json.tool
```
```sh
# WITHOUT token - expect 401
curl https://<API_ID>.execute-api.us-west-2.amazonaws.com/protected
# {"message":"Unauthorized"}

# WITH valid token - expect 200
curl -H "Authorization: Bearer $TOKEN" \
  https://<API_ID>.execute-api.us-west-2.amazonaws.com/protected
# {"message":"Hello from protected API!", "user":"demo@example.com"}
```
Alternatively, run the demo scripts to create, test, and tear down the resources:

```sh
python jwt_authorizer_demo.py     # Creates everything + runs tests
python jwt_authorizer_cleanup.py  # Deletes all resources
```
Developing Serverless Solutions on AWS - Module 3 | Live Session Guide
Last updated: June 2026