AWS API Gateway Authorizer Patterns
Introduction
AWS API Gateway Authorizers are a powerful tool to secure API Gateway endpoints.
The configuration of Authorizers can be a bit overwhelming at first. There are many options which have an impact on the security, performance and programming model of your API Gateway.
This article is a collection of three patterns that I have identified from my experience with AWS API Gateway Authorizers, from discussions with peers and colleagues and from existing documentation online.
Please note that this is not a comprehensive guide to API Gateway Authorizers. It’s a collection of abstract concepts that can be used to reason about the different patterns:
Note that the naming of the patterns is not official. I made them up to make it easier to talk about them.
No-Authorizer Pattern
The first pattern consists of an API Gateway and integration Lambdas in the background.

No authorizer Lambda is configured in the API Gateway. The gateway performs no authorization of its own: every request is accepted and forwarded to the backend Lambdas, which are responsible for authorization themselves.
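A sketch of an integration Lambda that does its own authorization under this pattern. This is an added example, not code from the original article; the HMAC token format, the `SECRET` value, the `userId` path parameter and the `admin` role are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: real code loads this from a secrets store

def issue_token(claims):
    """Constructed stand-in token format: base64url(JSON claims) + "." + HMAC-SHA256 hex."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def verify_token(token, now=None):
    """Return the claims dict, or None if the token is malformed, forged or expired."""
    try:
        body, mac = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] <= (time.time() if now is None else now):
            return None
    except (ValueError, TypeError, KeyError):
        return None
    return claims

def get_header(event, name):
    # Header casing in the proxy event is not guaranteed, so match case-insensitively.
    for key, value in (event.get("headers") or {}).items():
        if key.lower() == name:
            return value
    return None

def respond(status, body):
    return {"statusCode": status, "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}

def handler(event, context=None):
    # Authentication: nothing upstream checked the caller, so fail closed here.
    scheme, _, token = (get_header(event, "authorization") or "").partition(" ")
    claims = verify_token(token) if scheme.lower() == "bearer" else None
    if claims is None:
        return respond(401, {"message": "Unauthorized"})
    # Authorization: callers may read only their own resource unless they are admins.
    owner = (event.get("pathParameters") or {}).get("userId")  # hypothetical route parameter
    is_admin = "admin" in (claims.get("roles") or [])
    if not (is_admin or (owner and claims.get("sub") == owner)):
        return respond(403, {"message": "Forbidden"})
    return respond(200, {"userId": owner, "orders": []})
```

Every integration Lambda behind the gateway needs an equivalent check, since a handler that omits it is reachable without any credentials.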
In the diagram above, there is an exemplary “External User Service” that is queried by…