AWS recently announced that Amazon API Gateway requests can now be authorized with Amazon Verified Permissions. With this feature, HTTP requests containing tokens issued by Amazon Cognito can be used to perform authorization decisions against API resources.
Amazon Verified Permissions is a runtime authorization engine. Launched in June 2023, the service allows its users to build fine-grained authorization models for their resources and to evaluate access requests against them in real time. Authorization models in Amazon Verified Permissions are expressed as schemas that identify the types of principals, resources and actions for a given application’s context.
Once a schema is defined, users of the service can then create policies permitting or denying access to resources based on the principal’s role and/or associated attributes. With a schema and policies available, authorization requests can then be made to one of Amazon Verified Permissions’ IsAuthorized endpoints via an AWS SDK or a plain HTTP request. This returns the outcome of the check, the policies enforced and any errors encountered during the evaluation. The per-request authorization of Amazon Verified Permissions bears similarities to Amazon API Gateway’s existing access control mechanism, and the new feature offers users an easy means of enhancing it.
To leverage Amazon Verified Permissions with Amazon API Gateway, users will need a Lambda Authorizer. The Lambda Authorizer extracts the fields required for the authorization call to Amazon Verified Permissions, invokes the decision endpoint and translates the response to align with the format for Amazon API Gateway. Part of the newly released feature includes an AWS CloudFormation template with a sample Lambda Authorizer for this purpose.
For the Lambda Authorizer to work successfully, the expected principals, actions and resources of Amazon API Gateway requests need to be mapped to schemas and policies in Amazon Verified Permissions. The Quick Start Guide that ships with the new feature allows Cognito User Pool entities to be imported as principals in the schema and maps API Gateway resources to actions. With this complete, policies can be set up against which to enforce access controls. When calling the API, clients then only need to include the access or identity token of a signed-in Amazon Cognito user for access to the resources to be validated.
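The mechanism described above, as an added example that is not the sample authorizer from the AWS CloudFormation template: a REQUEST-type Lambda Authorizer that extracts the Cognito token from the Authorization header, calls IsAuthorizedWithToken and translates the decision into the IAM policy document API Gateway expects. The policy store id, the `MyApp` namespace, the `"method /path"` action naming and the single `Application` resource are assumptions of this example, not values from the article; the decision call is injected so the translation can be exercised offline.

```python
import re

# Assumed, deployment-specific values (not from the article): the policy store
# id and the Cedar namespace declared in the Verified Permissions schema.
POLICY_STORE_ID = "PLACEHOLDER_POLICY_STORE_ID"
NAMESPACE = "MyApp"
# methodArn: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
_ARN_RE = re.compile(r"^arn:aws:execute-api:[^:]+:[^:]+:[^/]+/[^/]+/([A-Z]+)/?(.*)$")

def action_from_method_arn(method_arn):
    """Map the invoked route to the schema's action, e.g. 'get /pets' (assumed naming)."""
    m = _ARN_RE.match(method_arn)
    if not m:
        raise ValueError("unexpected methodArn: " + method_arn)
    method, path = m.group(1), m.group(2)
    return {"actionType": NAMESPACE + "::Action", "actionId": method.lower() + " /" + path}

def bearer_token(headers):
    """Return the Cognito token from 'Authorization: Bearer <jwt>', or None."""
    parts = (headers.get("authorization") or headers.get("Authorization") or "").split()
    return parts[1] if len(parts) == 2 and parts[0].lower() == "bearer" else None

def build_policy(principal_id, effect, method_arn, context=None):
    """The response shape API Gateway expects from a Lambda Authorizer."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {"principalId": principal_id, "context": context or {},
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def authorize(event, decide):
    """decide(token, action, resource) -> IsAuthorizedWithToken response; injected for offline tests."""
    method_arn = event["methodArn"]
    token = bearer_token(event.get("headers") or {})
    if token is None:  # no Cognito token at all: deny without calling the service
        return build_policy("anonymous", "Deny", method_arn)
    action = action_from_method_arn(method_arn)
    resource = {"entityType": NAMESPACE + "::Application", "entityId": "api"}
    resp = decide(token, action, resource)
    # Fail closed: only an explicit ALLOW with no evaluation errors grants access.
    effect = "Allow" if resp.get("decision") == "ALLOW" and not resp.get("errors") else "Deny"
    policies = ",".join(p["policyId"] for p in resp.get("determiningPolicies", []))
    return build_policy("cognito-user", effect, method_arn, {"determiningPolicies": policies})

def verified_permissions_decide(token, action, resource):
    """Real decision call; boto3 is imported lazily so the module loads offline."""
    import boto3
    return boto3.client("verifiedpermissions").is_authorized_with_token(
        policyStoreId=POLICY_STORE_ID, accessToken=token, action=action, resource=resource)

def handler(event, context):
    return authorize(event, verified_permissions_decide)
```

Because Verified Permissions validates the token against the Cognito user pool, the authorizer itself never has to parse or verify the JWT; the token only needs to be present and forwarded.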
A key drawback of integrating Amazon Verified Permissions with Amazon API Gateway is the associated cost. Amazon Verified Permissions charges roughly $150 per million requests while Amazon API Gateway charges $1 per million requests for its simpler HTTP option or $3.50 per million requests for the more expensive REST option. Reflecting on the announcement on LinkedIn, Yan Cui, Serverless Advocate at Lumigo, opined:
It's a very powerful service and one that I would love to use. However, its current pricing makes it prohibitive except for the most business-critical, most predictable, and low-throughput environments.
Alternative approaches to applying fine-grained access controls on HTTP requests with Amazon Cognito tokens include OpenFGA or Permit.io’s Policy Decision Point. While the aforementioned solutions could provide more cost-effective options, they do not offer one-click integrations with Amazon Cognito or Amazon API Gateway to simplify the creation of authorization models.
Finally, Amazon Verified Permissions is available in all commercial AWS regions, and more details about its integration with Amazon API Gateway and Amazon Cognito can be found in the user guide.