Posted On: Apr 5, 2024

AWS has launched a feature for Amazon Cognito customers to reduce the time spent securing Amazon API Gateway APIs with fine-grained access control, from weeks to days. The feature leverages Amazon Verified Permissions to manage and evaluate granular security policies that reference user attributes and groups. With a few clicks, you can enforce that only users in authorized Amazon Cognito groups have access to the application’s APIs. For example, if you are building a loan processing application, you can secure it by restricting access to the “approve_loan” API to users in the “loan_officers” group. You can then implement more fine-grained authorization, without making any code changes, by updating the underlying Cedar policy so that only “loan_officers” above “Director” level can approve loans.
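To make the two rules above concrete, here is an added Cedar example (not part of the AWS announcement and not the policy the console generates for you). The entity type names `UserGroup` and `Action`, the group identifier `"loan_officers"`, the numeric `level` attribute and the threshold `3` are all assumptions; the real schema and identifiers are produced by the Verified Permissions setup for your user pool and API.

```cedar
// Added example, not from the AWS announcement. Entity types, identifiers,
// the `level` attribute and its threshold are assumptions for illustration.

// Step 1: any member of the loan_officers group may call approve_loan.
// Cedar is default-deny, so users outside the group need no forbid rule.
permit (
    principal in UserGroup::"loan_officers",
    action == Action::"approve_loan",
    resource
);

// Step 2 (replaces step 1, no application code change): additionally require
// a seniority attribute above Director level. `principal has level` guards
// against users whose token carries no such attribute being evaluated.
permit (
    principal in UserGroup::"loan_officers",
    action == Action::"approve_loan",
    resource
)
when { principal has level && principal.level > 3 };
```

Because the Lambda authorizer evaluates every request against the policy store, swapping the first policy for the second tightens access to the API at the next request, which is the “no code changes” property the announcement describes.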

Amazon Verified Permissions is a scalable permissions management and fine-grained authorization service for the applications that you build. Today, we launched a feature that streamlines implementing fine-grained authorization by combining Amazon Cognito, Amazon Verified Permissions, and Amazon API Gateway. It automatically generates an authorization model from your APIs, together with policies that allow only authorized Amazon Cognito groups to access them. Additionally, it deploys an AWS Lambda authorizer which you attach to the APIs you want to secure. Once the authorizer is attached, all requests to those APIs are authorized by Verified Permissions.

To get started, visit the Verified Permissions console and create a policy store by selecting “Set up with API Gateway and Cognito”. Learn more by watching the quick overview and demo video. For more information, visit the Verified Permissions product page.