Amazon API Gateway customers can easily secure APIs using Amazon Verified Permissions

Posted on: Jun 7, 2024

Amazon Verified Permissions expanded support for securing Amazon API Gateway APIs, with fine-grained access controls when using an OpenID Connect (OIDC) compliant identity provider. Developers can now control access based on user attributes and group memberships, without writing code. For example, say you are building a loan processing application. Using this feature, you can restrict access to the “approve_loan” API to only users in the “loan_officer” group.

Amazon Verified Permissions is a scalable fine-grained authorization service for the applications that you build. Verified Permissions launched a new feature to secure API Gateway REST APIs for customers using an OIDC compliant identity provider. The feature provides a wizard for connecting Verified Permissions with API Gateway and an identity provider, and defining permissions based on user groups. Verified Permissions automatically generates an authorization model and Cedar policies that allow only authorized user groups access to the application’s APIs. The wizard deploys a Lambda authorizer that calls Verified Permissions to validate that the API request carries a valid OIDC token and is authorized. Additionally, the Lambda authorizer caches authorization decisions to reduce latency and cost.
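As an added illustration of what the deployed authorizer does (this is example code written for this post, not the authorizer the wizard generates), the following minimal Lambda REQUEST authorizer passes the caller's bearer token to Verified Permissions with `IsAuthorizedWithToken`, which checks the token against the configured OIDC identity source and evaluates the Cedar policies, then caches the decision per token and route. The policy store ID, the `LoanApp` namespace and the `"post /approve_loan"` style of action ID are assumptions; use the values from your own generated schema.

```python
import hashlib
import time

POLICY_STORE_ID = "PLACEHOLDER_POLICY_STORE_ID"  # assumption: read from an env var in practice
NAMESPACE = "LoanApp"                             # assumption: namespace of the generated schema
CACHE_TTL_SECONDS = 60
DECISION_CACHE = {}  # (sha256(token), "METHOD /path") -> (decision, expiry)


def is_authorized(client, token, method, path):
    """Return "ALLOW" or "DENY" for this token and route, consulting the cache first."""
    # Key on a digest of the token so the raw bearer token is never kept in memory.
    key = (hashlib.sha256(token.encode()).hexdigest(), f"{method.upper()} {path}")
    now = time.monotonic()
    cached = DECISION_CACHE.get(key)
    if cached and cached[1] > now:
        return cached[0]
    # Verified Permissions validates the token (issuer, audience, expiry, signature)
    # against the policy store's identity source and evaluates the Cedar policies.
    resp = client.is_authorized_with_token(
        policyStoreId=POLICY_STORE_ID,
        identityToken=token,
        action={"actionType": f"{NAMESPACE}::Action",
                "actionId": f"{method.lower()} {path}"},   # assumption: "post /approve_loan" style
        resource={"entityType": f"{NAMESPACE}::Application", "entityId": NAMESPACE},
    )
    decision = "ALLOW" if resp.get("decision") == "ALLOW" else "DENY"
    DECISION_CACHE[key] = (decision, now + CACHE_TTL_SECONDS)
    return decision


def build_policy(decision, method_arn):
    """Translate the decision into the IAM policy document API Gateway expects."""
    effect = "Allow" if decision == "ALLOW" else "Deny"
    return {
        "principalId": "oidc-user",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
    }


def handler(event, context):
    """Lambda entry point for a REQUEST authorizer on a REST API."""
    import boto3  # imported here so the module loads without boto3 outside Lambda
    auth_header = event.get("headers", {}).get("Authorization", "")
    if not auth_header.startswith("Bearer "):
        raise Exception("Unauthorized")  # API Gateway turns this into a 401
    token = auth_header[len("Bearer "):]
    client = boto3.client("verifiedpermissions")
    decision = is_authorized(client, token, event["httpMethod"], event["path"])
    return build_policy(decision, event["methodArn"])
```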

To get started, visit the Verified Permissions console, and create a policy store by selecting “Import using API Gateway and Identity Provider”. We have partnered with leading identity providers, CyberArk, Okta, and Transmit Security, to test this feature and ensure a smooth experience. This feature is available in all regions where Verified Permissions is available. For more information, visit the product page.