[ API Gateway ]

- AWS Lambda + API Gateway : No infrastructure to manage

- Support for the WebSocket Protocol

- Handle API versioning

- Handle different environments (dev/test/oper)

- Handle security (Authentication and Authorization)

- Create API keys, handle request throttling

- Swagger / Open API import to quickly define APIs 

- Transform and validate requests and responses

- Generate SDK and API specifications

- Cache API responses

 

[ API Gateway - Integrations High Level ]

1. Lambda Function

  - Invoke Lambda function

  - Easy way to expose REST API backed by AWS Lambda

2. HTTP

  - Expose HTTP endpoints in the backend

  e.g. internal HTTP API on premises, ALB (Application Load Balancer)...

  Why? Add rate limiting, caching, user authentications, API Keys, etc...

3. AWS Service

  - Expose any AWS API through the API Gateway

  e.g. start an AWS Step Functions workflow, post a message to SQS

  - Why? Add authentication, deploy publicly, rate control..

 

[ API Gateway - Endpoint Types ]

1. Edge-Optimized (default) : For global clients

  - Requests are routed through the CloudFront Edge locations (improves latency)

  - The API Gateway still lives in only one region

2. Regional :

  - For clients within the same region

  - Could be combined manually with CloudFront (more control over the caching strategies and the distribution)

3. Private :

  - Can only be accessed from your VPC using an interface VPC endpoint (ENI)

  - Use a resource policy to define access

 

[ API Gateway - Hands on ]

1) Write the API Lambda function (coding supported in each language)

2) Select the API type in API Gateway

3) Enter the context path

4) Deploy
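The four steps above end with a Lambda function behind a proxy integration, and the only contract the function has to honour is the event/response shape that API Gateway uses. The handler below is an added example (not from the original post): it reads the httpMethod, path, query string and body that the proxy integration passes in, routes two constructed paths (/hello and /echo, both assumptions for illustration), and always returns the statusCode/headers/body object that API Gateway requires, including a 400 for a malformed body and a 404 for an unknown route.

```python
import json
from typing import Any, Dict, Optional

# Constructed sample of a Lambda proxy integration event as API Gateway delivers it.
# Only the fields this handler reads are shown; a real event carries many more.
SAMPLE_EVENT: Dict[str, Any] = {
    "httpMethod": "GET",
    "path": "/hello",
    "queryStringParameters": {"name": "alice"},
    "headers": {"Accept": "application/json"},
    "body": None,
}


def _response(status: int, payload: Dict[str, Any]) -> Dict[str, Any]:
    """Build the response shape the proxy integration requires.

    API Gateway rejects the invocation (HTTP 502) if statusCode or body is
    missing, so every branch of the handler goes through this helper.
    """
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(payload),
    }


def handler(event: Dict[str, Any], context: Optional[Any] = None) -> Dict[str, Any]:
    """Lambda entry point for an API Gateway proxy integration."""
    method = event.get("httpMethod", "")
    path = event.get("path", "")
    # API Gateway sends None (not {}) when the request has no query string.
    query = event.get("queryStringParameters") or {}

    if method == "GET" and path == "/hello":
        return _response(200, {"message": f"hello {query.get('name', 'world')}"})

    if method == "POST" and path == "/echo":
        try:
            body = json.loads(event.get("body") or "{}")
        except json.JSONDecodeError:
            return _response(400, {"error": "body is not valid JSON"})
        return _response(200, {"echo": body})

    return _response(404, {"error": f"no route for {method} {path}"})


def body_of(resp: Dict[str, Any]) -> Any:
    """Parse the JSON body back out of a proxy response (handy when checking results)."""
    return json.loads(resp["body"])
```

Once this function is deployed and the Lambda proxy integration is selected for the resource, the same code serves every stage (dev/test/oper) without change; the stage name only changes the URL prefix, not the event the function receives.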

 

 

[ API Gateway - Security ]

[ IAM Permissions ]

- Create an IAM policy authorization and attach to User/Role

- API Gateway verifies IAM permissions passed by the calling application

- Good to provide access within your own infrastructure

- Leverages the "Sig v4" capability, where IAM credentials are passed in headers

- Great for users / roles already within your AWS account

- Handle authentication + authorization

- Leverage Sig v4

 

[ Lambda Authorizer (formerly Custom Authorizers) ] 

- Uses AWS Lambda to validate the token being passed in the header

- Option to cache result of authentication

- Helps to use OAuth/SAML/3rd party type of authentication

- Lambda must return an IAM policy for the user

- Great for 3rd party tokens

- very flexible in terms of what IAM policy is returned

- Handle Authentication + Authorization

- Pay per Lambda invocation
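"Lambda must return an IAM policy for the user" is the whole contract of a Lambda authorizer, so here is an added example of a TOKEN authorizer (not code from the original post). It assumes a constructed token format, a base64 JSON payload plus an HMAC-SHA256 tag over a shared SECRET, standing in for whatever third-party token (OAuth/JWT, SAML assertion) a real deployment would verify against its issuer. The handler then builds the principalId + policyDocument object API Gateway expects, denies by default, raises the exact "Unauthorized" error that API Gateway turns into a 401, and returns a Deny policy (a 403) for a token that is present but invalid or expired.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Assumption (constructed for this example): tokens are "<payload-b64>.<hmac-hex>"
# minted by a trusted issuer that shares SECRET with the authorizer. A real
# authorizer would instead verify a JWT signature against the issuer's JWKS.
SECRET = b"example-shared-secret-not-for-production"
FAR_FUTURE = 4102444800  # 2100-01-01, so sample tokens do not expire during tests

# Constructed method ARN in the shape API Gateway puts in event["methodArn"]
# (123456789012 is the documented placeholder account id).
SAMPLE_METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/hello"


def mint_token(sub: str, exp: int = FAR_FUTURE) -> str:
    """Issuer side: produce a token for subject `sub` expiring at unix time `exp`."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": sub, "exp": exp}).encode()).decode()
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token: str, now: int) -> Optional[Dict[str, Any]]:
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    try:
        payload, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if int(claims.get("exp", 0)) < now:
        return None
    return claims


def build_policy(principal_id: str, effect: str, resource: str,
                 context: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """The object API Gateway expects back: principalId, an IAM policy, optional context."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
            ],
        },
        # Keys in `context` are forwarded to the backend as $context.authorizer.<key>.
        "context": context or {},
    }


def handler(event: Dict[str, Any], context: Optional[Any] = None) -> Dict[str, Any]:
    """TOKEN authorizer entry point.

    event["authorizationToken"] carries the raw Authorization header value and
    event["methodArn"] identifies the method being invoked.
    """
    method_arn = event["methodArn"]
    raw = event.get("authorizationToken", "")
    if not raw.startswith("Bearer "):
        # API Gateway maps an error whose message is exactly "Unauthorized" to HTTP 401.
        raise Exception("Unauthorized")
    claims = verify_token(raw[len("Bearer "):], int(time.time()))
    if claims is None:
        # Well-formed header, bad or expired token: an explicit Deny yields HTTP 403.
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(claims["sub"], "Allow", method_arn, {"sub": claims["sub"]})
```

Two points worth checking before enabling the result cache mentioned above: the cached policy is keyed on the token, so a policy whose Resource is only the single methodArn will produce 403s when the same caller hits a different method within the TTL (widen the Resource to the stage, or lower the TTL, deliberately rather than by accident); and the `context` values are what the backend sees as the authenticated identity, so the backend should trust those rather than re-reading the Authorization header itself.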

 

[ Cognito User Pools ]

- Cognito fully manages user lifecycle

- API gateway verifies identity automatically from AWS Cognito

- No custom implementation required

- Cognito only helps with authentication, not authorization

- You manage your own user pool (can be backed by Facebook, Google login etc..)

- No need to write any custom code

- Must implement authorization in the backend

 

※ Authentication vs Authorization

Authentication : identify and verify the user (check who he is)

Authorization : check whether the user is requesting an action they are permitted to perform (check if he can access)

 

Related post on Cognito

 
