Guidance on securing REST api for third party access

Serverless Architectures
,
1

Hello, sorry if this question seems a bit noobish but I am looking for a solution to set up authorization for a specific use case.

In the application I am currently developing, normal users will use cognito user pools to access a GraphQL endpoint and the usual sign up/sign in/ forgot password functionalities will be required. No surprise there.

There are several other endpoints which will NOT be accessible to normal users, but only to external partners.
We do not need to store information such as emails, phone, … In a sense, our ‘users’ in this case are companies, which would use a single shared account. Knowing which partner pushed which information could be done via the accountId present in the http headers.
For this specific use case, I was thinking about simply using an aws_iam account with a very restricted set of policies to call our protected functions, along with a aws_iam authorizer.

Does this seem like a workable solution? Is there another authorizer solution which seem like a better fit for the second use case?

2

That’s how I’ve been doing it.
API’s that back out Web App use the cognito authorizer like so:

  getStuff:
    handler: app/get.handler
    events:
      - http:
          path: /stuff/{id}
          method: get
          cors: true
          authorizer:
            arn: ${self:custom.user-pool-arn}

And REST APi’s that I expose to our partners for automation integrations use IAM credentialss and the aws_iam authorizer like so:

  getOtherStuff:
    handler: api/get.handler
    events:
      - http:
          path: /restapi/v1/stuff/{id}
          method: get
          cors: true
          authorizer: aws_iam
          private: true

Hope it helps.