aws-cognito-apigateway-lambda - AWS Solutions Constructs
OverviewPattern Construct PropsPattern PropertiesDefault settingsArchitectureGithub

aws-cognito-apigateway-lambda

Stability:Stable
Reference Documentation: https://docs.aws.amazon.com/solutions/latest/constructs/
Language Package

Python Logo Python

aws_solutions_constructs.aws_cognito_apigateway_lambda

Typescript Logo Typescript

@aws-solutions-constructs/aws-cognito-apigateway-lambda

Java Logo Java

software.amazon.awsconstructs.services.cognitoapigatewaylambda

Overview

This AWS Solutions Construct implements an Amazon Cognito securing an Amazon API Gateway Lambda backed REST APIs pattern.

Here is a minimal deployable pattern definition:

Typescript
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CognitoToApiGatewayToLambda } from '@aws-solutions-constructs/aws-cognito-apigateway-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new CognitoToApiGatewayToLambda(this, 'test-cognito-apigateway-lambda', {
  lambdaFunctionProps: {
    code: lambda.Code.fromAsset(`lambda`),
    runtime: lambda.Runtime.NODEJS_20_X,
    handler: 'index.handler'
  }
});
Python
from aws_solutions_constructs.aws_cognito_apigateway_lambda import CognitoToApiGatewayToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

CognitoToApiGatewayToLambda(self, 'test-cognito-apigateway-lambda',
                            lambda_function_props=_lambda.FunctionProps(
                                code=_lambda.Code.from_asset('lambda'),
                                runtime=_lambda.Runtime.PYTHON_3_11,
                                handler='index.handler'
                            )
                            )
Java
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.cognitoapigatewaylambda.*;

new CognitoToApiGatewayToLambda(this, "test-cognito-apigateway-lambda",
        new CognitoToApiGatewayToLambdaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_20_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .build());

If you are defining resources and methods on your API (e.g. proxy = false), then you must call addAuthorizers() after the API is fully defined to ensure every method is protected. Here is an example:

Typescript
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CognitoToApiGatewayToLambda } from '@aws-solutions-constructs/aws-cognito-apigateway-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const construct = new CognitoToApiGatewayToLambda(this, 'test-cognito-apigateway-lambda', {
    lambdaFunctionProps: {
        code: lambda.Code.fromAsset(`lambda`),
        runtime: lambda.Runtime.NODEJS_20_X,
        handler: 'index.handler'
    },
    apiGatewayProps: {
        proxy: false
    }
});

const resource = construct.apiGateway.root.addResource('foobar');
resource.addMethod('POST');

// Mandatory to call this method to Apply the Cognito Authorizers on all API methods
construct.addAuthorizers();
Python
from aws_solutions_constructs.aws_cognito_apigateway_lambda import CognitoToApiGatewayToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    aws_apigateway as api,
    Stack
)
from constructs import Construct
from typing import Any

# Overriding LambdaRestApiProps with type Any
gateway_props = dict[Any, Any]

construct = CognitoToApiGatewayToLambda(self, 'test-cognito-apigateway-lambda',
                                        lambda_function_props=_lambda.FunctionProps(
                                            code=_lambda.Code.from_asset(
                                                'lambda'),
                                            runtime=_lambda.Runtime.PYTHON_3_11,
                                            handler='index.handler'
                                        ),
                                        api_gateway_props=gateway_props(
                                            proxy=False
                                        )
                                        )

resource = construct.api_gateway.root.add_resource('foobar')
resource.add_method('POST')

# Mandatory to call this method to Apply the Cognito Authorizers on all API methods
construct.add_authorizers()
Java
import software.constructs.Construct;

import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

import software.amazon.awscdk.*;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.apigateway.IResource;
import software.amazon.awsconstructs.services.cognitoapigatewaylambda.*;

// Overriding LambdaRestApiProps with type Any
Map<String, Optional<?>> gatewayProps = new HashMap<String, Optional<?>>();
gatewayProps.put("proxy", Optional.of(false));

final CognitoToApiGatewayToLambda construct = new CognitoToApiGatewayToLambda(this,
        "test-cognito-apigateway-lambda",
        new CognitoToApiGatewayToLambdaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_20_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .apiGatewayProps(gatewayProps)
                .build());

final IResource resource = construct.getApiGateway().getRoot().addResource("foobar");
resource.addMethod("POST");

// Mandatory to call this method to Apply the Cognito Authorizers on all API methods
construct.addAuthorizers();

Pattern Construct Props

Name Type Description

existingLambdaObj?

lambda.Function

Existing instance of Lambda Function object, providing both this and lambdaFunctionProps will cause an error.

lambdaFunctionProps?

lambda.FunctionProps

User provided props to override the default props for the Lambda function.

apiGatewayProps?

api.LambdaRestApiProps

Optional user provided props to override the default props for API Gateway

cognitoUserPoolProps?

cognito.UserPoolProps

Optional user provided props to override the default props for Cognito User Pool

cognitoUserPoolClientProps?

cognito.UserPoolClientProps

Optional user provided props to override the default props for Cognito User Pool Client

logGroupProps?

logs.LogGroupProps

User provided props to override the default props for for the CloudWatchLogs LogGroup.

Pattern Properties

Name Type Description

userPool

cognito.UserPool

Returns an instance of cognito.UserPool created by the construct

userPoolClient

cognito.UserPoolClient

Returns an instance of cognito.UserPoolClient created by the construct

apiGateway

api.RestApi

Returns an instance of api.RestApi created by the construct

apiGatewayCloudWatchRole?

iam.Role

Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.

apiGatewayLogGroup

logs.LogGroup

Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.

apiGatewayAuthorizer

api.CfnAuthorizer

Returns an instance of the api.CfnAuthorizer created by the construct for API Gateway methods authorization.

lambdaFunction

lambda.Function

Returns an instance of lambda.Function created by the construct

Default settings

Out of the box implementation of the Construct without any override will set the following defaults:

Amazon Cognito

  • Set password policy for User Pools

  • Enforce the advanced security mode for User Pools

Amazon API Gateway

  • Deploy an edge-optimized API endpoint

  • Enable CloudWatch logging for API Gateway

  • Configure least privilege access IAM role for API Gateway

  • Set the default authorizationType for all API methods to Cognito User Pool

  • Enable X-Ray Tracing

AWS Lambda Function

  • Configure limited privilege access IAM role for Lambda function

  • Enable reusing connections with Keep-Alive for NodeJs Lambda function

  • Enable X-Ray Tracing

  • Set Environment Variables

    • AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

Architecture

Diagram showing data flow between AWS services including Cognito, API Gateway, Lambda, CloudWatch and IAM Roles

Github

Go to the Github repo for this pattern to view the code, read/create issues and pull requests and more.