Custom authorizer vs Cognito - authentication for amazon api gateway - Web application

0 votes

I have been making a web app (Angular 2 on S3 and APIs in Lambda through API Gateway). For authentication I played with both Cognito and a custom authorizer (I configured my authentication to work with Google and Facebook both via a custom authorizer and Cognito). In the case of the custom authorizer, I am passing a token via the Authorization header and my custom authorizer validates it.

I am looking for advice on which should I go forward with and what are their pros and cons. Ones that I could think of are:

AWS Cognito:

Pros:

  1. AWS SDK handles everything for you and you cannot make many mistakes in your authentication process.
  2. Fine grained access control for AWS resources via IAM.
  3. An extra Lambda function in front of every API is not required for authentication.

Cons:

  1. Need to use AWS SDK specifically on client side. Programmers have to add this into their toolchain and make use of it during development. Adds extra complexity.
  2. Fine grained access control for resources is not really required since the only access that is required is for API Gateway.

Custom authorizer:

Pros:

  1. You can have your authentication mechanism the way you want it. Ultimate control over authentication and authorization.
  2. You can have the UI call the APIs with a standard token (JWT) and the flow for developers remains the same. No extra consideration of AWS SDK.

Cons:

  1. Authentication requires a lot of thinking and effort to build.
  2. Chances of missing some crucial aspects are always there.
  3. It's like reinventing the wheel. Why do it when Amazon has already done it for you?

All that being said, I am leaning towards custom authorizer for now. Need advice here on the topic.

PS: I know there cannot be a definite answer to the question I have posted but it would be of great help to people trying to decide on authentication for their applications.

Sep 24, 2018 in AWS by bug_seeker
• 15,390 points

1 answer to this question.

0 votes

Okay, authentication and security are indeed hard, and there are a lot of issues that have been thought about and taken care of by the AWS security team that you may not think of and implement, and so make your application insecure. I implemented my custom authorizer to expect an authorization token (passed through the Authorization header) that was a base64-encoded value which would repeat across all the requests in a session. It turns out that due to weaknesses in RC4 and Diffie-Hellman this makes the TLS susceptible to attack. If we simply use Cognito with IAM, then AWS SigV4 request signing protects you from these weaknesses. Watch for more details.

Another benefit of using Cognito/IAM is that it protects you against CSRF replay attacks. Request signing involves using a timestamp. IAM will deny any requests that were signed more than ~5 minutes ago.

In short, avoid using a custom authorizer if you can and use IAM with Cognito.

answered Sep 24, 2018 by Priyaj
• 57,530 points
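
An added example, not part of the answer above and not AWS's SigV4 implementation: a simplified timestamped HMAC request-signing check, showing how binding a signature to the request and a timestamp limits replay in a way that a static token repeated across requests does not. The secret, path, timestamps and function names are constructed for illustration.

```python
import hashlib
import hmac

MAX_SKEW_SECONDS = 300  # about 5 minutes, the window the answer cites


def sign_request(secret: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """Client side: bind the signature to this exact request and this moment."""
    body_hash = hashlib.sha256(body).hexdigest()
    string_to_sign = "\n".join([method.upper(), path, str(timestamp), body_hash])
    return hmac.new(secret, string_to_sign.encode(), hashlib.sha256).hexdigest()


def verify_request(secret, method, path, body, timestamp, signature, now):
    """Server side: return (allowed, reason) for one incoming request."""
    # Reject anything signed outside the freshness window before doing crypto.
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_request(secret, method, path, body, timestamp)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Run four constructed cases against one captured, validly signed request."""
    secret = b"constructed-demo-secret"  # constructed value, never hard-code real keys
    t0 = 1_537_800_000                   # constructed signing time (epoch seconds)
    body = b'{"item": 1}'
    sig = sign_request(secret, "POST", "/orders", body, t0)
    args = (secret, "POST", "/orders")
    return {
        # Legitimate request arriving 10 seconds after signing.
        "fresh": verify_request(*args, body, t0, sig, now=t0 + 10),
        # Same bytes resent 10 minutes later: outside the window.
        "replayed_late": verify_request(*args, body, t0, sig, now=t0 + 600),
        # Timestamp header rewritten to look fresh: signature no longer matches.
        "timestamp_rewritten": verify_request(*args, body, t0 + 600, sig, now=t0 + 600),
        # Body changed in transit: signature no longer matches.
        "body_tampered": verify_request(*args, b'{"item": 2}', t0, sig, now=t0 + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A request replayed inside the window still verifies in this sketch, so the timestamp narrows the replay window rather than closing it.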
