Home > Software design >  Amazon Cognito and Application specific authorization logic to access Amazon CloudFront content
Amazon Cognito and Application specific authorization logic to access Amazon CloudFront content

Time:02-22

I'd like to protect Amazon CloudFront content with my custom application specific authorization logic.

For example, for authentication purpose I may use Amazon Cognito and Amazon CloudFront with AWS Lambda@Edge approach which will inspect every incoming request to CloudFront and ensure that request has a valid JWT token.

But how about the authorization part?

According to the application business logic, every single authenticated user should not have the access to the same resources.

How and where to check that a user with a valid JWT token has the access (according to the application business logic) to the requested Amazon CloudFront content?

Should such authorization logic be included in the Lambda@Edge handler also?

CodePudding user response:

Yeah, the Lambda@Edge can be used to authorize the user to access a resource behind CloudFront.

And the authorization can be done with the Amazon Cognito User Pool service.

You flow will be similar the following one:

enter image description here

Here is a example of how to this: Secure Your Static Website with AWS CloudFront and Lambda

Check this blogpost to understand more about this process: Authorization@Edge Protect your Amazon CloudFront content from being downloaded by unauthenticated users.

  • Related