Customers who front their APIs with an Amazon Cognito user pool authorizer rely on that authorizer to enforce access control, so it should be exercised regularly rather than assumed to work. Amazon CloudWatch Synthetics offers a way to do this proactively: a scheduled canary that authenticates as a real user and calls the protected API, alerting when either step stops working.
The post begins with a step-by-step guide to writing the canary script for the case where the Cognito app client is a confidential client, that is, an app client created with a client secret. The canary authenticates against the Cognito user pool and uses the token it receives to call the API.
The article walks through creating an Amazon API Gateway GET method protected by an Amazon Cognito user pool authorizer, with the app client secret stored in AWS Secrets Manager. A CloudWatch Synthetics canary retrieves the client secret, authenticates against Amazon Cognito, obtains a JWT, and presents it to the protected API Gateway method.
The setup covers creating the API Gateway instance, configuring an authorizer linked to the Cognito user pool, and pointing the method's integration at an external HTTP endpoint as a proxy. A Secrets Manager secret is then created holding the user pool app client details and the other values the canary needs.
Next come the IAM policy and execution role for the canary, which grant it read access to that secret. In practice the policy should scope secretsmanager:GetSecretValue to the ARN of this one secret rather than to all secrets, since the canary needs nothing else. The canary is then created so that it authenticates with the stored credentials, retrieves a JWT, and tests access to the API Gateway URL.
The process includes a walkthrough of creating the canary in CloudWatch Synthetics, checking that the API Gateway method actually requires authorization, and verifying that the canary's authenticated request to the API succeeds.
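The following Python canary script is an added example written for this summary; it is not the code from the original post, whose canary may differ. It assumes a secret whose JSON holds client_id, client_secret, username and password, an app client with the USER_PASSWORD_AUTH flow enabled, the API URL, secret ID and region supplied as canary environment variables, and the Synthetics Python runtime's handler(event, context) entry point. The part a practitioner most often gets wrong is shown in full: a confidential client must send SECRET_HASH, the Base64 HMAC-SHA256 of username plus client ID keyed with the client secret, or InitiateAuth is rejected. The script also checks both halves of the authorizer's behaviour, a bare request must get 401 and the token must get 200.

```python
import base64
import hashlib
import hmac
import json
import os
import urllib.error
import urllib.request

# Constructed fixture for local use; a deployed canary reads this JSON from
# Secrets Manager instead. None of these are real AWS identifiers.
SAMPLE_SECRET = {
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",
    "username": "canary-user@example.com",
    "password": "example-password",
}


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH required by Cognito for app clients that have a secret:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    msg = (username + client_id).encode("utf-8")
    digest = hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def initiate_auth_params(secret: dict) -> dict:
    """Parameters for cognito-idp InitiateAuth using the USER_PASSWORD_AUTH flow
    (the app client must have ALLOW_USER_PASSWORD_AUTH enabled)."""
    return {
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": secret["client_id"],
        "AuthParameters": {
            "USERNAME": secret["username"],
            "PASSWORD": secret["password"],
            "SECRET_HASH": secret_hash(
                secret["username"], secret["client_id"], secret["client_secret"]
            ),
        },
    }


def fetch_id_token(secret_id: str, region: str) -> str:
    """Read the app client secret and test user credentials from Secrets Manager
    and exchange them for an ID token. boto3 is imported inside the function so
    the pure helpers above can be exercised without the AWS SDK installed."""
    import boto3

    sm = boto3.client("secretsmanager", region_name=region)
    secret = json.loads(sm.get_secret_value(SecretId=secret_id)["SecretString"])
    idp = boto3.client("cognito-idp", region_name=region)
    result = idp.initiate_auth(**initiate_auth_params(secret))
    # A Cognito authorizer with no OAuth scopes configured validates the ID token.
    return result["AuthenticationResult"]["IdToken"]


def authorization_header(token: str) -> dict:
    """The header a Cognito authorizer reads by default
    (identity source method.request.header.Authorization)."""
    return {"Authorization": token}


def http_status(url: str, headers: dict) -> int:
    """GET the URL and return the status code, including the 4xx/5xx codes
    that urllib surfaces as HTTPError."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def evaluate(unauth_status: int, auth_status: int) -> dict:
    """Both halves of the check: the method must reject a request with no token
    (API Gateway answers 401) and must accept the canary's token."""
    return {
        "rejects_unauthenticated": unauth_status == 401,
        "accepts_authenticated": auth_status == 200,
        "ok": unauth_status == 401 and auth_status == 200,
    }


def check_api(url: str, token: str) -> dict:
    return evaluate(http_status(url, {}), http_status(url, authorization_header(token)))


def handler(event, context):
    """Canary entry point (Synthetics Python runtime signature assumed).
    API_URL, SECRET_ID and REGION are assumed canary environment variables."""
    token = fetch_id_token(os.environ["SECRET_ID"], os.environ["REGION"])
    outcome = check_api(os.environ["API_URL"], token)
    if not outcome["ok"]:
        # Raising fails the canary run, which is what triggers the alarm.
        raise RuntimeError(f"authorization check failed: {outcome}")
    return outcome
```

Two caveats worth keeping in mind when adapting this. First, if the authorizer is configured with OAuth scopes, API Gateway validates the access token rather than the ID token, so the canary must send AccessToken instead. Second, the 401 check is what turns the canary from an availability probe into an authorization test: a canary that only confirms the authenticated call works would keep passing if someone removed the authorizer from the method.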
Exploring canary logs and cleaning up resources are also covered in detail, providing guidance on deleting the canary, API Gateway setup, Cognito User Pool, and Secrets Manager entries.
In conclusion, the blog post emphasizes the importance of continuously testing Cognito-protected API Gateway APIs that use confidential clients. By having a CloudWatch Synthetics canary authenticate with credentials held in Secrets Manager, users can verify on a schedule that access control on the API is still enforced. The authors, Glenn Chia Jin Wee and Matheus Canela, share their expertise in cloud architecture and solutions architecture, respectively, offering valuable insights for API testing and security measures.
Article Source
https://aws.amazon.com/blogs/mt/testing-amazon-cognito-backed-apis-using-amazon-cloudwatch-synthetics/