Thursday, December 8, 2022

Problem Statement: An application intends to use S3 for storing and retrieving documents uploaded by users who are not yet onboarded to the application. An external identity provider can confirm that a user is valid, but the serverless function must authenticate and authorize their requests before each upload and download.

Solution:  

The solution centres on creating a user pool that integrates with a third-party identity provider. This gives a high degree of flexibility in choosing appropriate access management for an Application Gateway, which can then be used to onboard existing users, support robust operations (troubleshooting), and speed up development of the serverless capability. Two options were considered for this authentication module pilot:

  1. AWS Cognito user pool authorizer for Lambda functions fronted by Application Gateway: an IdP-agnostic option using tools the team is already familiar with. The benefit is that all serverless access is consolidated behind Application Gateway, letting the team focus on building serverless capabilities in Lambda functions with little operational overhead.

  2. AWS custom Lambda authorizer: a custom authorizer that uses the user pool to control access to serverless functions via Application Gateway. The benefit is greater control over the issuing of identity and access tokens, at the cost of a larger maintenance burden for the team.
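The check the team would own under option 2, and which the Cognito user pool authorizer performs on the team's behalf under option 1, as an added example that is not part of the original post: it validates a Cognito-style RS256 access token (algorithm pin, signature, issuer, app client, token_use, expiry) before any upload or download is allowed. The signing key is generated locally as a stand-in for the user pool's published JWKS key, and the issuer and app client values are placeholders; a deployed authorizer would fetch the pool's JWKS and select the key by the token's kid, which this example omits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
type Claims struct { // Cognito access-token claims the authorizer checks; names follow Cognito's token format
	Iss      string `json:"iss"`       // https://cognito-idp.<region>.amazonaws.com/<user pool id>
	ClientID string `json:"client_id"` // app client the token was issued to
	TokenUse string `json:"token_use"` // "access" or "id"
	Exp      int64  `json:"exp"`       // Unix seconds
}
var b64 = base64.RawURLEncoding
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] } // SHA-256 of the signing input
// Verify is what a hand-written Lambda authorizer must do itself and what the Cognito user pool authorizer does
// for you: accept only RS256, verify the signature with the pool's key, then check issuer, client, token_use, expiry.
func Verify(token string, pub *rsa.PublicKey, issuer, clientID string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg") // pin the algorithm before the signature is examined
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil ||
		c.Iss != issuer || c.ClientID != clientID || c.TokenUse != "access" || now >= c.Exp {
		return nil, errors.New("claims rejected") // wrong pool, wrong app client, id token used as access token, or expired
	}
	return &c, nil
}
// Sign stands in for the user pool's signing step with a constructed key so the example runs offline.
func Sign(c Claims, priv *rsa.PrivateKey) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + b64.EncodeToString(sig)
}
```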

Given these choices, the Cognito user pool authorizer is preferred for the following reasons.  

  • S3 access through AWS services such as Lambda and Application Gateway integrates well with Cognito, which supports external identity providers and works with both identity and access tokens. The less overhead and maintenance the development team carries, the more it can focus on the serverless functions and the S3 access itself. 

  • Cognito user pool authorizers provide smoother onboarding of existing and new user pools. 

  • The proposed user pool authorizer integrates with third-party OIDC and OAuth2 providers with little overhead. 

  • Overall, the Cognito user pool authorizer is an out-of-the-box technology with extensive documentation, examples, and community support. 

That said, both authorizers are strong contenders: they offer many of the same benefits and, as core AWS technologies, are superior to any ad hoc implementation of an authorization module. Specifically, both: 

  • Authorize identity and access tokens 

  • Can be used to enable access to S3 

  • Come with extensive documentation and community support 

  • Integrate strongly with applications that use REST APIs 
