# Securing REST APIs with Amazon Cognito: A Step-by-Step Guide

Security in internet-facing or local applications is one of the most challenging parts of the software development life cycle. This post will provide a quick step-by-step guide to implementing access management for [the previous REST API](https://blog.wilsonkomlan.com/step-by-step-guide-to-using-lambda-proxy-integrations-in-amazon-api-gateway) using [Amazon Cognito](https://aws.amazon.com/cognito/).

# Prerequisites

You need to have an [**AWS account**](https://console.aws.amazon.com/console/home). If you are new to AWS, they offer a 12-month free tier account where you can explore many services as a developer.

## **Create an Amazon Cognito User Pool**

Please refer to [this article](https://blog.wilsonkomlan.com/how-to-secure-spring-boot-rest-api-endpoints-with-amazon-cognito) in the ***Create Amazon Cognito User Pool*** section to create a Cognito User Pool, note the **Cognito User Pool ID** and the App **Client ID**, and then continue with the following section.

# Enable endpoint access management in API Gateway

As you can see, any frontend or API caller can currently send requests to [these REST API endpoints](https://blog.wilsonkomlan.com/step-by-step-guide-to-using-lambda-proxy-integrations-in-amazon-api-gateway) without presenting an access token in the request header. We will close that gap with a JWT authorizer backed by the Amazon Cognito User Pool created earlier. Note that JWT authorizers are a feature of API Gateway HTTP APIs (the **Route details** view used below belongs to an HTTP API); an API Gateway REST API would use a Cognito user pool authorizer instead.

Let us open the API Gateway created in [this article](https://blog.wilsonkomlan.com/step-by-step-guide-to-using-lambda-proxy-integrations-in-amazon-api-gateway).

* Select a method (for instance ***POST*** (1)), then, in the **Route details** section, click the ***Attach authorization*** button (2).
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1724797615137/52598d9c-147c-4e3d-949d-bd89809bc3a1.png align="center")

* On the **Authorization** page, ensure the method is still selected and click the ***Create and attach an authorizer*** button (1).
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1724797982787/9a96589b-581f-4763-899c-cc681660db95.png align="center")

* On the **Create authorizer** page, choose the **Authorizer type**: ***JWT*** (1), and provide the authorizer settings: ***Name***: *CRUD-API-COGNITO-AUTH* (2), ***Identity source***: *$request.header.Authorization* (3), ***Issuer URL***: `https://cognito-idp.[region].amazonaws.com/[userPoolId]` (4), where `[region]` is the AWS region the user pool lives in (for example `eu-west-1`) and `[userPoolId]` is the **Cognito User Pool ID** noted earlier. For the ***Audience*** field, first click the ***Add Audience*** button, then provide the ***Client ID*** (5) noted while creating the Amazon Cognito User Pool. Click the ***Create and attach*** button to attach the newly created authorizer to the API route method. From then on, API Gateway fetches the pool's signing keys from `[Issuer URL]/.well-known/jwks.json`, verifies the token signature, and checks that `iss` equals the issuer URL, that `aud` (ID tokens) or `client_id` (access tokens) matches one of the configured audiences, and that the token is inside its `exp`/`nbf` window; a request that fails any of these is rejected with `401` before the Lambda function is invoked.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1724798028722/d2cc4bdf-f458-427c-99f6-f59c690a3e8d.png align="center")

* To attach the existing authorizer to another method, select the method, then in the **Route details** section, click the ***Attach authorization*** button. Choose the ***existing authorizer*** (1) and click the ***Attach authorizer*** button (2). Authorization is attached per route, and any route left without an authorizer stays publicly callable, so repeat this for every remaining route that must be protected.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1724801382892/6254ec05-8a28-486d-bd54-8330a67555cd.png align="center")
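To make the procedure above concrete, here is an added example (not code from the post) that reproduces, offline, the two halves of the resulting request flow: the claim checks the JWT authorizer applies to the token taken from `$request.header.Authorization`, and a Lambda proxy handler that reads the claims API Gateway forwards and enforces authorization on top of them. The region, user pool ID, app client ID, `admins` group and `/items` route are assumptions, and the tokens are constructed with a placeholder signature: real Cognito tokens are RS256-signed and API Gateway verifies that signature against the issuer's JWKS before looking at any claim, a step this standard-library-only example leaves out.

```python
"""Added example (not code from the post): what the JWT authorizer checks on
the token it pulls from $request.header.Authorization, and how the Lambda proxy
function behind it can use the forwarded claims. Runs offline with the standard
library; tokens below are constructed and unsigned (see make_token)."""
import base64
import json
import time
from typing import Optional, Set, Tuple

# Constructed values for the example; use your own region, pool ID and client ID.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"   # assumption
APP_CLIENT_ID = "1example23456789"   # assumption: the app client ID given as Audience
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
ADMIN_GROUP = "admins"               # assumption: a group defined in the user pool


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a test token with a placeholder signature. Real Cognito tokens are
    RS256-signed; API Gateway verifies that signature against the keys at
    {ISSUER}/.well-known/jwks.json before it looks at any claim. That step
    needs RSA, so it is left out of this offline example."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def token_from_header(authorization: Optional[str]) -> Optional[str]:
    """Identity source $request.header.Authorization: expects 'Bearer <token>'."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def check_claims(token: str, issuer: str, audiences: Set[str],
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """The claim checks the authorizer applies after signature verification:
    iss must equal the Issuer URL, aud (ID token) or client_id (access token)
    must be one of the configured audiences, and exp/nbf must bracket now."""
    now = time.time() if now is None else now
    try:
        _, payload_b64, _ = token.split(".")
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad segment count, bad base64, bad UTF-8 or bad JSON
        return False, "malformed token"
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        return False, "issuer mismatch"
    if (claims.get("aud") or claims.get("client_id")) not in audiences:
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return False, "token expired"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    return True, "ok"


def groups_from_claim(value) -> Set[str]:
    """cognito:groups is an array inside the token, but API Gateway forwards array
    claims to the integration as a string such as "[admins users]"; accept both."""
    if value is None:
        return set()
    if isinstance(value, list):
        return set(value)
    return set(str(value).strip("[]").split())


def lambda_handler(event: dict, context=None) -> dict:
    """Lambda proxy handler for the HTTP API 2.0 payload. API Gateway has already
    authenticated the caller; the claims it forwards are used here for
    authorization (who may do what), which the authorizer does not decide."""
    claims = (event.get("requestContext", {}).get("authorizer", {})
              .get("jwt", {}).get("claims"))
    if not claims:
        # Only reachable if this route was deployed without the authorizer attached.
        return {"statusCode": 401, "body": json.dumps({"message": "route is missing its authorizer"})}
    method = event["requestContext"]["http"]["method"]
    if method == "DELETE" and ADMIN_GROUP not in groups_from_claim(claims.get("cognito:groups")):
        return {"statusCode": 403, "body": json.dumps({"message": "DELETE requires the admins group"})}
    return {"statusCode": 200, "body": json.dumps({"sub": claims.get("sub"), "method": method})}


def make_event(method: str, claims: Optional[dict] = None) -> dict:
    """Constructed HTTP API 2.0 event; the authorizer context is present only when
    claims are given (a route with, versus without, the authorizer attached)."""
    event = {"version": "2.0", "routeKey": f"{method} /items",
             "requestContext": {"http": {"method": method, "path": "/items"}}}
    if claims is not None:
        event["requestContext"]["authorizer"] = {"jwt": {"claims": claims, "scopes": None}}
    return event
```

The split of responsibilities is the point: the authorizer proves the token was issued by this user pool for this app client and is still valid, and nothing more. Whether the caller may delete an item is a decision for the function, which is why the handler reads `cognito:groups` (or `sub`, or custom claims) from `requestContext.authorizer.jwt.claims` rather than trusting anything the client sends in the body.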

### Test and Wrap-Up

Follow the **Test and Recap** section of [this article](https://blog.wilsonkomlan.com/step-by-step-guide-to-using-lambda-proxy-integrations-in-amazon-api-gateway) and the **Test the Rest API** section of [this article](https://blog.wilsonkomlan.com/how-to-secure-spring-boot-rest-api-endpoints-with-amazon-cognito) to test what we have implemented.

This guide walks through implementing access management for a REST API using Amazon Cognito. Instructions include creating a Cognito User Pool, enabling endpoint access management in API Gateway, and configuring JWT token authorizers for secure token-based access. Follow these steps to protect your API endpoints effectively.

Thanks for reading 😊. Your suggestions and comments are welcome. Akpé kaka 🙏!
