70 %

Toast is in Beta!Learn more →

Chris Biscardi

Which AWS Appsync Authorization mode should you use?

There are four authorization modes you can use with AWS AppSync. You probably want to use IAM with an Identity Pool for "fullest security". COGNITO_USER_POOL is a solid option for less complex applications as well.

  • COGNITO_USER_POOL
  • IAM
  • API_KEY
  • OPENID_CONNECT

COGNITO_USER_POOL

When you have a less complex use case and aren't using Identity Pools to lock down user access to resources using per-user IAM roles. (Your lambdas still need access to your resources).

IAM

You have per-user IAM roles and want to use those instead of lambda-wide IAM roles. You can use the user's IAM role instead of the lambda's to see if a user can access DynamoDB (for example).

API_KEY

Good for testing and prototyping. You only get 50 API keys per AppSync API, so it's better to go to production with a different option

OPENID_CONNECT

If you're using a third party provider such as Auth0, you may want to use this option to integrate with Auth0.