How to access the AWS APIGateway based on the cognito user pool group roles
I created a user pool and added 2 user groups. I registered 2 users and attached them to different groups. The groups have different roles: one role has a policy that can execute the Lambda function with the resource GET /countries, and the other role has a policy that can execute the Lambda function with the resource POST /countries. But both users can access both resources by passing the ID token as the Authorization header.
I used policies like:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-west-1:12098989898:sdsds56ffdf/*/GET/countries"
    }
  ]
}
```
Do I need to add any conditions to the policy? Why can the users access both resources? How can we restrict access based on the user pool groups?
Solution 1:[1]
The default Cognito authorizer that you used only checks if the token is valid and belongs to the correct user pool. If you want to check for the group as well, you can use a custom Lambda authorizer that passes the token to Cognito using the SDK and checks what group the user belongs to.
Or you can change the authorizer a bit to make it send the group name to the backend, where you can make a conditional check.
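The following is an added example (not code from the question or the answer above) of the custom Lambda authorizer approach the answer describes: a TOKEN authorizer that reads the `cognito:groups` claim of the Cognito ID token, looks up which method/resource pairs each group may call, and returns an IAM policy allowing or denying only the method ARN being invoked. The group names (`countries-readers`, `countries-writers`), the account id and API id in the test ARN, and the `make_unsigned_demo_token` helper are constructed for this example. The example assumes the token's signature and expiry have already been verified against the user pool's JWKS (for example with PyJWT or python-jose) before the claims are trusted; it does not perform that verification itself.

```python
import base64
import json

# Group -> set of (HTTP method, resource path) pairs the group may invoke.
# Constructed mapping for this example; in a real deployment it would mirror
# the permissions you intend each user pool group to have.
GROUP_PERMISSIONS = {
    "countries-readers": {("GET", "countries")},
    "countries-writers": {("POST", "countries")},
}


def decode_claims(id_token):
    """Return the payload claims of a JWT.

    This only base64url-decodes the middle segment. It assumes the signature
    and expiry were already verified against the user pool's JWKS; an
    authorizer must never act on unverified claims.
    """
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("malformed JWT")
    payload = segments[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_method_arn(method_arn):
    """Split an API Gateway method ARN into (METHOD, resource path).

    Format: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
    """
    api_part = method_arn.split(":", 5)[5]  # "<api-id>/<stage>/<METHOD>/<path>"
    _api_id, _stage, method, resource = api_part.split("/", 3)
    return method, resource


def build_policy(principal_id, effect, method_arn):
    """Build the response document an API Gateway Lambda authorizer returns."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }


def lambda_handler(event, context=None):
    """TOKEN authorizer entry point: Allow only if one of the caller's groups
    grants the exact method and resource being invoked, otherwise Deny."""
    token = event["authorizationToken"]
    if token.lower().startswith("bearer "):
        token = token[7:]
    claims = decode_claims(token)
    groups = claims.get("cognito:groups", [])  # absent when user is in no group
    method, resource = parse_method_arn(event["methodArn"])
    allowed = any(
        (method, resource) in GROUP_PERMISSIONS.get(group, set()) for group in groups
    )
    effect = "Allow" if allowed else "Deny"
    return build_policy(claims.get("sub", "anonymous"), effect, event["methodArn"])


def make_unsigned_demo_token(claims):
    """Constructed, unsigned JWT (header.payload.) for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


if __name__ == "__main__":
    # Constructed sample: a reader trying GET and then POST on /countries.
    reader_token = make_unsigned_demo_token(
        {"sub": "user-1", "cognito:groups": ["countries-readers"]}
    )
    for arn in (
        "arn:aws:execute-api:us-west-1:123456789012:abc123/prod/GET/countries",
        "arn:aws:execute-api:us-west-1:123456789012:abc123/prod/POST/countries",
    ):
        result = lambda_handler({"authorizationToken": "Bearer " + reader_token, "methodArn": arn})
        print(arn.rsplit("/", 2)[-2], result["policyDocument"]["Statement"][0]["Effect"])
```

Because the policy is scoped to the single `methodArn` being invoked, a cached authorizer result for one token cannot be reused to reach a different method; if you instead return a broader `Resource`, remember that API Gateway caches the returned policy per token for the authorizer's TTL.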
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Adam |
