🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more
Socket
DemoInstallSign in
Socket
DemoInstallSign in

@aws-solutions-constructs/aws-cognito-apigateway-lambda

Package Overview
Dependencies
Maintainers
0
Versions
249
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@aws-solutions-constructs/aws-cognito-apigateway-lambda

CDK Constructs for AWS Cognito to AWS API Gateway to AWS Lambda integration

2.79.0
Source
npm
Version published
Weekly downloads
175
-57.73%
Maintainers
0
Weekly downloads
 
Created
Source

aws-cognito-apigateway-lambda module

Stability: Experimental

All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.

Reference Documentation:https://docs.aws.amazon.com/solutions/latest/constructs/
LanguagePackage
Python Logo Pythonaws_solutions_constructs.aws_cognito_apigateway_lambda
Typescript Logo Typescript@aws-solutions-constructs/aws-cognito-apigateway-lambda
Java Logo Javasoftware.amazon.awsconstructs.services.cognitoapigatewaylambda

Overview

This AWS Solutions Construct implements an Amazon Cognito securing an Amazon API Gateway Lambda backed REST APIs pattern.

Here is a minimal deployable pattern definition:

Typescript

import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CognitoToApiGatewayToLambda } from '@aws-solutions-constructs/aws-cognito-apigateway-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new CognitoToApiGatewayToLambda(this, 'test-cognito-apigateway-lambda', {
  lambdaFunctionProps: {
    code: lambda.Code.fromAsset(`lambda`),
    runtime: lambda.Runtime.NODEJS_20_X,
    handler: 'index.handler'
  }
});

Python

from aws_solutions_constructs.aws_cognito_apigateway_lambda import CognitoToApiGatewayToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

CognitoToApiGatewayToLambda(self, 'test-cognito-apigateway-lambda',
                            lambda_function_props=_lambda.FunctionProps(
                                code=_lambda.Code.from_asset('lambda'),
                                runtime=_lambda.Runtime.PYTHON_3_11,
                                handler='index.handler'
                            )
                            )

Java

import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.cognitoapigatewaylambda.*;

new CognitoToApiGatewayToLambda(this, "test-cognito-apigateway-lambda",
        new CognitoToApiGatewayToLambdaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_20_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .build());

If you are defining resources and methods on your API (e.g. proxy = false), then you must call addAuthorizers() after the API is fully defined to ensure every method is protected. Here is an example:

Typescript

import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CognitoToApiGatewayToLambda } from '@aws-solutions-constructs/aws-cognito-apigateway-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const construct = new CognitoToApiGatewayToLambda(this, 'test-cognito-apigateway-lambda', {
    lambdaFunctionProps: {
        code: lambda.Code.fromAsset(`lambda`),
        runtime: lambda.Runtime.NODEJS_20_X,
        handler: 'index.handler'
    },
    apiGatewayProps: {
        proxy: false
    }
});

const resource = construct.apiGateway.root.addResource('foobar');
resource.addMethod('POST');

// Mandatory to call this method to Apply the Cognito Authorizers on all API methods
construct.addAuthorizers();

Python

from aws_solutions_constructs.aws_cognito_apigateway_lambda import CognitoToApiGatewayToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    aws_apigateway as api,
    Stack
)
from constructs import Construct
from typing import Any

# Overriding LambdaRestApiProps with type Any
gateway_props = dict[Any, Any]

construct = CognitoToApiGatewayToLambda(self, 'test-cognito-apigateway-lambda',
                                        lambda_function_props=_lambda.FunctionProps(
                                            code=_lambda.Code.from_asset(
                                                'lambda'),
                                            runtime=_lambda.Runtime.PYTHON_3_11,
                                            handler='index.handler'
                                        ),
                                        api_gateway_props=gateway_props(
                                            proxy=False
                                        )
                                        )

resource = construct.api_gateway.root.add_resource('foobar')
resource.add_method('POST')

# Mandatory to call this method to Apply the Cognito Authorizers on all API methods
construct.add_authorizers()

Java

import software.constructs.Construct;

import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

import software.amazon.awscdk.*;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.apigateway.IResource;
import software.amazon.awsconstructs.services.cognitoapigatewaylambda.*;

// Overriding LambdaRestApiProps with type Any
Map<String, Optional<?>> gatewayProps = new HashMap<String, Optional<?>>();
gatewayProps.put("proxy", Optional.of(false));

final CognitoToApiGatewayToLambda construct = new CognitoToApiGatewayToLambda(this,
        "test-cognito-apigateway-lambda",
        new CognitoToApiGatewayToLambdaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_20_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .apiGatewayProps(gatewayProps)
                .build());

final IResource resource = construct.getApiGateway().getRoot().addResource("foobar");
resource.addMethod("POST");

// Mandatory to call this method to Apply the Cognito Authorizers on all API methods
construct.addAuthorizers();

Pattern Construct Props

NameTypeDescription
existingLambdaObj?lambda.FunctionExisting instance of Lambda Function object, providing both this and lambdaFunctionProps will cause an error.
lambdaFunctionProps?lambda.FunctionPropsUser provided props to override the default props for the Lambda function.
apiGatewayProps?api.LambdaRestApiPropsOptional user provided props to override the default props for API Gateway
cognitoUserPoolProps?cognito.UserPoolPropsOptional user provided props to override the default props for Cognito User Pool
cognitoUserPoolClientProps?cognito.UserPoolClientPropsOptional user provided props to override the default props for Cognito User Pool Client
logGroupProps?logs.LogGroupPropsUser provided props to override the default props for for the CloudWatchLogs LogGroup.

Pattern Properties

NameTypeDescription
userPoolcognito.UserPoolReturns an instance of cognito.UserPool created by the construct
userPoolClientcognito.UserPoolClientReturns an instance of cognito.UserPoolClient created by the construct
apiGatewayapi.RestApiReturns an instance of api.RestApi created by the construct
apiGatewayCloudWatchRole?iam.RoleReturns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.
apiGatewayLogGrouplogs.LogGroupReturns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.
apiGatewayAuthorizerapi.CfnAuthorizerReturns an instance of the api.CfnAuthorizer created by the construct for API Gateway methods authorization.
lambdaFunctionlambda.FunctionReturns an instance of lambda.Function created by the construct

Default settings

Out of the box implementation of the Construct without any override will set the following defaults:

Amazon Cognito

  • Set password policy for User Pools
  • Enforce the advanced security mode for User Pools

Amazon API Gateway

  • Deploy an edge-optimized API endpoint
  • Enable CloudWatch logging for API Gateway
  • Configure least privilege access IAM role for API Gateway
  • Set the default authorizationType for all API methods to Cognito User Pool
  • Enable X-Ray Tracing

AWS Lambda Function

  • Configure limited privilege access IAM role for Lambda function
  • Enable reusing connections with Keep-Alive for NodeJs Lambda function
  • Enable X-Ray Tracing
  • Set Environment Variables
    • AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

Architecture

Architecture Diagram

© Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Keywords

aws
cdk
awscdk
AWS Solutions Constructs
Amazon Cognito
AWS Lambda

FAQs

Package last updated on 18 Mar 2025

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Vite Releases Technical Preview of Rolldown-Vite, a Rust-Based Bundler

Security News

Vite Releases Technical Preview of Rolldown-Vite, a Rust-Based Bundler

Vite releases Rolldown-Vite, a Rust-based bundler preview offering faster builds and lower memory usage as a drop-in replacement for Vite.

By Sarah Gooding  -  May 30, 2025