Securing Your API Gateway-Based REST API with a Custom Lambda-Based Authorizer

In this tutorial, we will explore how to secure your API Gateway-based REST API using a custom Lambda-based authorizer. This method allows you to control access to your API by verifying authorization tokens before granting access to resources.

Introduction

API security is crucial to protect your resources from unauthorized access. In this tutorial, we will set up a custom Lambda-based authorizer that can inspect authorization tokens provided in API requests and determine whether users have permission to access your API.

Prerequisites

Before we get started, ensure you have the following in place:

  • AWS account with appropriate permissions.
  • AWS CLI (Command Line Interface) installed and configured with the necessary IAM (Identity and Access Management) user or role permissions.

The High-Level Workflow

Let’s start by understanding the high-level workflow of how a custom Lambda-based authorizer works in securing your API.

  1. User Makes a Request: When a user makes a request to your API, they provide an authorization token. The token is carried in a request header, the one you configure as the Token Source of the authorizer later in this tutorial.
  2. API Gateway Inspects the Token: The request is sent to your API Gateway endpoint, and before it reaches the actual resource (the API handler), it is first directed to an authorization token handler, called the authorizer.
  3. Authorizer Validation: The authorizer, which is a Lambda function, examines the provided token and checks whether it is valid and if the user has the required permissions to access the requested API.
  4. Response from Authorizer: Based on the token validation, the authorizer generates a policy document. This document specifies whether the user is allowed or denied access to the resource. The policy document is returned to API Gateway.
  5. Resource Access: If the authorizer grants access (policy specifies “allow”), API Gateway forwards the request to the API handler, and the user can access the resource. If access is denied (policy specifies “deny”), API Gateway returns a 403 Forbidden response to the user.

Setting Up Your Custom Authorizer

Now, let’s walk through the process of setting up your custom Lambda-based authorizer using the AWS Console and CLI.

1. Create a Lambda Function for the Authorizer

Start by creating a Lambda function that will serve as your authorizer. You can create it using the AWS Lambda service in the AWS Console. Choose a runtime (e.g., Python 3.7) and set up the basic permissions for your Lambda function.

# Create a Lambda function using the AWS CLI (replace placeholders).
# --handler is "file.function", so lambda_function.lambda_handler points at
# def lambda_handler(...) in lambda_function.py; the code is uploaded as a zip.
# The tutorial mentions Python 3.7, but Lambda no longer accepts that runtime
# for new functions, so use a currently supported one such as python3.12.
aws lambda create-function --function-name YourAuthorizerName --runtime python3.12 --role YourRoleARN --handler lambda_function.lambda_handler --zip-file fileb://YourFunctionCode.zip

Your authorizer function should extract the authorization token from the request, validate it, and generate a policy document with “allow” or “deny” based on the token’s validity and user permissions.
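The following is an added example of such an authorizer in Python, written for this tutorial rather than taken from it or from AWS. It assumes a TOKEN-type authorizer, so API Gateway delivers the header value as event["authorizationToken"] together with the methodArn of the requested method. The token format is constructed for the example (base64url JSON claims, signed with HMAC-SHA256 under a shared secret); in practice you would verify tokens issued by your identity provider, for instance Cognito or another JWT issuer, but the policy-building and decision logic is the same. The secret, the "sub" and "scopes" claim names, and the helper names are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Hypothetical shared secret. In a real deployment load it from an environment
# variable, Secrets Manager or Parameter Store; the fallback exists only so the
# example runs stand-alone.
SECRET = os.environ.get("AUTHORIZER_SECRET", "example-secret-not-for-production").encode()


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, ttl_seconds=300):
    """Issue a token in the constructed format used by this example:
    base64url(JSON claims) '.' base64url(HMAC-SHA256 over the encoded claims)."""
    body = dict(claims, exp=int(time.time()) + ttl_seconds)
    payload = _b64url_encode(json.dumps(body, separators=(",", ":")).encode())
    signature = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url_encode(signature)}"


def verify_token(token):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        payload, signature = token.split(".", 1)
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature leaks no timing information.
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return None  # malformed base64, bad JSON or a token without a '.'
    if not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
        return None
    return claims


def parse_method_arn(method_arn):
    """Split arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}
    into (stage ARN, HTTP method, resource path)."""
    prefix, _, rest = method_arn.rpartition(":")
    api_id, stage, method, *path_parts = rest.split("/")
    return f"{prefix}:{api_id}/{stage}", method, "/" + "/".join(path_parts)


def build_policy(principal_id, effect, resources, context=None):
    """Build the IAM policy document API Gateway expects from a Lambda authorizer."""
    policy = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resources}
            ],
        },
    }
    if context:
        policy["context"] = context  # reaches the backend as $context.authorizer.*
    return policy


def authorize(event):
    """Return the policy for a TOKEN authorizer event, or None when the token is
    missing, malformed, forged or expired (lambda_handler maps None to 401)."""
    claims = verify_token(event.get("authorizationToken") or "")
    if claims is None or "sub" not in claims:
        return None
    stage_arn, method, path = parse_method_arn(event["methodArn"])
    # Hypothetical claim: scopes such as "GET /customers" name permitted methods.
    scopes = [s for s in claims.get("scopes", []) if isinstance(s, str) and " " in s]
    if f"{method} {path}" in scopes:
        # Allow every method the token is scoped for, not only the requested one:
        # API Gateway caches the policy per token, so a single-method Allow would
        # make the next call to another permitted method fail while cached.
        resources = [f"{stage_arn}/{s.replace(' ', '', 1)}" for s in scopes]
        effect = "Allow"
    else:
        resources = [event["methodArn"]]
        effect = "Deny"
    return build_policy(claims["sub"], effect, resources, {"sub": claims["sub"]})


def lambda_handler(event, context):
    policy = authorize(event)
    if policy is None:
        # API Gateway turns this exact message into a 401 Unauthorized response.
        raise Exception("Unauthorized")
    return policy
```

Two behaviours are worth noting. A missing or invalid token raises "Unauthorized", which API Gateway answers with 401, whereas a valid token without permission for the method yields a Deny policy and a 403. If you enable authorization caching on the authorizer, a Deny is cached against that token as well, so either keep the cache TTL short or return the full allow-list of the token's scopes rather than a per-request decision.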

2. Create an API Gateway Authorizer

Next, go to the AWS API Gateway service in the AWS Console and create a custom authorizer:

  • Provide a name for your authorizer.
  • Choose the authorizer type (Lambda-based).
  • Select the Lambda function you created as the authorizer function.

Define the Token Source in your authorizer configuration. This is the header key where your authorization token is expected to be.

# The Token Source in your authorizer configuration
authorization-token

3. Configure the API Resource with the Authorizer

In your API Gateway, navigate to the specific resource you want to secure (e.g., /customers). Configure the method (e.g., GET) and require the authorizer:

  • Open the method request for the resource.
  • Set the authorization to use the custom authorizer you just created.

4. Deploy the API

Once you’ve set up the authorizer, you should deploy your API to apply the changes:

# Deploy the API using the AWS CLI (replace placeholders)
aws apigateway create-deployment --rest-api-id YourAPIID --stage-name YourStageName

5. Testing the Authorizer

Test your authorizer to ensure it’s working correctly. You can use Postman, the AWS CLI, or any HTTP client to make requests to your secured API resource.

To make a request using the AWS CLI:

# Replace 'YourAPIID', 'YourResourceID' and 'YourToken' with actual values. The header name
# must match the Token Source configured for the authorizer (authorization-token here), and
# --endpoint-url is not used: it would redirect the CLI itself to a different AWS endpoint.
aws apigateway test-invoke-method --rest-api-id YourAPIID --resource-id YourResourceID --http-method GET --headers authorization-token=YourToken

This command sends a test request to the method you secured, including the authorization token in the request header the authorizer reads. Try it once with a valid token and once with a bad or missing one to confirm that you see the allow and the deny paths.

Congratulations! You’ve successfully secured your API Gateway-based REST API with a custom Lambda-based authorizer. This added layer of security ensures that only authorized users can access your resources, and you can fine-tune
