---
title: API Gateway Security Architecture (2026): WAF, Cognito, Private APIs, and Verified Permissions
description: After Cognito multi-Region replication (June 2026), a B2B API platform (~18k RPS peak) cut auth-related 5xx during a regional drill from 4.2% → 0.1% — but a missing WAF rate rule still let a scraper burn $1.8k in a weekend.
url: https://www.factualminds.com/blog/aws-api-gateway-security-architecture-2026/
datePublished: 2026-07-10T00:00:00.000Z
dateModified: 2026-07-10T00:00:00.000Z
author: palaniappan-p
category: Security & Compliance
tags: aws, amazon-api-gateway, aws-waf, amazon-cognito, amazon-verified-permissions, security, architecture
---

# API Gateway Security Architecture (2026): WAF, Cognito, Private APIs, and Verified Permissions

> After Cognito multi-Region replication (June 2026), a B2B API platform (~18k RPS peak) cut auth-related 5xx during a regional drill from 4.2% → 0.1% — but a missing WAF rate rule still let a scraper burn $1.8k in a weekend.

**In June 2026**, Amazon Cognito launched **multi-Region replication** so user pools on **Essentials or Plus** can keep authentication available in a standby Region during a regional disruption ([What's New](https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-cognito-multi-region/), [developer guide](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-multi-region.html)). **Amazon Verified Permissions** continues to wire **Cedar** policies to API Gateway via a console wizard and Lambda authorizer for group- and attribute-based access ([AVP + API Gateway](https://aws.amazon.com/blogs/security/authorize-api-gateway-apis-using-amazon-verified-permissions-and-amazon-cognito/), [Cognito AVP authz](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-authorization-with-avp.html)).

This is the **API security architecture** — edge → authz → private vs public → abuse. It is **not** [REST/HTTP/WebSocket patterns](/blog/aws-api-gateway-patterns-rest-http-websocket/), **not** [JWT vs introspection](/blog/oauth2-introspection-vs-jwt-validation-cognito-api-gateway/), and **not** a [Shield Advanced buyer guide](/blog/aws-shield-advanced-ddos-response-buyer-guide-2026/).

Artifacts: [authz decision matrix](https://www.factualminds.com/examples/architecture-blog-2026/api-gateway-security/authz-decision-matrix.md), [hardening checklist](https://www.factualminds.com/examples/architecture-blog-2026/api-gateway-security/hardening-checklist.md), [architecture diagram (draw.io)](https://www.factualminds.com/examples/architecture-blog-2026/api-gateway-security/api-gateway-security-architecture.drawio).

> **Benchmark silhouette (not a cited client)** — **B2B SaaS API**, **~18k RPS** peak, Cognito user pool, public REST + two private partner APIs. Regional auth drill before MRR: auth **5xx 4.2%** for **14 minutes**. After Cognito MRR + multi-Region OIDC issuer: drill **5xx 0.1%**. Same month, a scraper hit an unauthenticated export route: **~$1.8k** excess egress/compute until a WAF rate-based rule landed. Lesson: auth DR ≠ abuse protection.

## Four layers — edge to backend

| Layer       | Default                                              | Notes                                       |
| ----------- | ---------------------------------------------------- | ------------------------------------------- |
| **Edge**    | CloudFront + AWS WAF (or WAF on API stage)           | Rate rules on auth and export paths         |
| **Authn**   | Cognito JWT authorizer                               | IAM SigV4 for service principals            |
| **Authz**   | Cognito groups → upgrade to **Verified Permissions** | Cedar when rules change faster than deploys |
| **Network** | Private API + resource policy / VPC Lattice          | Never "temporarily" publicize private APIs  |

**Opinionated take:** Put **WAF in front of every public API before** you tune Cedar policies. Authorization elegance does not stop a cheap L7 scrape.

## Reference architecture

```
Clients ──► CloudFront ──► AWS WAF ──► API Gateway (public)
                                      │
                                      ├── JWT authorizer (Cognito)
                                      │      └── optional AVP Lambda authorizer (Cedar)
                                      └── integration ──► Lambda / VPC Lattice / HTTP

Internal ──► Private API Gateway ◄── VPC endpoint + resource policy
                                      └── IAM SigV4
```

Private API patterns with **VPC Lattice** for cross-account exposure are documented in AWS Containers guidance ([API Gateway + VPC Lattice](https://aws.amazon.com/blogs/containers/securing-api-endpoints-using-amazon-api-gateway-and-amazon-vpc-lattice/)).

## Choose the authorizer

Use [authz-decision-matrix.md](https://www.factualminds.com/examples/architecture-blog-2026/api-gateway-security/authz-decision-matrix.md):

- **End users:** Cognito JWT
- **Fine-grained / multi-service rules:** Verified Permissions
- **AWS service callers:** IAM
- **Public read:** WAF + cache; still inventory every method

## What broke — JWT without rate limits

> **What broke** — A partner integration test script rotated through **12k** token refreshes/hour against `/oauth2/token` adjacent paths and a weakly protected export. Cognito and API Gateway returned valid 401/403 mixes; **WAF had no rate-based rule** on that stage. Detection: Cost anomaly + `Count` mode rule simulation the following Monday. Fix: rate-based rule + usage plan metering + move export behind AVP policy requiring `partner.export` action.

## Cognito multi-Region — what it fixes

MRR replicates user directory and config to a secondary Region (max **2** replicas). Requirements include **Essentials/Plus**, a **multi-Region CMK**, and a **multi-Region OIDC issuer**. It does **not** replicate your API Gateway stages or data stores — pair with your API DR runbook.

## What to Do This Week

1. Inventory every API method: public vs private, authorizer type, WAF association.
2. Score authz needs with the decision matrix; schedule AVP only where groups are insufficient.
3. Add rate-based WAF rules on auth, search, and export.
4. If auth is a single-Region SPOF, evaluate Cognito MRR prerequisites (plan tier, CMK, OIDC issuer).

## What This Post Doesn't Cover

- WebSocket fan-out security edge cases
- mTLS partner termination design
- Full Shield Advanced commercial decision ([buyer guide](/blog/aws-shield-advanced-ddos-response-buyer-guide-2026/))
- AppSync-specific auth modes

## FAQ

### When should we NOT use a Lambda authorizer?
Skip custom Lambda authorizers when Cognito JWT or IAM SigV4 already matches the trust model. Add Lambda + Verified Permissions when authorization rules outgrow Cognito groups and must be shared across services.

### When is a private API the wrong choice?
When external mobile/web clients must call you directly without a public edge. Use a public API (often behind CloudFront) with JWT + WAF instead of "temporary" public exposure of a private API.

### Does Cognito multi-Region replication replace multi-Region API design?
No. June 2026 MRR keeps auth available in a standby Region (Essentials/Plus, multi-Region CMK + OIDC issuer). You still need API and data plane failover. Max two replicas per directory.

### What could go wrong with Verified Permissions on API Gateway?
Over-flat schemas that encode every path as an action without group design, or attaching the authorizer to only some methods and leaving admin routes open. Audit method-level authorizer coverage.

### Are API keys enough for partner auth?
No. Treat usage plans/API keys as metering. Partners need IAM, mutual TLS patterns, or token-based auth with AVP/Cedar policies.

### How is this different from the API Gateway patterns post?
Patterns covers REST/HTTP/WebSocket shapes. This post is the security stack: edge, authn/authz, private networking, and abuse controls.

---

*Source: https://www.factualminds.com/blog/aws-api-gateway-security-architecture-2026/*
