Skip to main content

AI & assistant-friendly summary

This section provides structured content for AI assistants and search engines. You can cite or summarize it when referencing this page.

Summary

After Cognito multi-Region replication (June 2026), a B2B API platform (~18k RPS peak) cut auth-related 5xx during a regional drill from 4.2% → 0.1% — but a missing WAF rate rule still let a scraper burn $1.8k in a weekend.

Key Facts

  • After Cognito multi-Region replication (June 2026), a B2B API platform (~18k RPS peak) cut auth-related 5xx during a regional drill from 4
  • 2% → 0
  • 1% — but a missing WAF rate rule still let a scraper burn $1
  • 8k in a weekend
  • Amazon Verified Permissions continues to wire Cedar policies to API Gateway via a console wizard and Lambda authorizer for group- and attribute-based access (AVP + API Gateway, Cognito AVP authz)

Entity Definitions

Lambda
Lambda is an AWS service discussed in this article.
CloudFront
CloudFront is an AWS service discussed in this article.
IAM
IAM is an AWS service discussed in this article.
VPC
VPC is an AWS service discussed in this article.
API Gateway
API Gateway is an AWS service discussed in this article.
WAF
WAF is an AWS service discussed in this article.
AWS WAF
AWS WAF is an AWS service discussed in this article.

API Gateway Security Architecture (2026): WAF, Cognito, Private APIs, and Verified Permissions

Quick summary: After Cognito multi-Region replication (June 2026), a B2B API platform (~18k RPS peak) cut auth-related 5xx during a regional drill from 4.2% → 0.1% — but a missing WAF rate rule still let a scraper burn $1.8k in a weekend.

Key Takeaways

  • After Cognito multi-Region replication (June 2026), a B2B API platform (~18k RPS peak) cut auth-related 5xx during a regional drill from 4
  • 2% → 0
  • 1% — but a missing WAF rate rule still let a scraper burn $1
  • 8k in a weekend
  • Amazon Verified Permissions continues to wire Cedar policies to API Gateway via a console wizard and Lambda authorizer for group- and attribute-based access (AVP + API Gateway, Cognito AVP authz)
API Gateway Security Architecture (2026): WAF, Cognito, Private APIs, and Verified Permissions
Table of Contents

In June 2026, Amazon Cognito launched multi-Region replication so user pools on Essentials or Plus can keep authentication available in a standby Region during a regional disruption (What’s New, developer guide). Amazon Verified Permissions continues to wire Cedar policies to API Gateway via a console wizard and Lambda authorizer for group- and attribute-based access (AVP + API Gateway, Cognito AVP authz).

This is the API security architecture — edge → authz → private vs public → abuse. It is not REST/HTTP/WebSocket patterns, not JWT vs introspection, and not a Shield Advanced buyer guide.

Artifacts: authz decision matrix, hardening checklist, architecture diagram (draw.io).

Benchmark silhouette (not a cited client)B2B SaaS API, ~18k RPS peak, Cognito user pool, public REST + two private partner APIs. Regional auth drill before MRR: auth 5xx 4.2% for 14 minutes. After Cognito MRR + multi-Region OIDC issuer: drill 5xx 0.1%. Same month, a scraper hit an unauthenticated export route: ~$1.8k excess egress/compute until a WAF rate-based rule landed. Lesson: auth DR ≠ abuse protection.

Four layers — edge to backend

LayerDefaultNotes
EdgeCloudFront + AWS WAF (or WAF on API stage)Rate rules on auth and export paths
AuthnCognito JWT authorizerIAM SigV4 for service principals
AuthzCognito groups → upgrade to Verified PermissionsCedar when rules change faster than deploys
NetworkPrivate API + resource policy / VPC LatticeNever “temporarily” publicize private APIs

Opinionated take: Put WAF in front of every public API before you tune Cedar policies. Authorization elegance does not stop a cheap L7 scrape.

Reference architecture

Clients ──► CloudFront ──► AWS WAF ──► API Gateway (public)

                                      ├── JWT authorizer (Cognito)
                                      │      └── optional AVP Lambda authorizer (Cedar)
                                      └── integration ──► Lambda / VPC Lattice / HTTP

Internal ──► Private API Gateway ◄── VPC endpoint + resource policy
                                      └── IAM SigV4

Private API patterns with VPC Lattice for cross-account exposure are documented in AWS Containers guidance (API Gateway + VPC Lattice).

Choose the authorizer

Use authz-decision-matrix.md:

  • End users: Cognito JWT
  • Fine-grained / multi-service rules: Verified Permissions
  • AWS service callers: IAM
  • Public read: WAF + cache; still inventory every method

What broke — JWT without rate limits

What broke — A partner integration test script rotated through 12k token refreshes/hour against /oauth2/token adjacent paths and a weakly protected export. Cognito and API Gateway returned valid 401/403 mixes; WAF had no rate-based rule on that stage. Detection: Cost anomaly + Count mode rule simulation the following Monday. Fix: rate-based rule + usage plan metering + move export behind AVP policy requiring partner.export action.

Cognito multi-Region — what it fixes

MRR replicates user directory and config to a secondary Region (max 2 replicas). Requirements include Essentials/Plus, a multi-Region CMK, and a multi-Region OIDC issuer. It does not replicate your API Gateway stages or data stores — pair with your API DR runbook.

What to Do This Week

  1. Inventory every API method: public vs private, authorizer type, WAF association.
  2. Score authz needs with the decision matrix; schedule AVP only where groups are insufficient.
  3. Add rate-based WAF rules on auth, search, and export.
  4. If auth is a single-Region SPOF, evaluate Cognito MRR prerequisites (plan tier, CMK, OIDC issuer).

What This Post Doesn’t Cover

  • WebSocket fan-out security edge cases
  • mTLS partner termination design
  • Full Shield Advanced commercial decision (buyer guide)
  • AppSync-specific auth modes
PP
Palaniappan P

AWS Cloud Architect & AI Expert

AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.

AWS ArchitectureCloud MigrationGenAI on AWSCost OptimizationDevOps

Recommended Reading

Explore All Articles »