API Gateway Security Architecture (2026): WAF, Cognito, Private APIs, and Verified Permissions
Quick summary: After Cognito multi-Region replication (June 2026), a B2B API platform (~18k RPS peak) cut auth-related 5xx during a regional drill from 4.2% → 0.1% — but a missing WAF rate rule still let a scraper burn $1.8k in a weekend.
Key Takeaways
- After Cognito multi-Region replication (June 2026), a B2B API platform (~18k RPS peak) cut auth-related 5xx during a regional drill from 4
- 2% → 0
- 1% — but a missing WAF rate rule still let a scraper burn $1
- 8k in a weekend
- Amazon Verified Permissions continues to wire Cedar policies to API Gateway via a console wizard and Lambda authorizer for group- and attribute-based access (AVP + API Gateway, Cognito AVP authz)

Table of Contents
In June 2026, Amazon Cognito launched multi-Region replication so user pools on Essentials or Plus can keep authentication available in a standby Region during a regional disruption (What’s New, developer guide). Amazon Verified Permissions continues to wire Cedar policies to API Gateway via a console wizard and Lambda authorizer for group- and attribute-based access (AVP + API Gateway, Cognito AVP authz).
This is the API security architecture — edge → authz → private vs public → abuse. It is not REST/HTTP/WebSocket patterns, not JWT vs introspection, and not a Shield Advanced buyer guide.
Artifacts: authz decision matrix, hardening checklist, architecture diagram (draw.io).
Benchmark silhouette (not a cited client) — B2B SaaS API, ~18k RPS peak, Cognito user pool, public REST + two private partner APIs. Regional auth drill before MRR: auth 5xx 4.2% for 14 minutes. After Cognito MRR + multi-Region OIDC issuer: drill 5xx 0.1%. Same month, a scraper hit an unauthenticated export route: ~$1.8k excess egress/compute until a WAF rate-based rule landed. Lesson: auth DR ≠ abuse protection.
Four layers — edge to backend
| Layer | Default | Notes |
|---|---|---|
| Edge | CloudFront + AWS WAF (or WAF on API stage) | Rate rules on auth and export paths |
| Authn | Cognito JWT authorizer | IAM SigV4 for service principals |
| Authz | Cognito groups → upgrade to Verified Permissions | Cedar when rules change faster than deploys |
| Network | Private API + resource policy / VPC Lattice | Never “temporarily” publicize private APIs |
Opinionated take: Put WAF in front of every public API before you tune Cedar policies. Authorization elegance does not stop a cheap L7 scrape.
Reference architecture
Clients ──► CloudFront ──► AWS WAF ──► API Gateway (public)
│
├── JWT authorizer (Cognito)
│ └── optional AVP Lambda authorizer (Cedar)
└── integration ──► Lambda / VPC Lattice / HTTP
Internal ──► Private API Gateway ◄── VPC endpoint + resource policy
└── IAM SigV4Private API patterns with VPC Lattice for cross-account exposure are documented in AWS Containers guidance (API Gateway + VPC Lattice).
Choose the authorizer
- End users: Cognito JWT
- Fine-grained / multi-service rules: Verified Permissions
- AWS service callers: IAM
- Public read: WAF + cache; still inventory every method
What broke — JWT without rate limits
What broke — A partner integration test script rotated through 12k token refreshes/hour against
/oauth2/tokenadjacent paths and a weakly protected export. Cognito and API Gateway returned valid 401/403 mixes; WAF had no rate-based rule on that stage. Detection: Cost anomaly +Countmode rule simulation the following Monday. Fix: rate-based rule + usage plan metering + move export behind AVP policy requiringpartner.exportaction.
Cognito multi-Region — what it fixes
MRR replicates user directory and config to a secondary Region (max 2 replicas). Requirements include Essentials/Plus, a multi-Region CMK, and a multi-Region OIDC issuer. It does not replicate your API Gateway stages or data stores — pair with your API DR runbook.
What to Do This Week
- Inventory every API method: public vs private, authorizer type, WAF association.
- Score authz needs with the decision matrix; schedule AVP only where groups are insufficient.
- Add rate-based WAF rules on auth, search, and export.
- If auth is a single-Region SPOF, evaluate Cognito MRR prerequisites (plan tier, CMK, OIDC issuer).
What This Post Doesn’t Cover
- WebSocket fan-out security edge cases
- mTLS partner termination design
- Full Shield Advanced commercial decision (buyer guide)
- AppSync-specific auth modes
AWS Cloud Architect & AI Expert
AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.




