# API Gateway authz decision matrix (2026)

Pick one primary authorizer per API surface. Mixing is OK across APIs, not within a single method without a clear reason.

| Scenario | Cognito JWT authorizer | IAM SigV4 | Lambda authorizer + Verified Permissions (Cedar) | None (public) + WAF only |
|----------|------------------------|-----------|--------------------------------------------------|--------------------------|
| End-user mobile/web app (Cognito pool) | **2** | 0 | **2** if group/ABAC rules change weekly | 0 |
| Service-to-service inside AWS | 0 | **2** | 1 | 0 |
| Fine-grained RBAC/ABAC beyond Cognito groups | 1 | 0 | **2** | 0 |
| Partner B2B with external IdP tokens | 1 (federated) | 0 | **2** | 0 |
| Public marketing/read-only | 0 | 0 | 0 | **2** + strict WAF + cache |
| Private API (VPC-only) | 1 | **2** | 1 | 0 — never public |

## Opinionated default

- **Customer APIs:** Cognito JWT + AWS WAF. Add **Verified Permissions** when authorization rules outgrow Cognito groups (Cedar policy store + API Gateway wizard / Lambda authorizer).
- **Internal APIs:** Private REST API + resource policy + IAM. Prefer VPC Lattice for cross-account east-west when multiple VPCs share services.
- **June 2026:** For auth DR, evaluate Cognito **multi-Region replication** (Essentials/Plus) so token validation survives a regional outage — pair with multi-Region OIDC issuer.

## When NOT to

- Do not put business authorization only in Lambda application code if multiple services must enforce the same rules — centralize in Cedar/AVP or IAM.
- Do not expose a private API via a public custom domain "temporarily."
- Do not skip WAF on public APIs even with JWT — JWT does not stop L7 floods or bot scrapes.
