Module 2: Amazon API Gateway Terminology

Module 2: AMAZON API GATEWAY TERMINOLOGY (6 Periods)

API Driven Design, API driven development, what is Amazon API Gateway? Amazon API
Gateway terminology, Section Readings, Models and Mapping, Creating an API with Mock
integration, Using Mappings, Using Models, Section Readings, Publish API, Using Postman to
create requests, API Authentication, Amazon API Gateway authentication, Amazon API
Gateway access controls, Amazon API Gateway authentication and authorization mechanisms,
Amazon Cognito, Amazon Cognito, Using Amazon Cognito to sign in and call Amazon API
Gateway.

2.1. API Driven Design, API driven development, what is Amazon API Gateway?
API Driven Design and API Driven Development:
API Driven Design and API Driven Development are related concepts that emphasize
building applications and systems with a strong focus on APIs (Application Programming
Interfaces). These approaches put APIs at the core of the design and development process,
making them the foundation for communication and integration between different
components or services.

API Driven Design involves defining and designing APIs before developing the underlying
functionality. This helps establish a clear contract between different parts of the system and
allows teams to work independently, as long as they adhere to the API specifications. The
API acts as an interface that abstracts the implementation details, making it easier to
modify and improve the system without affecting the external interactions.

API Driven Development, on the other hand, refers to the practice of writing code that
interacts with APIs from the outset, rather than building the entire application as a
monolithic unit. This approach promotes modularity, reusability, and scalability, as
developers can work on different components separately, as long as they conform to the
specified APIs.

Amazon API Gateway:

Amazon API Gateway is a fully managed service provided by Amazon Web Services (AWS).
It allows developers to create, publish, maintain, monitor, and secure APIs at any scale. API
Gateway acts as a front-end for your applications, serving as a reverse proxy to accept API

Ms. M. Sowmya Vani, Assistant Professor, Department of CA, MBU Page 1

 Module 2: Amazon API Gateway Terminology

calls, process them, and forward them to backend services. It handles tasks like request
and response transformations, authentication, authorization, and caching.
Key features of Amazon API Gateway include:

API Creation: You can easily create RESTful APIs or WebSocket APIs using API Gateway.
You define the API's endpoints, methods, request/response types, and integrations with
backend services.

API Deployment: API Gateway makes it simple to deploy APIs to multiple stages, such as
development, testing, and production, allowing you to manage the lifecycle of your APIs
effectively.

Authorization and Authentication: API Gateway offers various methods for controlling access
to your APIs, including API keys, IAM (Identity and Access Management) roles, Lambda
authorizers, and custom authorizers.

Rate Limiting and Throttling: You can set rate limits and throttling policies to control the
amount of traffic and protect your backend services from overuse.

Monitoring and Logging: API Gateway provides built-in monitoring and logging capabilities
to track API usage, identify issues, and gather insights about API performance.

Integration with AWS Services: API Gateway can seamlessly integrate with other AWS
services, such as AWS Lambda, AWS DynamoDB, and AWS S3, to build serverless
applications and easily expose those services as APIs.

By utilizing Amazon API Gateway, developers can implement API Driven Design and
Development principles, making it easier to create scalable, reliable, and secure APIs for
their applications.

2.2. Amazon API Gateway terminology, Section Readings, Models and Mapping.
Key terminologies and concepts related to Amazon API Gateway: Section Readings, Models,
and Mapping.

Section Readings:

Ms. M. Sowmya Vani, Assistant Professor, Department of CA, MBU Page 2

 Module 2: Amazon API Gateway Terminology

In the context of Amazon API Gateway, "Section Readings" appears to be an incorrect term,
and it may not be a standard or recognized concept within the service. If you are referring
to a specific term related to API Gateway or have any other query, please provide more
context or clarify the term you are referring to, and I'd be happy to assist further.

Models:
In Amazon API Gateway, a "Model" is a schema or data structure that defines the expected
shape of data in requests and responses when using the API. Models help ensure that data
is formatted correctly and consistently when exchanged between clients and the API. They
are particularly useful when dealing with complex data, such as JSON objects or XML
documents.

API Gateway supports two types of models:

Request Models: These models define the structure of data in the request body when a
client makes a request to the API. Request models are used to validate and transform
incoming data before passing it to backend integration.

Response Models: These models define the structure of data in the response body that the
API sends back to the client. Response models are used to validate and transform the data
from the backend integration before returning it to the client.

You can create models manually within API Gateway or import them from an external
OpenAPI Specification (OAS) or Swagger definition. Models help in standardizing data
formats, making it easier to work with complex payloads across different API methods.

Mapping:
Mapping, in the context of Amazon API Gateway, refers to the process of transforming data
between the request format and backend integration format, as well as between the
backend integration format and the response format. API Gateway provides the ability to
use mapping templates to control how data is passed between different parts of the API
flow.
Mapping templates use Velocity Template Language (VTL) syntax, which allows you to
extract, transform, and combine data from the incoming request or the backend response.

Ms. M. Sowmya Vani, Assistant Professor, Department of CA, MBU Page 3

 Module 2: Amazon API Gateway Terminology

This transformation process is useful when the data format expected by the client differs
from the format used by the backend service.

Mapping templates can be applied at various stages of the API flow, such as request
mapping before invoking the backend integration and response mapping before returning
the data to the client. By using mapping templates, you can modify the request and
response payloads, add headers, perform conditional logic, and more, to meet the specific
requirements of your API and its integrations.
"Models" help define the structure of data exchanged with the API, and "Mapping" enables
the transformation of data between different stages of the API flow to ensure seamless
communication between clients and backend services.

2.3. Creating an API with Mock integration, Using Mappings, Using Models, Section
Readings, Publish API, Using Postman to create requests.

To create an API with Mock integration, use mappings, models, and then publish the API,
follow these steps:

Define API Endpoints and Methods:

Begin by defining the API endpoints and methods that your API will support. For example,
you can have endpoints like /users and /products, and methods like GET, POST, PUT,
DELETE, etc. These endpoints and methods represent the different functionalities your API
will expose.

Create Models (if necessary):

Define models for the request and response payloads if your API deals with complex data.
Models help ensure data consistency and provide a clear structure for your API consumers.
Models can be specified using JSON Schema or similar formats.

Set Up Mock Integration:

In Amazon API Gateway, you can create a Mock integration for each API endpoint and
method. The Mock integration simulates the backend behavior and returns predefined
responses without actually invoking a real backend service. It allows you to quickly test
your API design and frontend implementations without the need for a fully developed
backend.

Ms. M. Sowmya Vani, Assistant Professor, Department of CA, MBU Page 4

 Module 2: Amazon API Gateway Terminology

Use Mappings:
If your API needs to perform transformations on request or response data, you can use
mapping templates. Mapping templates are written in Velocity Template Language (VTL)
and allow you to customize the input and output of your API. You can add headers, modify
request payloads, extract data, and much more.

2.4. Set Up Authorization and Authentication (Optional):

If your API requires security measures like API keys, IAM roles, or OAuth, configure the
necessary authentication and authorization methods to control access to your API.

Test the Mock API:

With the Mock integration and mapping templates in place, test your API using Amazon API
Gateway's test console to see how the API behaves with different inputs and how the
responses are transformed.

Publish the API:

Once you are satisfied with the API design and mock integration, you can publish the API to
make it available to your users. When publishing, you can choose deployment stages like
"dev," "test," or "prod" to manage different versions of your API.

Use Postman to Create Requests:

Postman is a popular API development and testing tool that allows you to create, send, and
manage API requests easily. You can use Postman to send requests to your published API
and see how it responds. Postman also enables you to view response data, headers, and
status codes.
Creating an API with Mock integration, using mappings, models, and then publishing the API
involves defining API endpoints, setting up mock integrations, utilizing mapping templates
to customize data, and finally publishing the API to make it available to your users. Postman
can be used to interact with your API and test its functionality.

2.5. API Authentication, Amazon API Gateway authentication, Amazon API

Gateway access controls.
API Authentication is a crucial aspect of securing APIs to ensure that only authorized users
or applications can access protected resources. Authentication mechanisms help verify the

Ms. M. Sowmya Vani, Assistant Professor, Department of CA, MBU Page 5

 Module 2: Amazon API Gateway Terminology

identity of the client making a request to the API, thereby preventing unauthorized access
to sensitive data or functionalities.
Amazon API Gateway provides various authentication options to control access to
your APIs:

API Key:
API keys are simple tokens that you can distribute to clients (e.g., mobile apps or third-
party developers) to grant access to your API. By including the API key in the request
headers or query parameters, clients can authenticate themselves and gain access to the
API resources associated with that key. API keys are easy to manage, but they offer a lower
level of security compared to other authentication methods.

2.6. AWS Identity and Access Management (IAM):

If you want to restrict access to your API to specific AWS IAM users or roles, you can
configure IAM authentication on your API Gateway. With IAM authentication, only
authenticated IAM users or roles can call the API. This method provides fine-grained access
control and uses the IAM policies associated with the IAM entities to define the allowed API
actions.

Amazon Cognito User Pools:

Amazon Cognito provides a managed service that offers user sign-up and sign-in options for
web and mobile applications. Amazon API Gateway can integrate with Amazon Cognito User
Pools, enabling you to authenticate users and control access based on user identities and
group memberships. Cognito User Pools offer features like multi-factor authentication and
user attribute management.

Lambda Authorizers:
Lambda Authorizers allow you to use AWS Lambda functions to customize the
authentication and authorization process. You can implement custom logic in the Lambda
function to verify API keys, JWT tokens, or other authentication tokens sent by clients.
Lambda authorizers enable you to define complex authentication mechanisms and extract
additional user information from tokens.

OAuth 2.0:

Ms. M. Sowmya Vani, Assistant Professor, Department of CA, MBU Page 6

 Module 2: Amazon API Gateway Terminology

API Gateway supports OAuth 2.0, which is a popular standard for secure authentication and
authorization in modern applications. You can integrate API Gateway with an OAuth 2.0
provider, such as Amazon Cognito or an external OAuth provider, to enable token-based
authentication and access control.

Amazon API Gateway Access Controls:

In addition to authentication mechanisms, Amazon API Gateway also provides access
control features to manage the permissions and usage limits for your APIs:

Resource Policies:
Resource Policies allow you to set up granular access control at the API and resource levels.
You can define policies to allow or deny specific IP addresses or AWS accounts from
accessing the API. Resource Policies work independently of the authentication mechanisms
and can be useful for additional security measures.

Usage Plans:
Usage Plans help you control the access rate and quota limits for individual API keys. By
associating API keys with usage plans, you can enforce rate limiting and prevent abuse of
your API resources. Usage plans enable you to manage the access of different client
applications based on their subscription levels.

Amazon API Gateway offers multiple authentication methods, including API keys, IAM,
Cognito User Pools, Lambda Authorizers, and OAuth 2.0, to secure your APIs and control
access. Additionally, you can use resource policies and usage plans to implement further
access controls and rate limits.

2.7. Amazon API Gateway authentication and authorization mechanisms, Amazon

Cognito.
Amazon API Gateway provides several authentication and authorization mechanisms to
secure APIs, and Amazon Cognito is one of the key services integrated with API Gateway for
managing user identities and access control. Let's explore both in more detail:

Amazon API Gateway Authentication Mechanisms:

a. API Key:

Ms. M. Sowmya Vani, Assistant Professor, Department of CA, MBU Page 7

 Module 2: Amazon API Gateway Terminology

API keys are simple tokens that you can generate and distribute to clients (e.g., mobile
apps, developers) to authenticate their requests to the API. API keys are a straightforward
way to control access, but they offer a lower level of security compared to other methods.

b. AWS Identity and Access Management (IAM) Authentication:

With IAM authentication, you can restrict access to your API to specific IAM users or roles in
your AWS account. IAM authentication provides fine-grained control over API access based
on IAM policies attached to users or roles.

c. Amazon Cognito User Pools:

Amazon Cognito provides a user directory service that manages user sign-up, sign-in, and
user profiles. When integrating Amazon API Gateway with Cognito User Pools, you can
authenticate users based on their identities. Cognito User Pools support various
authentication methods, such as username/password, social identity providers (e.g.,
Google, Facebook), and multi-factor authentication.

d. Lambda Authorizers:
Lambda Authorizers allow you to use AWS Lambda functions to customize the
authentication process. You can implement custom logic to verify tokens or headers sent by
clients, allowing you to support various authentication mechanisms not natively provided by
API Gateway.

e. OAuth 2.0:
API Gateway supports OAuth 2.0, a widely used standard for secure authentication and
authorization in modern applications. With OAuth 2.0, clients can obtain access tokens from
an OAuth provider, such as Amazon Cognito or an external OAuth provider, to access
protected resources in the API.

2.8. Amazon Cognito:

Amazon Cognito is a comprehensive identity service provided by AWS that offers user sign-
up, sign-in, and access control functionality for web and mobile applications. It comprises
two main components: Amazon Cognito User Pools and Amazon Cognito Identity Pools.

a. Amazon Cognito User Pools:

Ms. M. Sowmya Vani, Assistant Professor, Department of CA, MBU Page 8

 Module 2: Amazon API Gateway Terminology

Cognito User Pools are user directories that provide authentication and user management
capabilities. You can create and customize user pools to support different sign-up and sign-
in options, including username/password, phone number, email, and social identity
providers.

When integrated with Amazon API Gateway, Cognito User Pools allow you to authenticate
API clients based on their user identities, providing a secure way to control access to your
APIs and manage user registration and authentication.

b. Amazon Cognito Identity Pools:

Cognito Identity Pools provide temporary AWS credentials to grant users access to other
AWS services. They enable you to grant users access to specific AWS resources, such as S3
buckets or DynamoDB tables, based on their identity in the Cognito User Pool or external
identity providers.

By combining Amazon Cognito User Pools and Cognito Identity Pools, you can create a
seamless and secure user authentication and authorization flow for both your application
and API.

Amazon API Gateway offers a variety of authentication mechanisms, including API keys,
IAM, Cognito User Pools, Lambda Authorizers, and OAuth 2.0. Amazon Cognito, in
particular, provides user management and authentication services that can be integrated
with API Gateway to secure APIs and manage user access effectively.

2.9. Amazon Cognito, Using Amazon Cognito to sign in and call Amazon API
Gateway.

Using Amazon Cognito to sign in and call Amazon API Gateway involves integrating Cognito
User Pools with API Gateway to authenticate users and authorize their access to the API
resources. Here's a step-by-step guide on how to achieve this:

Step 1: Set Up Amazon Cognito User Pool

Ms. M. Sowmya Vani, Assistant Professor, Department of CA, MBU Page 9

 Module 2: Amazon API Gateway Terminology

Create a Cognito User Pool: In the Amazon Cognito console, create a new user pool. Define
the required attributes for user registration and the preferred sign-in methods, such as
email, phone number, or social identity providers.

Configure App Client: Create an app client within the user pool to represent the application
that will call the API Gateway. Specify the allowed OAuth 2.0 flows (e.g., Authorization
Code, Implicit), redirect URIs, and scopes required for accessing the API.

Step 2: Configure Amazon API Gateway

Create API: In the Amazon API Gateway console, create your API with the required
endpoints and methods that you want to secure.

Set Up Integration: Configure the integration of your API methods with the backend service
or Lambda function you want to call when the API is invoked.

Step 3: Enable Amazon Cognito User Pool Authorizer

Open the Settings for an API Stage: Go to the Stages section of your API in the API
Gateway console and click on the desired stage.

Enable Cognito User Pool Authorizer: Under the "API Gateway Authorizers" section, choose
"Cognito" as the type and select the Cognito User Pool you created in Step 1.

Step 4: Test the Setup

Get Access Token: In your application, use an SDK or library compatible with Amazon
Cognito to sign in the user and obtain an access token after successful authentication.

Call API with Access Token: When calling the API Gateway, include the access token in the
Authorization header of the request using the "Bearer" scheme. The Authorization header
should look like: Authorization: Bearer <access_token>

Ms. M. Sowmya Vani, Assistant Professor, Department of CA, MBU Page 10

 Module 2: Amazon API Gateway Terminology

API Gateway Authorization: The Cognito User Pool authorizer will validate the access token
provided in the request and grant access to the API resources if the user is authenticated
and authorized to access the requested resource.

With this setup, only authenticated and authorized users with valid access tokens can call
the protected endpoints in your Amazon API Gateway. If the user is not authenticated or the
access token is invalid or expired, the API Gateway will return an authorization error,
ensuring that your API resources are securely accessed only by authorized users.

Provides a high-level overview of the steps involved in using Amazon Cognito with API
Gateway. The actual implementation may vary based on your application's specific
requirements and technology stack.

Ms. M. Sowmya Vani, Assistant Professor, Department of CA, MBU Page 11