
API-Gateway Auth: AWS sigv4 vs Cognito User Pool JWT

When I use API-Gateway to define my endpoints, some of my endpoints are only accessible to a signed-in user. (I am using Cognito User Pool to manage my users.)

I see different ways to achieve this goal:

  1. SigV4, see Page 19;

  2. JWT token from Cognito User Pool, see Page 23

Right now, I am using option 2, but I don't understand when I should use option 1. Are they essentially just different approaches to achieve the same goal or are they different?

asked Sep 14 '25 04:09 by chen


1 Answer

Although with a bit of effort they can be used 'semi'-interchangeably, there's a different intent behind each:

  • SigV4 is aimed at someone with access to an IAM user/role in your AWS account.
  • Cognito/JWT is aimed at allowing you to create and manage a group of users separate from your AWS Account users (i.e. in Cognito), and a mechanism to verify those identities.

For most API Gateway uses I would expect Cognito (or API Keys) to be the best option, although there are architectural patterns where you give your API users direct access to resources in your account through temporary IAM credentials.

answered Sep 17 '25 19:09 by thomasmichaelwallace
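To make the difference in intent concrete, here is what the SigV4 option looks like on the wire. This is an added example, not code from the question, the answer, or AWS: the client derives a per-day signing key from an IAM secret access key and signs a canonical form of the request, and the verifier (IAM/API Gateway in reality) looks the secret up by access key id and recomputes the same signature. The access key `AKIDEXAMPLE`, its secret, the host `api.example.com`, the stage path `/prod/orders` and the timestamps are all constructed placeholders.

```python
"""SigV4 signing for an API Gateway (execute-api) request and the server-side
recomputation a verifier performs with the caller's IAM secret key.

Added example, not code from the original post or from AWS. Every credential,
host and path below is a constructed placeholder.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

SERVICE = "execute-api"          # service name API Gateway uses in the credential scope
ALGORITHM = "AWS4-HMAC-SHA256"

# Constructed sample values (not real AWS credentials).
SAMPLE_ACCESS_KEY = "AKIDEXAMPLE"
SAMPLE_SECRETS = {SAMPLE_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
SAMPLE_TIME = datetime(2025, 9, 14, 4, 9, 0, tzinfo=timezone.utc)
LATER_TIME = SAMPLE_TIME + timedelta(seconds=1000)   # outside the 15-minute window


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4'+secret, date), region), service), 'aws4_request')."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload_hash):
    """Build the canonical request string and the SignedHeaders list."""
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(query.items()))
    canon = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(canon))
    ch = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    cr = "\n".join([method, quote(path, safe="/-_.~"), cq, ch, signed_headers, payload_hash])
    return cr, signed_headers


def _string_to_sign(amz_date, scope, cr):
    return "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(cr.encode("utf-8"))])


def sign(method, host, path, query, body, access_key, secret_key, region, when):
    """Client side: return the headers to send (host, x-amz-date, x-amz-content-sha256, authorization)."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = _sha256_hex(body)
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-content-sha256": payload_hash}
    cr, signed_headers = canonical_request(method, path, query, headers, payload_hash)
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    sig = hmac.new(derive_signing_key(secret_key, date_stamp, region),
                   _string_to_sign(amz_date, scope, cr).encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={sig}")
    return headers


def verify(method, path, query, body, headers, lookup_secret, region, now, max_skew=900):
    """Server side: parse Authorization, fetch the secret for the key id, recompute the
    signature over the request as received, and compare in constant time."""
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    parts = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
    access_key, date_stamp, req_region, service, term = parts["Credential"].split("/")
    if (req_region, service, term) != (region, SERVICE, "aws4_request"):
        return False                      # scope must match the endpoint being called
    amz_date = headers.get("x-amz-date", "")
    try:
        sent = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    if not amz_date.startswith(date_stamp) or abs((now - sent).total_seconds()) > max_skew:
        return False                      # stale or clock-skewed request (replay window)
    secret = lookup_secret(access_key)
    if secret is None:
        return False                      # unknown access key id
    names = parts["SignedHeaders"].split(";")
    if any(n not in headers for n in names):
        return False
    payload_hash = _sha256_hex(body)
    if headers.get("x-amz-content-sha256", payload_hash) != payload_hash:
        return False                      # body was altered after signing
    cr, _ = canonical_request(method, path, query, {n: headers[n] for n in names}, payload_hash)
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    expected = hmac.new(derive_signing_key(secret, date_stamp, region),
                        _string_to_sign(amz_date, scope, cr).encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, parts["Signature"])
```

The point of the exercise is who holds what: SigV4 only works if the caller possesses an IAM access key and secret (long-lived or temporary via STS), and the verifier resolves the key id to an IAM principal and its policies, which is why the answer describes it as aimed at someone with access to an IAM user/role. With the Cognito option the client sends a JWT issued by the user pool in the Authorization header instead, and API Gateway checks that token's RS256 signature against the pool's published JSON Web Key Set and rejects expired tokens; no IAM secret ever reaches the end user. Note also the replay window and the tamper checks above: a SigV4 signature binds the method, path, query, signed headers and body hash to a timestamp, so changing any of them, or replaying outside the skew window, fails verification.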