API Gateway IAM Authorization (#612)

Remove Lambda authorizers from API Gateway Endpoints (HTTP API and Web Socket API) and replace with IAM Authorization.
Replace use of axios in web-ui service repository code with Amplify Rest API client which automatically performs request signing

---------

Co-authored-by: Bastien <bastil@amazon.co.uk>

aws/cloudformation-templates/base/_template.yaml

@@ -323,6 +323,10 @@ Outputs:
     Description: Authentication Cognito Authorized Role name
     Value: !GetAtt Authentication.Outputs.CognitoAuthorizedRole
 
+  CognitoUnAuthorizedRole:
+    Description: Authentication Cognito UnAuthorized Role name
+    Value: !GetAtt Authentication.Outputs.CognitoUnAuthorizedRole
+
   StackBucketName:
     Description: Stack Bucket
     Value: !GetAtt Buckets.Outputs.StackBucketName

aws/cloudformation-templates/base/authentication.yaml

@@ -265,4 +265,7 @@ Outputs:
     Value: !Ref IdentityPool
   CognitoAuthorizedRole:
     Description: Cognito Authorized Role
-    Value: !Ref CognitoAuthorizedRole
+    Value: !Ref CognitoAuthorizedRole
+  CognitoUnAuthorizedRole:
+    Description: Cognito UnAuthorized Role
+    Value: !Ref CognitoUnAuthorizedRole

aws/cloudformation-templates/location.yaml

@@ -60,6 +60,9 @@ Parameters:
   LambdaVpcSubnets:
     Type: String
 
+  CognitoAuthorizedRole:
+    Type: String
+
 Conditions:
   DefaultGeofence: !Equals
       - !Ref DeployDefaultGeofence
@@ -326,60 +329,26 @@ Resources:
       DeploymentId: !Ref LocationGeofenceBrowserNotificationApiDeployment
       ApiId: !Ref LocationGeofenceBrowserNotificationApi
 
-  LambdaAuthorizerRole:
-      Type: AWS::IAM::Role
-      Properties:
-        AssumeRolePolicyDocument:
-          Version: 2012-10-17
-          Statement:
-            - Effect: Allow
-              Principal:
-                Service:
-                  - lambda.amazonaws.com
-              Action:
-                - sts:AssumeRole
-        Path: /
-        ManagedPolicyArns:
-          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
-
-  LambdaAuthorizerFunction:
-    Type: AWS::Lambda::Function
-    Properties:
-      Code:
-        S3Bucket: !Ref ResourceBucket
-        S3Key: !Sub '${ResourceBucketRelativePath}aws-lambda/apigw-ws-authorizer.zip'
-      Handler: index.handler
-      Runtime: nodejs18.x
-      Role: !GetAtt LambdaAuthorizerRole.Arn
-      MemorySize: 512
-      Timeout: 60
-      Environment:
-        Variables:
-          ALLOWED_ORIGIN: !Ref WebURL
-
-  LambdaAuthorizer:
-    Type: 'AWS::ApiGatewayV2::Authorizer'
-    Properties:
-      Name: LambdaAuthorizer
-      ApiId: !Ref LocationGeofenceBrowserNotificationApi
-      AuthorizerType: REQUEST
-      AuthorizerUri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaAuthorizerFunction.Arn}/invocations"
-
-  LambdaAuthorizerFunctionPermission:
-    Type: AWS::Lambda::Permission
-    Properties:
-      Action: lambda:invokeFunction
-      FunctionName: !GetAtt LambdaAuthorizerFunction.Arn
-      Principal: apigateway.amazonaws.com
-      SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${LocationGeofenceBrowserNotificationApi}/authorizers/${LambdaAuthorizer}"
+  ApiGatewayLocationAccessPolicy:
+    Type: AWS::IAM::Policy
+    Properties:      
+      PolicyName: ApiGatewayLocationAccessPolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action: "execute-api:Invoke"              
+            Resource:
+              - !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${LocationGeofenceBrowserNotificationApi}/${LocationGeofenceBrowserNotificationApiStage}/POST/@connections"
+      Roles: 
+        - !Ref CognitoAuthorizedRole
 
   LocationGeofenceBrowserNotificationApiConnectRoute:
     Type: 'AWS::ApiGatewayV2::Route'
     Properties:
       ApiId: !Ref LocationGeofenceBrowserNotificationApi
       RouteKey: $connect
-      AuthorizationType: CUSTOM
-      AuthorizerId: !Ref LambdaAuthorizer
+      AuthorizationType: AWS_IAM
       OperationName: ConnectRoute
       Target: !Join
         - '/'

aws/cloudformation-templates/room-generator.yaml

@@ -32,8 +32,6 @@ Parameters:
     Default: controlnet-depth-sdxl
   ApiGatewayId:
     Type: String
-  LambdaAuthorizer:
-    Type: String
   WebURL:
     Type: String
   CognitoAuthorizedRole:
@@ -694,6 +692,23 @@ Resources:
       Principal: apigateway.amazonaws.com
       SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiGatewayId}/*/*/*"
 
+  ApiGatewayRoomAccessPolicy:
+    Type: AWS::IAM::Policy
+    Properties:      
+      PolicyName: ApiGatewayRoomAccessPolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action: "execute-api:Invoke"              
+            Resource:
+              - !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiGatewayId}/*/POST/rooms"
+              - !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiGatewayId}/*/GET/rooms"
+              - !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiGatewayId}/*/GET/rooms/*"
+      Roles: 
+        - !Ref CognitoAuthorizedRole
+
+
   ApiIntegration:
     Type: 'AWS::ApiGatewayV2::Integration'
     Properties:
@@ -710,8 +725,7 @@ Resources:
     Properties:
       ApiId: !Ref ApiGatewayId
       RouteKey: 'GET /rooms/{id}'
-      AuthorizationType: CUSTOM
-      AuthorizerId: !Ref LambdaAuthorizer
+      AuthorizationType: AWS_IAM
       Target: !Join 
         - /
         - - integrations
@@ -722,8 +736,7 @@ Resources:
     Properties:
       ApiId: !Ref ApiGatewayId
       RouteKey: 'GET /rooms'
-      AuthorizationType: CUSTOM
-      AuthorizerId: !Ref LambdaAuthorizer
+      AuthorizationType: AWS_IAM
       Target: !Join 
         - /
         - - integrations
@@ -734,8 +747,7 @@ Resources:
     Properties:
       ApiId: !Ref ApiGatewayId
       RouteKey: 'POST /rooms'
-      AuthorizationType: CUSTOM
-      AuthorizerId: !Ref LambdaAuthorizer
+      AuthorizationType: AWS_IAM
       Target: !Join 
         - /
         - - integrations

aws/cloudformation-templates/services/service/service.yaml

@@ -300,6 +300,9 @@ Resources:
                 Resource:
                   - !Sub 'arn:${AWS::Partition}:evidently:${AWS::Region}:${AWS::AccountId}:project/${EvidentlyProjectName}*'
                   - !Sub 'arn:${AWS::Partition}:evidently:${AWS::Region}:${AWS::AccountId}:project/${EvidentlyProjectName}/feature/*'
+              - Effect: Allow
+                Action: cognito-idp:ListUsers
+                Resource: !Sub 'arn:${AWS::Partition}:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${UserPoolId}'
 
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/AWSCloudMapDiscoverInstanceAccess

aws/cloudformation-templates/template.yaml

@@ -729,8 +729,8 @@ Resources:
         VpcCidr: !GetAtt Base.Outputs.VpcCidr
         ResourceBucket: !Ref ResourceBucket
         ResourceBucketRelativePath: !Ref ResourceBucketRelativePath
-        CognitoUserPoolId: !GetAtt Base.Outputs.UserPoolId
-        CognitoAppClientId: !GetAtt Base.Outputs.UserPoolClientId
+        CognitoAuthorizedRole: !GetAtt Base.Outputs.CognitoAuthorizedRole
+        CognitoUnAuthorizedRole: !GetAtt Base.Outputs.CognitoUnAuthorizedRole
 
   # Web UI Pipeline
   WebUIPipeline:
@@ -854,6 +854,7 @@ Resources:
           ]
         LambdaVpcSecurityGroup: !GetAtt Base.Outputs.PrivateVPCSecurityGroup
         LambdaVpcSubnets: !GetAtt Base.Outputs.Subnets
+        CognitoAuthorizedRole: !GetAtt Base.Outputs.CognitoAuthorizedRole
 
   AmazonPay:
     Type: AWS::CloudFormation::Stack
@@ -976,7 +977,6 @@ Resources:
         CleanupBucketLambdaArn: !GetAtt CleanupBucket.Outputs.LambdaFunctionArn
         OpenSearchDomainEndpoint: !GetAtt Base.Outputs.OpenSearchDomainEndpoint
         ApiGatewayId: !GetAtt ApiGateway.Outputs.ApiGatewayId
-        LambdaAuthorizer: !GetAtt ApiGateway.Outputs.ApiGatewayAuthorizer
         WebUIBucketName: !GetAtt Base.Outputs.WebUIBucketName
         WebURL: !If 
           - ConditionCustomDomain

aws/cloudformation-templates/web-ui-pipeline.yaml

@@ -303,22 +303,8 @@ Resources:
             Value: !Sub ${UserPoolClientId}
           - Name: COGNITO_IDENTITY_POOL_ID
             Value: !Sub ${IdentityPoolId}
-          - Name: PRODUCTS_SERVICE_URL
-            Value: !Ref APIGatewayUrl
-          - Name: USERS_SERVICE_URL
-            Value: !Ref APIGatewayUrl
-          - Name: CARTS_SERVICE_URL
-            Value: !Ref APIGatewayUrl
-          - Name: ORDERS_SERVICE_URL
-            Value: !Ref APIGatewayUrl
-          - Name: RECOMMENDATIONS_SERVICE_URL
-            Value: !Ref APIGatewayUrl
-          - Name: LOCATION_SERVICE_URL
-            Value: !Ref APIGatewayUrl
-          - Name: SEARCH_SERVICE_URL
-            Value: !Ref APIGatewayUrl
-          - Name: VIDEOS_SERVICE_URL
-            Value: !Ref APIGatewayUrl
+          - Name: API_GATEWAY_URL
+            Value: !Ref APIGatewayUrl          
           - Name: DEPLOYED_REGION
             Value: !Ref AWS::Region
           - Name: PINPOINT_APP_ID

src/README.md

@@ -1,6 +1,8 @@
-# Local Development Instructions
-
 > [!IMPORTANT]  
-> The documentation has now moved to a new location: https://docs.retaildemostore.retail.aws.dev
-> 
-> [Main documentation](https://docs.retaildemostore.retail.aws.dev)
+> The documentation is now supported by [Material for MkDocs](https://squidfunk.github.io/mkdocs-material/) 
+>
+> You can read / browse directly on github [here](../docs/index.md)
+>
+> Alternatively you can clone the repo and run mkdocs locally to view the documentation:
+>  * Install [Mkdocs](https://squidfunk.github.io/mkdocs-material/getting-started/)
+>  * run `mkdocs serve` from the root of this repo