Authorization is the process of validating what a user can access. In Amplify Studio you can specify authorization rules that limit individual user or group access to create, read, update, or delete operations on your data. Amplify Studio supports owner, public, private, and group based authorization at the model level. When an authorization directive is added to a type, all fields of the type are made available to that mode by default.
As you create a data model for your app, you can use the Inspector Panel on the right side of the Data modeling page to set authorization rules.
- Launch Studio for an app
- On the Set up menu, choose Data.
- On the Data modeling page, locate the Authorization mode menu in the upper right corner.
- Choose one of API Key, Cognito user pool, or IAM.
Skip ahead to set up authorization rules for the bookstore app, or learn about the different authorization modes below.
The type of authorization rules that you are able to set depends on the authorization mode that you specify. There are three available authorization modes - API_KEY, Cognito User pools, and IAM.
The API key is the default authorization mode when you first deploy a data model. API Keys are recommended for development purposes or use cases where it is safe to provide public access to an API without specific authentication requirements (i.e. guest users). It is recommended to use API keys when you are getting started with the API development, want to iterate quickly, and don’t want to worry about more complicated authorization methods. Applications expected to be long-lived and widely distributed should not use API keys unless you have use cases where all or part of the application will always support guest access. API keys are valid for 30 days before they need to be rotated.
Amplify Authentication is powered by Amazon Cognito User Pools, a fully managed user directory. This the preferred authorization mode with Amplify as it provides finer grained access to your models - scope access to any signed-in user, groups, and owners. Cognito provides a secure way to exchange JWT tokens from User Pools with temporary AWS credentials that allow you to interact with other AWS services.
With the IAM authorization mode, requests are signed using the AWS Signature Version 4 Signing Process. The IAM public authorization mode is primarily used when your application needs to provide guest (public) access to your data. Guest access is accomplished with IAM using Amazon Cognito Identity Pools unauthenticated identities. The IAM private authorization mode is a great fit when used with backend systems (e.g.: Amazon EC2 instances or AWS Lambda) that can be securely configured with AWS credentials.