Chris Biscardi

Which AWS AppSync Authorization mode should you use?

There are four authorization modes you can use with AWS AppSync. You probably want to use IAM with an Identity Pool for "fullest security". COGNITO_USER_POOL is a solid option for less complex applications as well.

  • COGNITO_USER_POOL
  • IAM
  • API_KEY
  • OPENID_CONNECT

COGNITO_USER_POOL

Use this when you have a less complex use case and aren't using Identity Pools to lock down user access to resources with per-user IAM roles. (Your Lambdas still need access to your resources.)

IAM

Use this when you have per-user IAM roles and want to use those instead of Lambda-wide IAM roles. You can use the user's IAM role instead of the Lambda's to check whether a user can access DynamoDB (for example).

API_KEY

Good for testing and prototyping. You only get 50 API keys per AppSync API, so it's better to go to production with a different option.

OPENID_CONNECT

If you're using a third-party provider such as Auth0, you may want to use this option to integrate with Auth0.