What I liked:
- Complete walk through AWS Cognito flow: Authorise with DynamoDB, ask Cognito for token and ID, ask Cognito for AWS credentials derived from an AWS role that lasts an hour.
- Independent IAM checkup that is run by AWS: The APP tries to act without running any authorisation logic in itself. The authorization logic is embedded in the AWS policy on each resource the APP tries to reach and cross checked with the AWS role the session got via Cognito.
- Strong anti data theft system: The access policy allows access to items only if the item's user ID attribute matches the current Cognito session ID. So user A cannot dump details of user B…
- AWS API Gateway can automatically create a client SDK based on your app for many program languages.
- You can hide the fact your SDK uses AWS credentials.
- Integration with Swagger.io as a source repository for API document spec.