I have configured a custom authorizer in API Gateway for a proxy resource, but my requirement is to exempt a few APIs from authorization, and I don't want to configure a new API in API Gateway because I'm trying to design a proxy through API Gateway.
For example, the API /server/ver1.0/rest/{proxy+} is my REST API configured in API Gateway. It goes through the custom authorizer and, if that succeeds, it invokes the backend HTTP service.
But I would like to exempt the API /server/ver1.0/rest/acc/reg from authorization.
Not sure if this directly answers the OP, since we do not proxy our requests to a backend API but use Lambda for all API calls, but we still need to authorize only part of our API. This is how we've done it:
We have an API deployed with SAM, and in this project we use a custom authorizer for most of the API.
```yaml
MonitorApi:
  Type: AWS::Serverless::Api
  Properties:
    Cors:
      AllowMethods: "'OPTIONS,POST,GET,PATCH,DELETE'"
      AllowHeaders: "'*'"
      AllowOrigin: "'*'"
    StageName: !Ref AppStage
    GatewayResponses:
      DEFAULT_4xx:
        ResponseParameters:
          Headers:
            Access-Control-Expose-Headers: "'*'"
            Access-Control-Allow-Headers: "'*'"
            Access-Control-Allow-Origin: "'*'"
    Auth:
      DefaultAuthorizer: LambdaTokenAuthorizer # This authorizer is used on the API
      AddDefaultAuthorizerToCorsPreflight: false
      Authorizers:
        LambdaTokenAuthorizer:
          FunctionArn: !GetAtt AuthorizeFunction.Arn
          Identity:
            Header: Authorization
            ReauthorizeEvery: 300
```
For some resources that we need to make publicly available we override this on the function level, like this:
```yaml
SystempingFunction: # Systemping service in API
  Type: AWS::Serverless::Function
  Properties:
    CodeUri: monitor/
    Handler: systemping.handler
    Runtime: nodejs12.x
    Timeout: 20
    Events:
      SystempingEvent:
        Type: Api
        Properties:
          Auth:
            Authorizer: NONE # Turn off Authorization for this function
          Path: /systemping
          Method: get
          RestApiId: !Ref MonitorApi
```
Finally, I have solved the issue the same way I described in my question.
As AWS gives no programmatic way to omit a specific condition, we are left with the options below:
1) Create a separate API. In this way, AWS would give preference to the more specific API over the generic one, i.e. the API /server/ver1.0/rest/acc/reg would be given preference over /server/ver1.0/rest/{proxy+}.
2) Modify the custom authorizer Lambda function to check each and every URL pattern, but this makes the Lambda custom authorizer much more complex and less maintainable.
I have adopted the first option as it's cleaner and easier to maintain; moreover, I didn't want to pollute my Lambda custom authorizer with various URL patterns.
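For readers who still need option 2 (exemptions decided inside the authorizer rather than by a more specific API resource), the following is an added example and not code from either answer above. It is a Node.js Lambda authorizer written for a REQUEST-type authorizer: the exempt route is allowed without a token, every other route requires a bearer token, and the returned IAM policy is scoped to the single method ARN so that a cached Allow cannot be reused for another path. The allowlist entry (POST on /server/ver1.0/rest/acc/reg), the principal ids and the `demo-token-123` credential are assumptions made up for the example; a real deployment would verify a signed token instead of comparing against a constant. Two caveats, stated here because they decide whether this approach works at all: a TOKEN authorizer such as the first answer's `LambdaTokenAuthorizer` is never invoked when the `Authorization` header is missing (API Gateway answers 401 before calling the function), so exemptions for unauthenticated calls need a REQUEST authorizer whose identity source is still present on the exempt call, or caching turned off (`ReauthorizeEvery: 0`); and the authorizer's decision is only as good as its path matching, so the allowlist is compared exactly after normalisation rather than by prefix.

```javascript
// Added example (not from the original Q&A): a REQUEST-type Lambda authorizer
// with an explicit exemption list. Paths, principal ids and the demo token are
// assumptions for illustration only.

// Routes callable without a token, keyed as "METHOD path". The registration
// endpoint from the question is assumed to be a POST.
const PUBLIC_ROUTES = new Set(['POST /server/ver1.0/rest/acc/reg']);

// Constructed demo credential store. A real authorizer would verify a signed
// token (signature, expiry, audience) rather than compare against a constant.
const DEMO_TOKENS = new Map([['demo-token-123', { principalId: 'user-42' }]]);

// Build the response shape API Gateway expects from a Lambda authorizer.
// Resource is the single method ARN, not a wildcard, so that a cached Allow
// keyed on the identity source cannot be replayed against other routes.
function buildPolicy(principalId, effect, methodArn) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [
        { Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn },
      ],
    },
  };
}

// Exact-match normalisation: drop one trailing slash so "/acc/reg/" and
// "/acc/reg" compare equal. No prefix matching, so "/acc/reg-admin" stays protected.
function normalizePath(p) {
  return p.length > 1 && p.endsWith('/') ? p.slice(0, -1) : p;
}

// Header names arrive in arbitrary case; find Authorization case-insensitively
// and accept only the "Bearer <token>" form.
function extractBearer(headers) {
  if (!headers) return null;
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'authorization');
  if (!key) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(String(headers[key]));
  return m ? m[1] : null;
}

// Core decision for a REQUEST authorizer event
// (event.httpMethod, event.path, event.headers, event.methodArn).
function authorize(event) {
  const route = `${(event.httpMethod || '').toUpperCase()} ${normalizePath(event.path || '')}`;
  if (PUBLIC_ROUTES.has(route)) {
    // Exempt route: allow anonymously, but only this exact method ARN.
    return buildPolicy('anonymous', 'Allow', event.methodArn);
  }
  const token = extractBearer(event.headers);
  const identity = token ? DEMO_TOKENS.get(token) : undefined;
  if (!identity) {
    // Explicit Deny yields a 403; throwing new Error('Unauthorized') would give a 401 instead.
    return buildPolicy('anonymous', 'Deny', event.methodArn);
  }
  return buildPolicy(identity.principalId, 'Allow', event.methodArn);
}

// Lambda entry point. Guarded so the file also loads outside CommonJS.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = { handler: async (event) => authorize(event), authorize, buildPolicy };
}
```

Wire it up in SAM as a REQUEST authorizer (`Identity` with `Headers`, or caching disabled) rather than the TOKEN authorizer shown in the first answer, and keep `PUBLIC_ROUTES` short: every entry is a route that bypasses authentication entirely, which is exactly the maintenance burden the accepted answer chose to avoid.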