Implementing 2FA Authentication on my API Gateway with CDK?

0

Hey all! I have deployed an API Gateway with CDK. It looks like this:

    const apiKey = new apigateway.ApiKey(
      this,
      `NAME`,
      {
        description: "DESCRIPTION",
        enabled: true,
      }
    );

    const api = new apigateway.RestApi(
      this,
      `NAME`,
      {
        domainName: {
          domainName: endpointName,
          certificate: certificate,
        },
        restApiName: `NAME`,
        description: "DESCRIPTION",
        endpointTypes: [apigateway.EndpointType.REGIONAL],
        deployOptions: {
          stageName: "prod",
        },
      }
    );

    const usagePlan = new apigateway.UsagePlan(
      this,
      `NAME`,
      {
        name: `NAME`,
        apiStages: [
          {
            api: api,
            stage: api.deploymentStage,
          },
        ],
      }
    );

    new apigateway.CfnUsagePlanKey(
      this,
      `NAME`,
      {
        keyId: apiKey.keyId,
        keyType: "API_KEY",
        usagePlanId: usagePlan.usagePlanId,
      }
    );

But now I would also like users to use 2FA (SMS, app) to authenticate before using the API. I guess they have to log in and get some sort of token? Is there example code for this? Can I use Google SSO, or would it be easier to create a fresh Cognito user pool? I don't really mind either. Am I going to have to implement custom authenticator code? And a /login endpoint, I would assume? Does anybody have any docs/blogs/tips to create this? Would love to hear back. Thanks in advance.

1 Answer
0

You can add MFA or Security challenges to access your AWS API Gateway by using Cognito and Lambda Authorizers.

Here is a blog showing the solution: https://aws.amazon.com/blogs/security/implement-step-up-authentication-with-amazon-cognito-part-1-solution-overview/

AWS
vtjean
answered a year ago
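
The Cognito route in CDK, as an added example (not code from the asker, the answerer or the linked blog): a user pool with MFA required at sign-in and API Gateway's built-in Cognito authorizer on a method, which covers sign-in MFA rather than the blog's Lambda-authorizer step-up flow. It assumes aws-cdk-lib v2; the stack name, construct IDs, `/orders` resource and mock integration are placeholders.

```typescript
import { App, Stack } from "aws-cdk-lib";
import * as apigateway from "aws-cdk-lib/aws-apigateway";
import * as cognito from "aws-cdk-lib/aws-cognito";

// Added example: all names below are placeholders, not the asker's resources.
export class MfaProtectedApiStack extends Stack {
  constructor(scope: App, id: string) {
    super(scope, id);

    // Every sign-in must complete a second factor: SMS code or TOTP app.
    const userPool = new cognito.UserPool(this, "UserPool", {
      signInAliases: { email: true },
      mfa: cognito.Mfa.REQUIRED,
      mfaSecondFactor: { sms: true, otp: true },
    });

    // Public app client used by the front end to sign in (SRP, no client secret).
    userPool.addClient("ApiClient", {
      authFlows: { userSrp: true },
      generateSecret: false,
    });

    const api = new apigateway.RestApi(this, "Api", {
      endpointTypes: [apigateway.EndpointType.REGIONAL],
      deployOptions: { stageName: "prod" },
    });

    // Built-in authorizer: API Gateway validates the Cognito token itself,
    // so no custom authorizer Lambda or /login endpoint on the API is needed.
    const authorizer = new apigateway.CognitoUserPoolsAuthorizer(this, "Authorizer", {
      cognitoUserPools: [userPool],
    });

    // The mock integration stands in for the real backend.
    api.root.addResource("orders").addMethod("GET", new apigateway.MockIntegration(), {
      authorizer,
      authorizationType: apigateway.AuthorizationType.COGNITO,
      apiKeyRequired: true, // keep the usage-plan API key for metering, not for identity
    });
  }
}

// Synthesizes the stack in memory and returns its CloudFormation template.
export function synthTemplate(): any {
  const app = new App();
  const stack = new MfaProtectedApiStack(app, "MfaProtectedApi");
  return app.synth().getStackByName(stack.stackName).template;
}
```

Clients sign in against the user pool, complete the MFA challenge there, and send the resulting token in the `Authorization` header together with the `x-api-key` header.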
