AWS Summit 2017 – Managing Identity and Securing Your Mobile and Web Applications with Amazon Cognito


Managing Identity and Securing Your Mobile and Web Applications with Amazon Cognito : Level 300

Stephen Liedig, Solutions Architect, Amazon Web Services

Note: These are notes taken from various sessions and the keynote of the 2017 AWS Public Sector Summit held in Canberra, Australia. The information might be slightly unstructured, and the photos might be a bit raw.

Note: The level 300 sessions were being squashed into short sessions; as a consequence, the presenters were really under some pressure to zoom through the content. As a result, I found it difficult to make notes and listen at the same time in an effective manner.

Development: Mobile, Apps and Identity

Amazon Cognito

Development Mobile and Identity
Rapid Pace of Delivery / This presentation
Why identity?
Pretty much as you’d expect

Development Mobile and Identity_1
Federation
Tailored user experience
Access controls
Manage user lifecycles
Managing Identity Infra is difficult

Development Mobile and Identity_2
Nothing surprising

Development Mobile and Identity_3
SAML federation (other STSes)
Built-in user pools

Development Mobile and Identity_4
Syncs data in states
Secure APIs

Development Mobile and Identity_5
Cognito Use Cases
  *   IoT
  *   APIs (API Gateway)
  *   B2C
  *   B2E (employees)
  *   B2B
  *   SAML-supported federation
  *   AWS resources
Don’t store auth inline in app data stores
Abstract identities

Development Mobile and Identity_6
Only store verification identifiers
Other auth types?

Development Mobile and Identity_7
Best practices
Answer: Cognito User Pools

Development Mobile and Identity_8
API driven, OOTB
Flows can be extended with Lambda
Create custom attributes, per-application permissions, password policies and groups

Development Mobile and Identity_9
Event-based wiring for extension. Customize messages (e.g. SMS, email)

Hosted UI (new)

Development Mobile and Identity_10
Customize with CSS.

Development Mobile and Identity_11
I wonder what they do here

Development Mobile and Identity_12
No authorization
Have to create custom authorizers
User flow: uses codes (tokens?). JWT
Interesting.  That’s how you pass custom attributes

Development Mobile and Identity_13
RLS: Why not OAuth2?
Scopes are defined for grouping claim rules.  Passed in HTTP Auth header.

Development Mobile and Identity_14
Secure at resource level.

Development Mobile and Identity_15
HTTP verbs, resources can be secured
Within policy

Development Mobile and Identity_16
Cached credentials for up to one hour.

Development Mobile and Identity_17
Cognito User pool is a good choice for blanket authentication
Federated Identities (use SDKs and AWS APIs)

Development Mobile and Identity_18
No embedding credentials

Development Mobile and Identity_19
Another option: RBAC
FURTHER customization: look for claims within tokens (e.g. custom attributes) and map them to groups/permissions

Development Mobile and Identity_20
Active Directory – SAML support

Social Media

Development Mobile and Identity_21
Configure Federation claim mappings directly to Cognito user pools
I wonder how this affects user management

Development Mobile and Identity_22
Looks familiar
RLS: The presenter’s nerves are getting to him.  He’s going OK, maybe he feels rushed?

Development Mobile and Identity_23
Use API gateway to secure backend resources
RLS: Interesting, they don’t like WS-Fed?  SAML, JWT is a bit old school?
Authenticating systems
EC2 Instance roles

Development Mobile and Identity_24
RLS: Interesting.  I’ve built this before with IdentityServer

Development Mobile and Identity_25
Can use Lambda too.

Development Mobile and Identity_26
RLS: Quite a few things left to discuss…  but hard in 30 mins to cover it all.


About Rob Sanders

IT Professional and TOGAF 9 certified architect with nearly two decades of industry experience, 18 years in commercial software development and 11 years in IT consulting. Check out the "About Rob" page for more information.
