Managing Identity and Securing Your Mobile and Web Applications with Amazon Cognito : Level 300
Stephen Liedig, Solutions Architect, Amazon Web Services
Note: These are notes taken from various sessions and the keynote of the 2017 AWS Public Sector Summit held in Canberra, Australia. The information might be slightly unstructured, and the photos might be a bit raw.
Note: The level 300 sessions were squashed into short slots; as a consequence, the presenters were really under pressure to zoom through the content. As a result, I found it difficult to make notes and listen at the same time in an effective manner.
Development: Mobile, Apps and Identity
Rapid Pace of Delivery / This presentation
Pretty much as you’d expect
Tailored user experience
Manage user lifecycles
Managing identity infrastructure is difficult
SAML federation (with other STSs)
Built-in user pools
Syncs app data (datasets) across a user's devices
Cognito Use Cases
* APIs (API Gateway)
* B2E (employees)
* SAML-supported federation
* AWS resources
Don't store authentication data inline in app data stores
Only store verification identifiers
Other auth types?
Answer: Cognito User Pools
API-driven, out of the box
Flows can be extended with Lambda triggers
Create custom attributes, per-application permissions, password policies and groups
Event-based wiring for extension; customize messages (e.g. SMS, email)
Hosted UI (new)
Customize with CSS.
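The Lambda extension points above are easiest to see in code. The following is an added example written for these notes, not code shown in the session: a Pre Token Generation trigger that maps a custom attribute to a group and IAM role, adds a string claim, and suppresses attributes the app does not need. The attribute name `custom:department`, the group names, the role ARNs and the account ID are all assumptions; the event and response shapes (`request.userAttributes`, `request.groupConfiguration`, `response.claimsOverrideDetails`) are the ones the trigger uses. Claims added this way land in the ID token.

```javascript
'use strict';

// Hypothetical mapping (assumed, not from the talk): which department value on the
// pool's custom:department attribute maps to which group and IAM role.
const DEPARTMENT_MAPPING = {
  finance: { group: 'finance-users', role: 'arn:aws:iam::123456789012:role/FinanceReadOnly' },
  engineering: { group: 'engineers', role: 'arn:aws:iam::123456789012:role/EngineerDev' },
};

// Attributes the app never needs in the token: keep what leaves the pool to a minimum.
const SUPPRESSED_CLAIMS = ['phone_number', 'address'];

// Pure function so the mapping logic can be exercised without a Lambda runtime.
function buildTokenOverrides(event) {
  const attrs = event.request.userAttributes || {};
  const groupConfig = event.request.groupConfiguration || {};
  const groups = [...(groupConfig.groupsToOverride || [])];
  const roles = [...(groupConfig.iamRolesToOverride || [])];
  let preferredRole = groupConfig.preferredRole;

  // userAttributes values are strings; normalise before looking the department up.
  const dept = (attrs['custom:department'] || '').trim().toLowerCase();
  const mapping = DEPARTMENT_MAPPING[dept];
  if (mapping) {
    if (!groups.includes(mapping.group)) groups.push(mapping.group);
    if (!roles.includes(mapping.role)) roles.push(mapping.role);
    preferredRole = preferredRole || mapping.role;
  }

  // Custom claims must be string-valued. Only a verified email is marked as trusted,
  // so nothing downstream authorises on an address the user merely typed in.
  const claimsToAddOrOverride = {
    'custom:department': dept || 'none',
    email_trusted: attrs.email && attrs.email_verified === 'true' ? 'true' : 'false',
  };

  return {
    ...event,
    response: {
      claimsOverrideDetails: {
        claimsToAddOrOverride,
        claimsToSuppress: SUPPRESSED_CLAIMS,
        groupOverrideDetails: {
          groupsToOverride: groups,
          iamRolesToOverride: roles,
          preferredRole,
        },
      },
    },
  };
}

// Lambda entry point: Cognito expects the (mutated) event back.
exports.handler = async (event) => buildTokenOverrides(event);
```

Because the trigger runs on every token issuance, keep it fast and side-effect free; anything it needs (mapping tables, feature flags) should be in configuration rather than fetched per call.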
I wonder what they do here
Have to create custom authorizers
User flow: uses authorization codes exchanged for tokens; the tokens are JWTs
Interesting. That’s how you pass custom attributes
RLS: Why not OAuth2?
Scopes are defined to group claim rules; the token is passed in the HTTP Authorization header.
Secure at the resource level:
individual HTTP verbs and resources can be secured.
Authorizer results can be cached for up to one hour.
Cognito User pool is a good choice for blanket authentication
Federated Identities (the app uses the AWS SDKs and AWS APIs with temporary credentials)
No embedding of credentials in the app
Another option: RBAC
Further customization: look for claims within tokens, e.g. custom attributes, and map them to groups/permissions
Active Directory – SAML support
Configure federation claim mappings directly in Cognito user pools
I wonder how this affects user management
RLS: The presenter’s nerves are getting to him. He’s going OK, maybe he feels rushed?
Use API gateway to secure backend resources
RLS: Interesting, they don’t like WS-Fed? SAML, JWT is a bit old school?
EC2 Instance roles
RLS: Interesting. I’ve built this before with IdentityServer
Can use Lambda too.
RLS: Quite a few things left to discuss… but hard in 30 mins to cover it all.