Managing Identity and Securing Your Mobile and Web Applications with Amazon Cognito : Level 300
Stephen Liedig, Solutions Architect, Amazon Web Services
Note: These are notes taken from various sessions and the keynote of the 2017 AWS Public Sector Summit held in Canberra, Australia. The information might be slightly unstructured, and the photos might be a bit raw.
Note: The level 300 sessions were squashed into short slots; as a consequence, the presenters were under real pressure to zoom through the content. As a result, I found it difficult to take notes and listen at the same time in an effective manner.
Development: Mobile, Apps and Identity
Amazon Cognito
Rapid Pace of Delivery / This presentation
Why identity?
Pretty much as you’d expect
Federation
Tailored user experience
Access controls
Manage user lifecycles
Managing Identity Infra is difficult
SAML federation (other STSes)
Built-in user pools
Syncs data in states
Secure APIs
Cognito Use Cases
* IoT
* APIs (API Gateway)
* B2C
* B2E (employees)
* B2B
* SAML-based federation
* AWS resources
Don’t store auth inline in app data stores
Abstract identities
Only store verification identifiers
Other auth types?
Best practices
Answer: Cognito User Pools
API driven, out of the box
Flows can be extended with Lambda
Create custom attributes, per-application permissions, password policies and groups
Event-based wiring for extension. Customize messages (e.g. SMS, email)
Hosted UI (new)
No authorization built in; you have to create custom authorizers
User flow: uses codes (tokens?). JWT
Interesting. That’s how you pass custom attributes
RLS: Why not OAuth2?
Scopes are defined for grouping claim rules; they are passed in the HTTP Authorization header.
HTTP verbs and resources can be secured within a policy.
Cached credentials for up to one hour.
A Cognito User Pool is a good choice for blanket authentication
Federated Identities (use SDKs and AWS APIs)
Another option: RBAC
Further customization: look for claims within tokens (e.g. custom attributes) and map them to groups/permissions
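As an added example (not code from the session or from AWS), the custom-authorizer pattern described above in Python: check the standard claims of a Cognito ID token, map the cognito:groups claim to allowed HTTP verbs and resources, and forward custom attributes to the backend in the authorizer context. The issuer, app client id, API ARN and group permissions are constructed placeholders, and signature verification against the user pool's JWKS is assumed to have been done before these functions run.

```python
import time

# Constructed values for this example: replace with your own pool, app client and API.
EXPECTED_ISSUER = "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_EXAMPLE"
EXPECTED_AUDIENCE = "example-app-client-id"
API_ARN = "arn:aws:execute-api:ap-southeast-2:123456789012:abcd1234/prod"

# Which HTTP verbs and resource paths each Cognito group may invoke (constructed mapping).
GROUP_PERMISSIONS = {
    "readers": [("GET", "/reports/*")],
    "editors": [("GET", "/reports/*"), ("PUT", "/reports/*")],
    "admins": [("*", "/*")],
}


def validate_claims(claims, now=None):
    """Check issuer, audience, token type and expiry of a Cognito ID token and return its subject.
    Signature verification against the pool's JWKS is assumed to have happened already."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token was issued for a different app client")
    if claims.get("token_use") != "id":
        raise ValueError("expected an ID token, not an access or refresh token")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or has no exp claim")
    if not claims.get("sub"):
        raise ValueError("token has no subject")
    return claims["sub"]


def build_policy(claims, now=None):
    """Turn validated claims into the response an API Gateway Lambda authorizer returns."""
    principal = validate_claims(claims, now)
    resources = [f"{API_ARN}/{verb}{path}"
                 for group in claims.get("cognito:groups", [])
                 for verb, path in GROUP_PERMISSIONS.get(group, [])]
    # Custom attributes (custom:xxx claims) are passed to the backend through the context map.
    context = {k.split(":", 1)[1]: str(v) for k, v in claims.items() if k.startswith("custom:")}
    statement = {"Action": "execute-api:Invoke",
                 "Effect": "Allow" if resources else "Deny",
                 "Resource": resources or [f"{API_ARN}/*"]}
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
            "context": context}
```

A token that fails validate_claims should make the authorizer raise rather than return a policy, so the caller gets a 401 instead of a cached Deny.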
Active Directory: SAML support
Social Media
Configure Federation claim mappings directly to Cognito user pools
I wonder how this affects user management
Looks familiar
RLS: The presenter’s nerves are getting to him. He’s going OK, maybe he feels rushed?
Use API gateway to secure backend resources
RLS: Interesting, they don’t like WS-Fed? SAML, JWT is a bit old school?
Authenticating systems
EC2 Instance roles
RLS: Interesting. I’ve built this before with IdentityServer
RLS: Quite a few things left to discuss… but hard in 30 mins to cover it all.