Secure your applications with the AWS Cognito service

Vinoo PalayoorVinoo Palayoor
4 min read

Identity access management is a critical component of user experience as apps modernize into various mediums like web, mobile, connected TVs, and other devices. Our identities need to be secure, but we need to make it easy for users by not having them sign into multiple applications.

AWS Cognito is a service that simplifies identity management for apps built in the AWS ecosystem. It facilitates the authentication of users and the authorization of those users to access resources in your application.

Let us say you have a single-page web application that needs to access an AWS resource like a private S3 bucket and display the contents to the user on the page. Like many modern web applications, you want your users to leverage single sign-on (SSO) and use third-party identity providers like Google, Apple, or Facebook to log in to your app. You could implement the Oauth flow in your application to get an access token. With that token, your app has validated an identity, but that's it — you can't use this token to get access to AWS services automatically.

If you want a deep dive into OAuth 2.0, this talk from Nate Barbettini demystifies this standard extremely well.

To gain access to AWS services, even with an OAuth access token, your applications will still need separate access keys or will have to assume a role with the appropriate privileges to provide access to services like AWS S3. This is fine for a single user with relatively uniform permissions but wouldn't scale as well for many different user types, each with their own fine-grained access requirements like access to only specific folders in S3 by the user. It would help if you implemented something that can exchange that token for the specific privileges required to access S3. That is where the AWS Cognito service comes in. Your application can take the access token you have received directly from Cognito or via Google, Facebook, Amazon, or any other provider and exchange it for temporary AWS credentials.

It is like the key card you use at a hotel; you check in at the front desk, verify your identity, and they hand you a key card. That key card can access your room and the hotel gym, but you cannot get into the business office with that key.

Enough of the overview; let's get into the service in more detail. AWS Cognito has two main components — user pools and identity pools. In the simplest terms, user pools authenticate your users, and identity pools authorize what those users can do and access.

  1. User pools are a pool of users sourced from Cognito itself or a third-party identity provider. Cognito offers some other services in the user pool, such as a customizable web login UI and security features (i.e., MFA, checks for compromised credentials, account takeover protection, and phone and email verification.) The critical thing to remember is that when an application interacts with a user pool, it is granted a user access token (a.k.a. JWT access token) that can access internal app resources (things outside of AWS that you manage.) While you cannot use this to access most AWS services, the one exception is API Gateway, where the token can be used to provide access to APIs or Lambda functions.

  2. Identity pools are constructs that swap authenticated or unauthenticated identities for valid temporary AWS credentials. By taking the access token granted to the application by the user pool, it can interact with Cognito and exchange the access token for temporary AWS credentials with access to AWS resources.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html

So why should you use Cognito in your application?

Cognito provides a comprehensive Identity access management framework that follows users through their authentication and into the broader AWS ecosystem. With IAM embedded into Cognito, an authenticated user can exchange their token (that key) for an IAM role and policy with the appropriate AWS privileges for that user — nothing more and nothing less. The Cognito service has a rich set of SDK libraries and APIs to give developers full access to the service's capabilities.

I hope this helps clarify the AWS Cognito service and how you might use it in your next web and mobile applications!

0
Subscribe to my newsletter

Read articles from Vinoo Palayoor directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Vinoo Palayoor
Vinoo Palayoor

☁️ I am a 12X AWS Certified Cloud architect and enjoy building serverless cloud native applications. 📈 I am energized by using data in unique ways to drive business decision making. ⭐I love to learn about tech and share my knowledge and experience.