
Amazon Cognito Deep Dive

1,418 views


by Fritz Kunstler, Sr. AWS Security Consultant AWS

Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management; our popular Threat Detection and Remediation day on Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.


Amazon Cognito Deep Dive

  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Pop-up Loft: Amazon Cognito Overview. Fritz Kunstler, Senior Consultant, AWS Security
  2. Identity is mission critical for applications. User identity spans three concerns:
     • Authentication: sign in users; enable federation with enterprise identities; enable federation with social identities
     • Authorization: protect data and operations; provide fine-grained access control
     • User management: manage user lifecycles; store and manage user profile data; monitor engagement
  3. Developing auth infrastructure is difficult:
     • Need to develop a reliable user directory to manage identities
     • Handling user data and passwords and protecting privacy
     • Prioritizing scalability of your infrastructure upfront
     • Implementing token-based authentication
     • Support for multiple social identity providers
     • Federation with corporate directories for B2E applications
  4. Your User Pools:
     • Serverless authentication and user management: add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure
     • Enhanced security features: verify phone numbers and email addresses and offer multi-factor authentication
     • Managed user directory: launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to hundreds of millions of users
  5. Comprehensive user flows:
     • User sign-up and sign-in: allow users to sign up and sign in using an email, phone number, or username (and password) for your application
     • Email or phone number verification: require users to verify their email address or phone number prior to activating their account with a one-time password challenge
     • Forgot password: provide users the ability to change their password when they forget it with a one-time password challenge
     • User profile data: enable users to view and update their profile data, including custom attributes
     • SMS multi-factor authentication: require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow
     • Token-based authentication: use JSON Web Tokens (JWTs) based on the OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
     • Customize these user flows using Lambda
  6. Custom user flows using Lambda hooks (category / Lambda hook / example scenarios):
     • Custom authentication flow
       • Define auth challenge: determines the next challenge in a custom auth flow
       • Create auth challenge: creates a challenge in a custom auth flow
       • Verify auth challenge response: determines whether a response is correct in a custom auth flow
     • Authentication events
       • Pre-authentication: custom validation to accept or deny the sign-in request
       • Post-authentication: event logging for custom analytics
       • Pre-token generation: customize claims in the ID token
     • Sign up
       • Pre-sign-up: custom validation to accept or deny the sign-up request
       • Post-confirmation: custom welcome messages or event logging for custom analytics
     • Messages
       • Custom message: advanced customization and localization of messages
  7. Extensive admin capabilities:
     • Create and manage User Pools: create, configure, and delete multiple user pools across AWS regions
     • Define custom attributes: define custom attributes for your user profiles
     • Set per-app permissions: set read and write permissions for each user attribute on a per-app basis
     • Set up password policies: enforce password policies like minimum length and requirement of certain types of characters
     • Require submission of attribute data: select which attributes must be provided by the user prior to completion of the sign-up process
     • Search users: search users based on a full match or a prefix match of their attributes through the console or Admin API
     • Manage users: conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
  8. Key features in Amazon Cognito User Pools:
     • Built-in, customizable user interface for sign-up / sign-in
     • Federation with Facebook, Login with Amazon, Google, and SAML providers
     • OAuth 2.0 support
  9. Built-in, customizable user interface:
     • Upload your own logo and adjust CSS properties to fit your style and branding
  10. Federation with Cognito User Pools:
     • Built-in integrations with identity providers: social (Facebook, Google, Login with Amazon) and corporate via SAML 2.0
     • Map user attributes into User Pool profiles
     • Universal directory with a common set of profiles and tokens for all users (the User Pool issues Cognito tokens regardless of the upstream provider)
  11. Support for OAuth 2.0 in Cognito User Pools:
     • OAuth 2.0 flows: authorization code, implicit, client credentials
     • Custom scopes defined for resource servers
  12. Amazon Cognito and Amazon API Gateway (diagram: Amazon Cognito identity management in front of Amazon API Gateway, which fronts AWS Lambda microservices):
     • Native support: configure API Gateway to accept (A) ID tokens, to authorize users based on their existence in a user pool, or (B) access tokens, to authorize users based on OAuth 2.0 scopes
     • Custom authorizer function: control access to your APIs using bearer token authentication strategies, such as OAuth or SAML; API Gateway's custom authorizer feature uses bearer tokens to determine access privileges
  13. Importing existing users:
     • Batch imports: import users by uploading .csv files; users will create a new password when they first sign in; each imported user must have an email address or a phone number
     • One-at-a-time migration: a new Lambda trigger integrates migration into the sign-in workflow and retains existing passwords; the app first tries to sign in via Cognito, and if the user does not exist, the app signs in via the prior identity system, captures the username and password, and silently creates the user in Cognito
  14. Cognito Federated Identities (Identity Pools):
     • Exchange tokens from authenticated users for AWS credentials to access resources such as S3 or DynamoDB
     • You can define rules for mapping users to different IAM roles to manage permissions
     • Provide an identity pool id to uniquely identify users
     • (diagram: mobile or web app presents a token to the Cognito Identity Pool, receives AWS credentials, and accesses backend resources such as DynamoDB, S3, or API Gateway; access is tied to the IAM role)
  15. Two ways to federate with Amazon Cognito:
     • Cognito User Pools: handle the IdP interactions for you; provide profiles to manage users; provide OpenID Connect and OAuth 2.0 standard tokens; priced per monthly active user
     • Cognito Identity Pools: provide AWS credentials for accessing resources on behalf of users; support rules to map users to different IAM roles; free
  16. Amazon Cognito identity management scenarios: business to consumer, business to business, business to employee, and IoT (diagram: enterprise directories federate via SAML; IoT devices connect through AWS IoT)
  17. Amazon Cognito authorization scenarios:
     • Standalone identity provider: OIDC and OAuth 2.0 tokens from User Pools can be used directly to access backend resources
     • Amazon API Gateway: User Pool tokens authorize requests via Amazon API Gateway; token claims can be inspected
     • AWS credentials: temporary AWS credentials provide access to AWS services (S3, DynamoDB, Lambda); users can be mapped to different roles and policies
  18. Amazon Cognito for authentication and access:
     • User Pools authenticate users and return standard tokens
     • User Pool tokens are used to access backend resources
     • Identity Pools provide AWS credentials to access AWS services
     • (diagram: the app authenticates with a federating IdP, the IdP token is redirected or posted back to the Cognito User Pool, which returns a CUP token; the CUP token accesses the serverless backend via API Gateway and Lambda, and is exchanged at the Cognito Identity Pool for AWS credentials to access AWS services such as DynamoDB and S3)
  19. Advanced security features (beta): protections against compromised credentials and anomalous sign-in attempts
  20. Advanced security: compromised credentials
     • Detect, in real time, the reuse of compromised credentials as users sign up, sign in, or change their password
     • Choose whether to block users from reusing compromised credentials
  21. Advanced security: adaptive authentication
     • Detect anomalies during sign-in events, including sign-in from a previously unseen or atypical location or from a previously unknown device; sign-in from IP addresses with a high number of failed sign-in attempts; sign-in from malicious IP addresses
     • Choose factors to secure sign-in requests for a given risk level; factors include SMS and TOTP (e.g. Google Authenticator)
     • Alert users to suspicious sign-in attempts
  22. Advanced security: reporting
     • View aggregate metrics on the threats detected by each feature
     • List users against whom threats were detected, and recent sign-in activity for users
  23. Amazon Cognito compliance
  24. Pop-up Loft: aws.amazon.com/activate, everything and anything startups need to get started on AWS
