AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Service - Jinesh Varia
•Download as PPTX, PDF•
24 likes•6,580 views
The document discusses Amazon Cognito and how it can be used to authenticate users, manage identity, and synchronize user data across devices. It provides an overview of Cognito's capabilities including support for guest users, developer authenticated identities, and using IAM roles to control access. It also demonstrates how to set up Cognito and integrate the mobile SDK to use Cognito's features in a mobile app.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Service - Jinesh Varia
Similar to AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Service - Jinesh Varia (20)
More from Amazon Web Services
More from Amazon Web Services (20)
AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Service - Jinesh Varia
- 1. AWS Mobile Services : Deep Dive on Amazon Cognito Stefano Buliani (@sapessi) Jinesh Varia (@jinman) © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 2. How to build a mobile app today? © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 3. Authenticate users Manage users and identity providers Authorize access Securely access cloud resources Synchronize data Sync user prefs across devices Analyze User Behavior Store and share media Store user-generated photos Media and share them Deliver media Automatically detect mobile devices Deliver content quickly globally Send push notifications Bring users back to your app by sending messages reliably Store shared data Track active users, engagement Store and query fast NoSQL data across users and devices Your Mobile App Track Retention Stream real-time data Manage funnels, Campaign performances Collect real-time clickstream logs and take actions quickly © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 4. Introducing AWS Mobile Services Your Mobile App, Game or Device App AWS Mobile SDK, API Endpoints, Management Console Amazon Cognito Amazon Mobile Analytics Amazon SNS Mobile Push Kinesis Connector DynamoDB Connector S3 Connector SQS ConnectorSES Connector Compute Storage Networking Analytics Databases AWS Global Infrastructure (10 Regions, Availability Zones, 51 Edge Locations) Integrated SDK Mobile Optimized Services Mobile Optimized Connectors Core Building Block Services © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 5. Cross-platform, Optimized for Mobile User identity & data synchronization service Fast cross-platform Analytics & reporting Service Powerful Cross-platform Push notification service Amazon Cognito Amazon Mobile Analytics Amazon SNS Mobile Push Kinesis Connector DynamoDB Connector S3 Connector SQS ConnectorSES Connector Store any NoSQL data and also map mobile OS specific objects to DynamoDB tables Recorder that can handle intermittent network connection Easily upload, download to S3 and also pause, resume, and cancel these operations Send email reliably from device Access distributed buffering and queuing service © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 6. Fully Integrated AWS Mobile SDK • Common authentication mechanism across all services • Automatically handle intermittent network connections • Cross-platform Support: Android, iOS, Fire OS • Native SDKs optimized for Mobile OS, for example, uses the local offline caching architecture • Reduced memory footprint; Pick and choose the service jars you need © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 7. Authenticate users Manage users and identity providers Authorize access Securely access cloud resources Synchronize data Sync user prefs across devices Analyze User Behavior Store and share media Store user-generated photos Media and share them Deliver media Automatically detect mobile devices Deliver content quickly globally Send push notifications Bring users back to your app by sending messages reliably Store shared data Track active users, engagement Store and query fast NoSQL data across users and devices Your Mobile App Track Retention Stream real-time data Manage funnels, Campaign performances Collect real-time clickstream logs and take actions quickly © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 8. Authenticate users Amazon Cognito (Identity Broker) Authorize access AWS Identity and Access Management Synchronize data Amazon Cognito (Sync) Analyze User Behavior Store and share media Your Mobile App AWS Mobile SDK Amazon Mobile Analytics Amazon S3 Transfer Manager Deliver media Amazon CloudFront (Device Detection) Send push notifications Amazon SNS Mobile Push Store shared data Amazon DynamoDB (Object Mapper) Stream real-time data Amazon Kinesis (Recorder) Track Retention Amazon Mobile Analytics © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 9. Amazon Cognito © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 10. Amazon Cognito “Your App data is secure, available offline, and kept in sync between devices” Simplifies Identity and Access Management Implement security best practices Securely access all AWS services from Mobile device Cross-device and Cross-platform Sync Synchronize user’s data across devices and platforms Guest Your own Auth Manage users as unique identities across identity providers © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 11. Unique Joe Anna Bob Identities Identity Providers Any Device Any Platform Any AWS Service Amazon Cognito Identity Support Multiple Login Providers Easily integrate with major login providers for authentication. Unique Users vs. Devices Manage unique identities. Automatically recognize unique user across devices and platforms. Helps implement security best practices Securely access any AWS Service from mobile device. It simplifies the interaction with AWS Identity and Access Management Mobile Analytics S3 DynamoDB Kinesis © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 12. Amazon Cognito for Unauthenticated Identities Guest User Access Securely access AWS resources and leverage app features without the need to create an account or logging in Save Data to the Cloud Save app and device data to the cloud and merge them after login Unique Identifier for Your “Things” “Headless” connected devices can also securely access cloud services. Visitor Preferences Guest Cognito Store EC2 S3 DynamoDB Kinesis © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 13. Use Case: Unique Identity across the web and mobile © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 14. Use case: State transition Users begin their life as guests © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 15. Use case: State transition Later on they register an account • The transition should be seamless © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 16. Use case: State transition Multiple accounts can be linked • You should have a consistent identifier © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 17. Use case: Game State © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 18. Getting Started with Cognito in 3 steps Sign up for AWS Account and login to AWS Management Console Create identitypool for authenticated and unauthenticated users in the AWS Console Download and integrate the Mobile SDK and store and sync user data in a dataset © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 19. Demo: Amazon Cognito Console © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 20. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 21. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 22. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 23. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 24. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 25. Amazon Cognito Security Safeguard AWS Credentials No need to embed credentials in the app anymore. Get least-privileged temporary credentials. Helps implement security best practices Securely access any AWS Service. It simplifies the interaction with Security Token Service and removes the need of Token Vending Machine Set granular access permissions on AWS resources Get fine-grained access control to cloud resources. EC2 S3 DynamoDB Kinesis © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 26. Amazon Cognito Security Architecture Login OAUTH/OpenID Access Token End Users App with AWS Mobile SDK Access Token Pool ID Role ARNs Cognito ID, Temp Credentials Access to AWS Services Cognito Identity Cognito ID (Temp Credentials) S3 Mobile Analytics DynamoDB Developer Broker Cognito Sync Store AWS Management Console © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 27. Developer-Authenticated Identities Your own user authentication system Several apps prefer to have their own username and password instead of public identity providers for authentication. Easily integrate with existing systems Implement GetOpenIdTokeForDeveloperIdentity() using our server-side SDKs like Java, Python, Ruby etc. Manage mappings easily Cognito manages the mappings across login systems (public or private) using a unique Cognito ID Username And Password Your User Authentication System © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 28. Developer Authenticated Identities Cognito Identity Cognito ID (Temp Credentials) S3 Mobile Analytics DynamoDB User Authentication System (Running on AWS or not) Username password OIDC Token End Users Developer App with AWS Mobile SDK Get OpenID Token OIDC Token OIDC Token Pool ID Role ARNs Cognito ID, Temp Credentials Access to AWS Services Broker Cognito Sync Store AWS Management Console © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 29. Amazon Cognito: Authorize Access using AWS IAM © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 30. Amazon Cognito (Identity Broker) Identitypool Identity Providers identitypool Pool of identities that share the same trust policy Web Identity Federation Access Policy Access to AWS Services authenticated identities Unauthenticated Identities AWS IAM Roles AWS Account S3 DynamoDB Get Delete Put © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 31. Access Policy for the IAM Role { "Effect":"Allow", "Action":["s3:*"], "Resource":"*" } { "Effect": ”Deny", "Action": ["dynamodb:*"], "Resource": "*" } { "Effect": "Allow", "Action": [”cognito-sync:*"], "Resource": "*" } Allow Actions: All S3, Sync store Operations Resource: All resources within these services Deny Actions: All DDB Operations Resource: All resources © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 32. Access Policy Restriction { "Effect":"Allow", "Action":["s3:PutObject","s3:GetObject","s3:DeleteObject", "s3:ListMultipartUploadParts","s3:AbortMultipartUpload"], "Resource":"arn:aws:s3:::BUCKET_NAME/*" } { "Effect":"Allow", "Action":["s3:ListBucket","s3:ListBucketMultipartUploads"], "Resource":"arn:aws:s3:::BUCKET_NAME" } { "Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"], "Resource" : [ "arn:aws:dynamodb:REGION:123456789:table/TABLE_NAME", "arn:aws:dynamodb:REGION:123456789:table/TABLE_NAME/ index/INDEX_NAME" ] } Allow Actions: Certain operations Resource: One bucket, table .. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 33. Access Policy Restriction { "Effect":"Allow”, "Action” ["s3:PutObject","s3:GetObject","s3:DeleteObject”,”s3: ListMultipartUploadParts","s3:AbortMultipartUpload"], "Resource":"arn:aws:s3:::BUCKET_NAME/Bob/*" } { "Effect":"Allow", "Action":"s3:ListBucket", "Resource":"arn:aws:s3:::BUCKET_NAME", "Condition":{"StringLike":{"s3:prefix":”Bob/"}} } { "Effect":"Allow", "Action":["s3:ListBucketMultipartUploads"], "Resource":"arn:aws:s3:::BUCKET_NAME" } Allow Actions: Certain operations Resource: Within a bucket with specific prefix (user) © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 34. Access Policy Restriction (Policy Variables) Allow Actions: All sync operations Resource: Only to that identity { "Effect":"Allow", "Action":"cognito-sync:*", "Resource":["arn:aws:cognito-sync:us-east-1: 123456789012:identitypool/ ${cognito-identity.amazonaws.com:aud}/identity/ ${cognito-identity.amazonaws.com:sub}/*"] } { "Effect": "Allow”, "Action": ["s3:GetObject”,"s3:PutObject”], "Resource": ["arn:aws:s3::: myBucket/amazon/snakegame/ ${cognito-identity.amazonaws.com:sub}"] } Allow Actions: S3 Get/Put operations Resource: Only to a specific part of bucket to that identity © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 35. Synchronize data across devices : Amazon Cognito (Sync) © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 36. What have customers told us about “Synchronized Profile” People have multiple devices and want to transition between devices. Implementing a user profile that syncs across devices, OS, apps is hard. It not only has to work when offline, but easy to integrate with existing apps. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 37. Amazon Cognito Sync User Data Storage and Sync Any Platform Identity pool k/v data iOS/Android/FireOS Store App Data, Preferences and State Save app and device data to the cloud and merge them after login Cross-device Cross-OS Sync Sync user data and preferences across devices with one line of code Work Offline Data always stored in local SQLite DB first. Works seamlessly when intermittent or no connectivity © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 38. Amazon Cognito Sync Offline: The client SDK manages a local SQLite data store to allow the app to work even when connectivity is not available. Fast: The methods to read and write data only interact with the local SQLite database. Intelligent Sync: The sync method compares the local version of the data to the cloud sync store, pushes up deltas and pulls down new changes. Flexible Conflict resolution: The sync method first reads the changes then writes its local changes to the cloud sync store By default Cognito assumes that the last write wins. Developers can override and implement their own conflict resolution programmatically Local SQLite Cache © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 39. Sync Data Model Identity Pool: Pool of app users. Can be shared across apps. Identity: An individual user. Consistent across identity providers. Can be a guest user. Dataset: Per user grouping of data. The most granular level of sync. Up to 1MB. Record: Key/Value pair user data AWS Account 1:60 Identity Pool 1:n Identity Identity Identity 1:20 Dataset Dataset Dataset 1:1024 Dataset Dataset Record You Your App Your App Users User Data Container User Data © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 40. Sync Data Model - Example Identitypool1 User preferences Developer has two apps: a game and a productivity app Game state Productivity App Game App AWS Account 1:60 Identity Pool 1:n Identity Identity Identity 1:20 Dataset Dataset Dataset 1:1024 Dataset Dataset Record You Your App Your App Users User Data Container User Data © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 41. Integrating Cognito Sync functionality is dead simple Initialize the CredentialsProvider and CognitoClient provider = new CognitoCachingCredentialsProvider (context, AWS_ACCOUNT_ID, COGNITO_POOL_ID, COGNTIO_ROLE_UNAUTH, COGNITO_ROLE_AUTH, Regions.US_EAST_1); cognito = new CognitoSyncManager (context, COGNITO_POOL_ID, Regions.US_EAST_1, provider); Create or open Dataset and Add Key Values cognito.openOrCreateDataset(datasetName); dataset.put(key, value); Call synchronize on the dataset dataset.synchronize(new SyncCallback(){..}); © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 42. Integrating Cognito Sync functionality is dead simple Initialize the AWSCognitoSyncClient AWSCognitoSyncClient *syncClient = [[AWSCognitoSyncClient alloc] initWithConfiguration: configuration]; Create or open Dataset and Add Key Values DataSet *dataset = [syncClient openOrCreateDataSet:@"myDataSet"]; NSString *value = [dataset readStringForKey:@"myKey"]; [dataset putString:@"my value" forKey:@"myKey"]; Call synchronize on the dataset [dataset synchronize]; iOS © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 43. Simple and predictable pay as you go pricing Amazon Cognito Free Tier (for first 12 months): 1 Million syncs/month + 10GB of storage for Amazon Cognito Thereafter: $0.15 for 10K Syncs $0.15 per GB for storage Number of monthly sync operations 1,000,000 Monthly sync charge (1,000,000 / 10,000) * $0.15 = $15 Sync store space 4.77GB Monthly sync store charge 4.77 * $0.15 = $0.72 Total charge $15.72 © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 44. Summary © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 45. Authenticate users Manage users and identity providers Authorize access Securely access cloud resources Synchronize data Sync user prefs across devices Analyze User Behavior Store and share media Store user-generated photos Media and share them Deliver media Automatically detect mobile devices Deliver content quickly globally Send push notifications Bring users back to your app by sending messages reliably Store shared data Track active users, engagement Store and query fast NoSQL data across users and devices Your Mobile App Track Retention Stream real-time data Manage funnels, Campaign performances Collect real-time clickstream logs and take actions quickly © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 46. Authenticate users Amazon Cognito (Identity Broker) Authorize access AWS Identity and Access Management Synchronize data Amazon Cognito (Sync) Analyze User Behavior Store and share media Your Mobile App AWS Mobile SDK Amazon Mobile Analytics Amazon S3 Transfer Manager Deliver media Amazon CloudFront (Device Detection) Send push notifications Amazon SNS Mobile Push Store shared data Amazon DynamoDB (Object Mapper) Stream real-time data Amazon Kinesis (Recorder) Track Retention Amazon Mobile Analytics © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 47. Key Takeaways Your Mobile App, Game or Device App AWS Mobile SDK, API Endpoints, Management Console Amazon Cognito Amazon Mobile Analytics Amazon SNS Mobile Push Kinesis Connector DynamoDB Connector S3 Connector SQS ConnectorSES Connector Compute Storage Networking Analytics Databases AWS Global Infrastructure (10 Regions, Availability Zones, 51 Edge Locations) Integrated SDK Mobile Optimized Services Mobile Optimized Connectors Core Building Block Services © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 48. Key Takeaways: Amazon Cognito Your Mobile App, Game or Device App AWS Mobile SDK, API Endpoints, Management Console Amazon Cognito Amazon Mobile Analytics Amazon SNS Mobile Push Cross Platform and Optimized for Mobile Flexibility And Freedom Fully integrated and easy to get started Kinesis Connector DynamoDB Connector S3 Connector SQS ConnectorSES Connector of Choice Compute Storage Networking Analytics Databases AWS Global Infrastructure (10 Regions, Availability Zones, 51 Edge Locations) Integrated SDK Mobile Optimized Services Mobile Optimized Connectors Core Building Block Services © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 49. Get Started Today With Cognito for Free! Amazon Cognito Free Tier (for first 12 months): 1 Million syncs/month + 10GB of storage Amazon Cognito: http://aws.amazon.com/cognito/ FAQ: http://aws.amazon.com/cognito/faqs/ AWS Mobile blog: http://mobile.awsblog.com/ AWS Mobile SDK: http://aws.amazon.com/mobile/sdk/ Cognito developer forum: https://forums.aws.amazon.com/forum.jspa?forumI D=173 http://aws.amazon.com/mobile © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 50. Thank You! Jinesh Varia, Stefano Buliani @jinman, @sapessi © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Editor's Notes
- The moment you have more than one device, the cloud becomes the logical place to do work and store stuff. AWS provides a great platform for mobile developers regardless of where the device comes from, what operating system it runs, and what a developer wants to do with it.
- Authenticate Users: Lets start from the users of your app. The most important aspect for you when building a mobile app is to deliver an engaging experience. For that you would want to know who the user is. In most cases you would use third party identity providers like Amazon, Facebook or Google. However, often a login screen proves to be a point of friction, so you would want users to be able to skip any authentication and directly interact with the app. But at the same time when users do decide to login, they expect their preferences, settings, progress to carry over. Synchronize Data: Users expect their preferences or profiles to be saved from one session to the next. E.g if you have a game, they expect to resume the game where they last left off. To make matters more complicated, your app or game may be available across platforms – iOS, Android, FireOS. If that is the case, users would expect their data, preferences, profile etc. to be automatically synced and available across devices and platforms. E.g with Amazon Instant Video, users can pause a video they are watching on their Kindle Fire and resume on iPad Store and share assets and media: Appstores generally have a limit on the size of the app that can be downloaded over WAN. You would want to store the app’s assets in a cloud storage so you can reduce the size of the app. In additional may want to store your users data like pictures and video in the cloud. Store shared data: Often you would want to store app data e.g settings in form of key-value pairs in NoSQL database and query it for fast access. Push Notifications: Coming back to user engagement, push notifications are a great way to engage your users. You can leverage Push Notifications to remind users of a special ongoing promotion, breaking news, or an update to your app. It’s a great way to bring the users back to your app. Analyze App Usage & Track Retention: Once you deploy your app, you would want track how your app is performing. You would want to track the usage of your app and also how well you are able to track retention. Some of the common things that you would want to track are active users, session duration, Revenue related metrics like revenue per daily active users, etc. Analytics User Behavior: You would also want to track user behavior or how users interact with your app. Do they follow the UX flow that you would expect, where would they drop off in your app etc. Stream data in real-time: You would want to collect large amount of custom metrics from your app for off-line analysis like click-stream logs. Authorized Access: Most importantly you want to provide secure and authorized access to cloud services. Now lets see how AWS can help you in each of these areas
- Such services are fully integrated with the rest of AWS offering, are optimized for mobile use cases, are accessible via a single Mobile SDK and share the same scalable, on-demand, global infrastructure of all our other AWS services.
- Amazon Cognito is a simple user identity and data synchronization service that helps you securely manage and synchronize app data for your users across their mobile devices. AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Amazon Mobile Analytics is a service that lets you easily collect, visualize, and understand app usage data at scale. Amazon S3 as you know is cloud storage for the Internet. We make it easy for you to access S3 from your mobile app using a S3 Transfer Manager DynamoDB is a fast, fully managed NoSQL database as a service that makes it simple and cost-effective to store and retrieve any amount of data, and serve any level of request traffic. The Amazon DynamoDB Object Mapper simplifies access to DynamoDB by enabling you to map your client-side classes to Amazon DynamoDB tables without having to write the code to transform objects into tables and vice versa. Amazon Kinesis is a fully managed service for real-time processing of streaming data at massive scale. The Kinesis Recorder batches requests to handle intermittent network connection and enable you to record events even when the device is offline. All this is bundled in the AWS Mobile SDK. The AWS Mobile SDK helps you build high quality mobile apps quickly and easily. It provides access to services specifically designed for building mobile apps, mobile-optimized connectors to popular AWS data streaming, storage and database services, and access to a full array of other AWS services.
- These services are optimized for mobile OS and make it dead easy to get started when using the SDK. They add a lot of functionality for example Kinesis and Analytics automatically buffer records and events to handle intermittent connection. Kinesis support in the SDK, you can directly ingest large amounts of streaming data from around the world to Kinesis Stream which automatically handles shard. SDK is a great wrapper to handle distributed systems issues, such as automatic retries and so on. Our Mobile SDK adds even more functionality above the normal SDK such as resume, cancel in case of S3 etc.
- How to build an app 1. Authentication 2. Authorization 3. Data Storage and Delivery (Upload and Download) 4. Data Analytics 5. Data Synchronization 6. Push Notifications 7. Shared Data 8. Stream real-time data 9.
- How to build an app 1. Authentication 2. Authorization 3. Data Storage and Delivery (Upload and Download) 4. Data Analytics 5. Data Synchronization 6. Push Notifications 7. Shared Data 8. Stream real-time data 9.
- Amazon Cognito is a simple user identity and data synchronization service that makes it easy to securely manage your users data across their mobile devices. You can create unique identities for your users with information from a number of public login providers You can save application data locally on the device and then securely sync and save this data to the cloud so your application can work online and offline. You can save any kind of data in Key/Value pairs such as application preferences or game state in the AWS Cloud without having to write any backend code or manage any infrastructure. This means you can focus on creating great experiences instead of having to worry about building and managing a backend solution to handle identity, network state, storage, and sync.
- One of the key benefits of Amazon Cognito is its Identity broker component. It creates a unique identifer and matches it when user’s login with any of the login providers. Developers have the flexibility to choose any login provider, in v1, we support G+, Amazon and Facebook and you can easily integrate using the SDK. We focus on users and not login providers and manage the user preferences for that users. Implementing AWS security best practices for accessing cloud resources with Amazon Cognito is easy. Amazon Cognito gives each app a set of temporary, limited privilege AWS credentials for each app user to access all AWS services.
- We have seen that 90% users simply consumers of data and only 10% are actually content creators. Unauthenticated guest users are users just like logged in users. We should focus more on them, build services for them, and treat them like users, not second class citizens. Amazon Cognito simplifies the way your application can access AWS resources in a secure manner, following AWS security best practices, even when your application users are not authenticated. Amazon Cognito creates a random, unique identifier for each unauthenticated guest so you can start saving application data for those users and also leverage the temporary, limited privilege credentials Amazon Cognito provides to access other AWS resources, such as Amazon S3 and Amazon DynamoDB. When your users decide to authenticate using one of the supported public login providers, Amazon Cognito ensures the data you saved against the unauthenticated profile is now associated with the new authenticated profile removing the complexity of managing user conversion. By registering an unauthenticated user or by sending a login provider token to Amazon Cognito, your application receives a set of temporary, limited privilege credentials from Amazon Cognito to access your AWS resources. Amazon Cognito takes care of all the steps necessary to create a unique identifier for your app’s users and retrieve the AWS credentials. Incorporating AWS security best practices now takes just a few lines of code.
- And Lets first touch on the security aspect. We have seen a lot of developers tend to embed their AWS credentials in their app. These credentials are compromised if the app is decompiled. Amazon Cognito, eliminates the need to embed you AWS credentials in the app. Your mobile app authenticates with the identity provider (IdP) using the provider’s SDK. Once the end user is authenticated with the identity provider, the OAuth or OpenID Connect token returned from the identity provider is passed by your app to Amazon Cognito, which returns a new Cognito ID for the user and a set of temporary, limited-privilege AWS credentials. Amazon Cognito supports the creation and token vending process for unauthenticated users as well as authenticated users. Amazon Cognito creates a random, unique identifier for each unauthenticated user. You can use the unique identifier generated for your app users in your Identity and Access Management policies. For example you can create a policy for an S3 bucket that only allows a particular user access to their own folder thus setting granular access permissions on AWS resources.
- Architecturally, Amazon Cognito has two parts: Cognito identity Broker and Cognito Sync Store. Users first login with login provider of their choice and App with SDK does the rest. In the past, to access cloud services, developers embed aws credentials which is access key id and secret key within the application, this is highly unsecure because it is easy to unip the apk file and get access to keys. Now we make it extremely secure by not only create temprory creds that are valid only for one hour but also limiting the access to other data. The users only have access to store and sync in their own dataset. Once you get the temp cred, you can access other AWS services like S3 to store video, for example, DynamoDB to store shared data like leaderboards, kinesis to store streaming data logs and so on.
- Our policy allows access to all
- We can restrict to the bucket for S3
- We can add a restriction by username/id but our policy is for everyone who assumes the role
- We can add a restriction by username/id but our policy is for everyone who assumes the role
- As we all know the number of devices per user is going down any time soon. Customers have told us users with multiple devices want to be able to transition between devices seamlessly. They want a roaming synchronized app profile so they can pick up their tablet and continue playing a game at the same level they achieved on their phone. Turns out sync at scale is an hard problem to solve. Additionally, they want to be able to access their profile even when their device is offline. To date, developers wanting to implement roaming profile functionality in their apps have had to roll their own solution or use a system tied only to a particular login provider. This either requires the developer to do more work or to limit their cross platform story.
- With Amazon Cognito developers can synchronize application data across an end user’s devices with a single line of code. With Amazon Cognito, developers can securely store application data, such as preferences and game state in the AWS cloud. With synchronized application data, developers can give your users a consistent, unified experience on their app across all of their mobile devices. Developers can use Amazon Cognito directly from their mobile app without building or maintaining any backend infrastructure. Amazon Cognito handles secure application data storage and sync, enabling them to focus on their application experiences, instead of the heavy lifting of creating and managing a user application data sync solution. It manages the complexity of conflict resolution and intermittent network connectivity by managing offline cache ensuring your application can always deliver a great user experience. Each data set in the Amazon Cognito sync store can be synchronized on all devices associated with an identity simply by calling the synchronize () method.
- One identitypool across advertizers Cognito id becomes a cookie id
- Amazon Cognito has a simple pay as you go pricing plan, with no upfront costs. You pay only for what you use. Authenticating users and generating unique identifiers is free with Amazon Cognito. Upon sign-up, new AWS customers receive 10 GB of cloud sync store and 1,000,000 sync operations per month. Charges are based on the total amount of data saved in the Amazon Cognito cloud sync store and the number of sync operations performed. Amazon Analytics is almost free with 100 million events/month and just a 50 cents for millionevents there after.
- How to build an app 1. Authentication 2. Authorization 3. Data Storage and Delivery (Upload and Download) 4. Data Analytics 5. Data Synchronization 6. Push Notifications 7. Shared Data 8. Stream real-time data 9.
- How to build an app 1. Authentication 2. Authorization 3. Data Storage and Delivery (Upload and Download) 4. Data Analytics 5. Data Synchronization 6. Push Notifications 7. Shared Data 8. Stream real-time data 9.
- Such services are fully integrated with the rest of AWS offering, are optimized for mobile use cases, are accessible via a single Mobile SDK and share the same scalable, on-demand, global infrastructure of all our other AWS services.
- Such services are fully integrated with the rest of AWS offering, are optimized for mobile use cases, are accessible via a single Mobile SDK and share the same scalable, on-demand, global infrastructure of all our other AWS services.