The document discusses authentication and authorization solutions from Amazon Web Services. It describes Amazon Cognito for authentication and managing user identities, along with built-in authorization. It also introduces Amazon Cloud Directory for advanced authorization with hierarchical permissions and relationships between identities and resources. The document provides examples and use cases for how customers can use these services together to manage user access for their applications.

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Cloud-Scale Authentication and Advanced Authorization with
Amazon Cognito and Amazon Cloud Directory
Mahendra Chheda, Principal Product Manager
Tim Hunt, Senior Product Manager

2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Two Pillars of Securing User Access
Authentication Authorization
Confirming that
users are whom
they claim to be
Determining what
actions and access
users should have

3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Authentication with Amazon Cognito

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Federation
Amazon Cognito Overview
Web and Mobile
Apps
Amazon
Cognito
Developers focus on what
is special about their app
Cognito handles auth
and identity
Managed User Directory
Hosted UI
AWS Credentials
Standard Tokens

5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Amazon Cognito: Identity Management Scenarios
Business to Consumer Business to Business
Business to Employee IoT Scenarios
Enterprise
DirectoryEnterprise
Directory
SAML
Enterprise
Directory
SAML
AWS IoT

6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Managed User Directory (User Pool)
Ø Usernames / Passwords
Ø Profiles (attributes / groups)
Ø User Flows: Sign up,
Confirm, Sign in, Forgot
password, etc.
Ø Admin controls: Create user,
import, search, disable, set
policies, etc.
Ø Security: MFA, Adaptive
authentication, Protection for
compromised credentials
Ø Compliance: PCI, HIPAA,
SOC 1/2/3, ISO 270001,
GDPR

7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
UI Integration Choices
Hosted UI Developer’s UI
• Customizable (CSS / Logo)
• Easily integrated
• Integrated via SDKs / APIs
• Native UI

8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Identity Federation with User Pools
Web and Mobile
Apps
Amazon
Cognito
Cognito
Tokens
Identity
Providers
User Profiles

9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Built-in Authorization with Amazon Cognito

10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Built-in Authorization in AWS
Amazon API Gateway AWS Application Load
Balancer
AWS Credentials
(Any AWS service)
Cognito
Tokens
Cognito
Tokens
Cognito
Tokens
Amazon
Cognito
API GW
Amazon Cognito
Amazon
Cognito
DynamoDB,
S3, etc.
ALB

11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Mobile app
Amazon API
Gateway
Amazon Cognito
User Pools
Amazon
DynamoDB
Lambda
function
API Gateway and Cognito Tokens

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Mobile app
1. Authenticate
Amazon API
Gateway
Amazon Cognito
User Pools
Amazon
DynamoDB
Lambda
function
API Gateway and Cognito Tokens

13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Mobile app
2. JWT tokens
Amazon API
Gateway
Amazon Cognito
User Pools
Amazon
DynamoDB
Lambda
function
API Gateway and Cognito Tokens

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Mobile app
3. Call API Gateway resource
Amazon
DynamoDB
Lambda
function
Amazon API
Gateway
Amazon Cognito
User Pools
API Gateway and Cognito Tokens

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
4. Validate Access or
Identity token
Mobile app
Amazon
DynamoDB
Lambda
function
Amazon API
Gateway
Amazon Cognito
User Pools
API Gateway and Cognito Tokens
Token Validation Options
1. Cognito Authorizers provide built-in
validation of tokens
2. Lambda Authorizers allow you to use custom
code to make fine-grained decisions based
on user attributes or groups (“claims”)

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Mobile app
5. Invoke API Call
Amazon
DynamoDB
Lambda
function
Amazon API
Gateway
Amazon Cognito
User Pools
API Gateway and Cognito Tokens

17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Mobile app
6. Access
AWS Resources
Amazon
DynamoDB
Lambda
function
Amazon API
Gateway
Amazon Cognito
User Pools
API Gateway and Cognito Tokens

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AWS Application Load Balancer Integration
Request secure path
3
Redirect for
authentication
Return content and
ALB Auth cookie
1
24
Return secure content
CUP
Token

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AWS Credentials with Cognito (Identity Pools)
• Exchanges tokens from authenticated
users for AWS credentials to access
resources such as S3 or DynamoDB
• You can defined rules for mapping users
to different IAM roles to manage
permissions
• Provides an identity pool id to uniquely
identify users
Cognito
Identity Pool
AWS Credentials
/ / etc
token
Mobile or web app
DynamoDB
S3
API GW
Access backend
resources
- tied to IAM role
1
3
2

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Amazon Cognito User Pools + Identity Pools
Get AWS
credentials
Cognito
Identity PoolDynamoDB S3
Access AWS Services
Federating
IdP
Cognito User
Pool• User Pools authenticate
users and returns standard
tokens
• User Pool tokens are used to
access backend resources
• Identity Pools provide AWS
credentials to access AWS
services
Authenticate
3
CUP
Token1
IdP
Token
2
Redirect /
Post back
CUP
Token
5
6
Access Serverless BackendCUP
Token
API GW
4
Lambda

21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Advanced Authorization with Amazon Cloud Directory

22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
What customers are asking for Advanced Authorization …
• Ability to define hierarchical permissions with inheritance
– For Identities and Resources
• More capabilities … Authorization for service access, device access
• More real time control to define access
• Ability to audit and govern

23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Typical Authorization components
• Principal (user, service identity, device identity) – answers “Who”
• Resource such as AWS S3 bucket or custom application “Foobar” – answers
“What”
• Action, typically Create, Read, Update or Delete (CRUD) actions – answers
level of access

24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
How customers think of Authorization
Organization
1
1.21.1
1.1.1
Resources
Amazon
S3
Company

25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Amazon Cloud Directory

26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Relational vs. NoSQL vs. graph to store hierarchical data
Graph
• Network based
• Connections
• Think: LinkedIn
Relational
• Rows and
columns
• Relationships
• Think: Online
banking
NoSQL
• Key Value Store
• Quick lookups
• Think: Web
Applications

27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Challenges you may face
Traditional solutions
have inefficient
queries for multiple
hierarchies
Inefficient
workarounds to
search for parent and
child objects
Inflexible schemas
that can’t be easily
shared across
applications
Complex
infrastructure that is
expensive to scale

28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Amazon Cloud Directory
Fully AWS-managed, serverless, cloud-scale hierarchical
datastore
Organize
hierarchies of
data across
multiple
dimensions
Scale
automatically on
managed
infrastructure
Adapt to
changing data
requirements
Search your
directory for
objects and
relationships

29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Customer use cases
• Large electronics chain is implementing IoT Device Registry
• Startup is implementing complex permissions across patients, organizations,
and applications
• Enterprise implementing Network Topography
Amazon Cognito Your User Pools has built user management on Cloud Directory
AWS Organizations has built Account Management and access control on Cloud
Directory

30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Customer Reference - Aino Health
“Aino Health is the leading solution provider in Corporate Health Management, offering
a platform for predictive health analytics that helps organizations to improve their
productivity, reduce absences and prevent early retirements. As business evolved, Aino
Health needed to transition from the traditional monolithic IT application model and find
a better solution to manage their hierarchical data. Aino Health’s key requirement was
to model their complex organizational structure including company organization,
relations to various third-party agents and fine-grained permissions to secure access to
health data. Aino Health uses Amazon Cloud Directory to organize and query their
hierarchical data along multiple dimensions. With Cloud Directory, Aino Health has
experienced faster time-to-market for delivering solutions, scalability, optimized query
for hierarchical data and lower cost of operations.”
- Johannes Verwijnen, CTO, Aino Health

31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
When should you consider Amazon Cloud Directory?
• Is my data hierarchical? Does it resemble a tree when drawn?
• Does my application heavily favor reads over writes?
• Does my data have a known structure, even if it might change over time?
• Do I need a serverless datastore?
• Do I need automated horizontally scaling?
• If yes: Cloud Directory is likely a good fit.
• In no: RDS, Neptune, DynamoDB might be better options for your use case.

32. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Technical Deep Dive

33. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Amazon Cloud Directory features
• Ability to express rich relationships
• Parent-Child Relationships
• Multiple parents for Leaf Nodes
• Relationships across hierarchies or entities using Typed Links
• Policy support, policy inheritance
• Two types of indexing/search
• Search by Object Values
• Search by Object Type
Encryption in-transit and at-rest, Integration with CloudTrail, support for tags, in nine
regions today.
Compliance: PCI, SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and ISO 9001, HIPAA

34. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Example – Parent-Child Relationship
Dir.
Root
John
Jane Zoe
JimGregTim
Global
SFOLHR
Reporting
R&D
Data
Scientist
Software
Engineer
Operations
Sys
Admin
Locations
Europe U.S.

35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Example – Typed Links
Dir.
Root
John
Jane
JimGregTim
Computers
Desktop
Reporting
R&D
Data
Scientist
Software
Engineer
Operations
Sys
Admin
Devices
Laptop
Zoe
Typed Links

36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Example – Policy
Dir.
Root
John
Jane Zoe
JimGregTim
Global
SFOLHR
Reporting
R&D
Data
Scientist
Software
Engineer
Operations
Sys
Admin
Locations
Europe US
B
A
C
Policy
Evaluate Policies with a single API
call - LookupPolicy

37. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
How customers think of Authorization - revisit
Organizations
1
1.21.1
1.1.1
Resources
Company
Admin (CRUD access)
User (Read access)

38. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Example – Define Fine Grained Permissions (using Parent-Child)
Dir.
Root
John
Jane Zoe
JimGregTim
Resource
Parent
Resource
Child 1
Reporting
R&D
Data
Scientist
Software
Engineer
Operations
Sys
Admin
Resource Tree
Path 1 Path 2
B
A
C
Policy
Resource
Child 2

39. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Example – Define Fine Grained Permissions (using Typed Links)
Dir.
Root
John
Jane Zoe
JimGregTim
Resource
Parent
Resource
Child 1
Reporting
R&D
Data
Scientist
Software
Engineer
Operations
Sys
Admin
Resource Tree
Path 1 Path 2
B
A
C
Policy
Resource
Child 2

40. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
How do I get started?
Create
Schema
Publish
Schema
Create
Directory
Read/Write
Data
Create
Schema
Publish
Schema
Create
Directory
Read/Write
Data
Using Managed Schema – ability to develop faster but retain hierarchical data
Using Own Schema – ability to define constraints for data

41. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Using Amazon Cognito and Amazon Cloud Directory …
Customer
Application Advanced Authorization
Amazon Cloud Directory
Amazon Cognito
User Pools
Authentication
Resource

42. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Call to action
• Try out Amazon Cloud Directory sample code on GitHub
https://github.com/aws-samples/amazon-cloud-directory-sample
• Read about Amazon Cloud Directory such as Blog Posts, Webinar, Sample Code,
Pricing, Limits, etc.
https://docs.aws.amazon.com/clouddirectory/latest/developerguide/resources.html
• Try out Amazon Cognito sample code on GitHub
https://github.com/awslabs/aws-serverless-auth-reference-app
• Read about Amazon Cognito such as Blog Posts, Webinar, Sample Code, Pricing,
Limits, etc.
https://aws.amazon.com/cognito/dev-resources/

43. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS