From the course: AWS Certified Advanced Networking – Specialty (ANS-C01) Cert Prep: 2 Network Implementation
Evaluate authorization - Amazon Web Services (AWS) Tutorial
Evaluate authorization
It's important to be able to evaluate the current authentication infrastructure at an organization in order to improve it using the AWS cloud. In particular, the Cognito service is a good starting point. It provides both authentication and authorization for web and mobile apps, and users can sign in with a username and password or through third parties such as Facebook, Amazon, Google, or Apple. There are a couple of main components, including user pools and identity pools. Let's go ahead and take a look at some scenarios with Cognito. There are scenarios where an identity pool grants users access to AWS services, or a user pool handles sign-up and sign-in for an application. So let's walk through a few of them. The first is authentication with a user pool: the app obtains tokens from the user pool after the user signs in, including through social sign-in. Next, with an identity pool, you authenticate and get tokens from the user pool, and the identity pool then lets you access your own AWS resources, such as DynamoDB or S3. Another interesting scenario is with Lambda and API Gateway. Here you enable users to access an API through API Gateway, and API Gateway validates the tokens from user pool authentication and grants the users access to resources, including, say, other Lambda functions that perform event-driven workflows. This is a really nice scenario for developers who want to build a SaaS application. The next scenario is the user pool plus identity pool: a successful authentication receives tokens from Cognito, and these can then be exchanged at an identity pool for temporary credentials to access other services. So you can use all of these features at the same time to provide authentication to users.
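The API Gateway scenario above depends on validating user pool tokens correctly. As an added example that is not part of the course, the Python below implements the claim checks AWS documents for Cognito JWTs (issuer, token_use, aud on id tokens versus client_id on access tokens, and expiry) against a constructed pool id, client id and placeholder-signed tokens; RS256 signature verification against the pool's JWKS is assumed to be done by a JOSE library before these checks run.

```python
import base64
import json
import time
# Constructed sample values for this example, not from any real user pool.
REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "example-app-client-id"
ISS = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def split_jwt(token):
    """Return (header, claims). The signature is NOT checked here: RS256
    verification against the pool's JWKS must precede trusting any claim."""
    header_b64, claims_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))

def check_cognito_claims(claims, region, user_pool_id, client_id, now=None):
    """Return a list of problems (empty means acceptable), following the checks AWS
    documents: issuer, token_use, aud (id token) or client_id (access token), exp."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        problems.append("issuer is not the expected user pool")
    token_use = claims.get("token_use")
    if token_use == "id":
        if claims.get("aud") != client_id:
            problems.append("id token aud does not match the app client")
    elif token_use == "access":
        if claims.get("client_id") != client_id:
            problems.append("access token client_id does not match the app client")
    else:
        problems.append("token_use must be 'id' or 'access'")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token is expired or has no exp")
    return problems

def constructed_token(claims):
    # Token-shaped string for testing; the third segment is a placeholder, not a signature.
    header = _b64url_encode({"alg": "RS256", "kid": "example-kid"})
    return ".".join([header, _b64url_encode(claims), "placeholder-signature"])

def validate_token(token, now=None):
    """Parse a token and run the Cognito claim checks for this example's pool and client."""
    _header, claims = split_jwt(token)
    return check_cognito_claims(claims, REGION, POOL_ID, CLIENT_ID, now)
```

A token from another pool, with a different app client, or with an access token presented where an id token is expected fails these checks even when its signature is valid, which is why they are applied in addition to signature verification.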
The other thing to be aware of is the third party plus identity pool, a very common scenario with Cognito, where you allow your users access to AWS services through an identity pool. This requires an IdP token from the user, and in exchange the identity pool grants temporary AWS credentials that can be used to access other AWS services. AppSync is another scenario enabled with Cognito: you can grant users access to AWS AppSync resources with tokens from a successful Cognito authentication, which lets them send GraphQL requests and receive responses. What's nice about this is that other services like Elasticsearch Service, DynamoDB, or Lambda can all be kept in sync very efficiently through AWS AppSync. So let's take a look at Cognito in action. I'm going to go over to the AWS console and look at the initial console page, which asks about your business case. If you want to add users, that is one of the options; or you may want to grant access to AWS services. You have to decide. Let's pick the option to add user directories to your app, and then create a user pool. Notice that we can now configure the sign-in experience. In particular, we can choose which attributes users sign in with; maybe we want to select only the email address. Then we go through and set the defaults, right? This is always something an organization has to be careful about in order to comply with data governance requirements. In this scenario the defaults are fairly good, but you could also go through and set custom values, say a longer minimum password length or a shorter expiration, et cetera. You can also set up multi-factor authentication here and make it a requirement for users who are authenticating.
You can choose which of these methods are available, including SMS and authenticator apps. So you can see this is a very strong and robust authentication service, and it takes just a few clicks to create it. Now you can enable self-registration, and from here you can say which attributes are required; in this case, say, a phone number or an email. Once you go to the next step, you decide where the FROM email addresses come from, and whether to create a new IAM role or use an existing one. In this case, let's choose the Cognito role and click next. As you continue, notice that it says additional setup is needed and you need to complete some additional steps. In a nutshell, under the FROM info we need to select the FROM email address. What's happening here is that we need to make sure SES is actually configured and that you have a verified sender, so in this scenario we would have to go through and set up an identity in SES. So in a nutshell, the Cognito service is a very robust service that provides all of the things you would normally expect from an enterprise-style authentication and authorization service.