This course covers the core learning objective to meet the requirements of the 'Designing Network & Data Transfer solutions in AWS - Level 1' skill
- Understand the AWS shared responsibility model
- Understand AWS access management capabilities to enforce security at different levels (IAM, AWS Organizations, Control Tower, Service Catalog, Amazon Cognito)
- Understand where to find AWS compliance information (AWS Artifact)
The primary concern of Cognito User Pools is to create and maintain a directory of your users for your mobile or web applications. This means handling both sign-up and sign-in for your new and returning users.
When signing up new users, Cognito lets you customize what is important for you and your application. And there is a lot of information you can have your prospective users submit when they are signing up.
If you want all of your new users to submit their email address, postal address, picture, what have you, you can set that all up while creating your user pool.
You can also create custom attributes if you need something specific from your users. A custom attribute can be a string or a number, and it allows you to set the minimum and maximum length or value you will accept.
This information is all stored within the Cognito User pool and can be accessed by your application when you need it.
You can also specify how stringent the password policy is for the passwords your users create.
Cognito gives you all the normal password functionality: minimum length, requiring numbers, special characters, uppercase and lowercase letters. Yadda yadda.
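To make the sign-up rules above concrete, here is an added example (not code from the course or from AWS) that mirrors what a user pool enforces: required standard attributes, string and number custom attributes with minimum and maximum constraints, and the password policy. The pool configuration, the attribute names and the symbol list are constructed for the demonstration; the symbol list is the one the Cognito documentation gives, and should be re-checked against the current docs.

```python
"""Constructed example: a local mirror of the sign-up rules you configure on a
Cognito User Pool (required attributes, custom attribute constraints, password
policy), so you can see exactly what a sign-up request must satisfy."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Characters Cognito counts as "symbols" for the require-symbols rule
# (copied from the Cognito docs; re-check the current list before relying on it).
COGNITO_SYMBOLS = set("^$*.[]{}()?\"!@#%&/\\,><':;|_~`=+- ")


@dataclass
class CustomAttribute:
    name: str                      # Cognito exposes it as "custom:<name>"
    kind: str                      # "String" or "Number"
    minimum: Optional[int] = None  # min length (String) or min value (Number)
    maximum: Optional[int] = None  # max length (String) or max value (Number)


@dataclass
class PasswordPolicy:
    minimum_length: int = 8
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_numbers: bool = True
    require_symbols: bool = True


@dataclass
class UserPoolConfig:
    required_attributes: Set[str]            # standard attributes such as "email"
    custom_attributes: List[CustomAttribute]
    password_policy: PasswordPolicy


def check_password(policy: PasswordPolicy, password: str) -> List[str]:
    """Return every policy rule the password fails (empty list means accepted)."""
    failures = []
    if len(password) < policy.minimum_length:
        failures.append(f"shorter than {policy.minimum_length} characters")
    if policy.require_uppercase and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if policy.require_lowercase and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if policy.require_numbers and not any(c.isdigit() for c in password):
        failures.append("no number")
    if policy.require_symbols and not any(c in COGNITO_SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def check_attributes(config: UserPoolConfig, attributes: Dict[str, str]) -> List[str]:
    """Check required standard attributes and the constraints on custom ones."""
    failures = []
    for name in sorted(config.required_attributes):
        if not attributes.get(name):
            failures.append(f"missing required attribute {name}")
    for attr in config.custom_attributes:
        key = f"custom:{attr.name}"
        if key not in attributes:
            continue  # custom attributes cannot be marked required in Cognito
        value = attributes[key]
        if attr.kind == "Number":
            try:
                number = float(value)  # Cognito transmits attribute values as strings
            except ValueError:
                failures.append(f"{key} is not a number")
                continue
            if attr.minimum is not None and number < attr.minimum:
                failures.append(f"{key} below minimum {attr.minimum}")
            if attr.maximum is not None and number > attr.maximum:
                failures.append(f"{key} above maximum {attr.maximum}")
        else:
            if attr.minimum is not None and len(value) < attr.minimum:
                failures.append(f"{key} shorter than {attr.minimum} characters")
            if attr.maximum is not None and len(value) > attr.maximum:
                failures.append(f"{key} longer than {attr.maximum} characters")
    return failures


def validate_signup(config: UserPoolConfig, password: str, attributes: Dict[str, str]) -> List[str]:
    """All reasons a sign-up would be rejected; an empty list means it passes."""
    return check_password(config.password_policy, password) + check_attributes(config, attributes)


# Constructed pool configuration for demonstration (not a real pool).
POOL = UserPoolConfig(
    required_attributes={"email"},
    custom_attributes=[
        CustomAttribute("loyalty_tier", "Number", minimum=0, maximum=5),
        CustomAttribute("referral_code", "String", minimum=6, maximum=12),
    ],
    password_policy=PasswordPolicy(minimum_length=12),
)

if __name__ == "__main__":
    print(validate_signup(POOL, "Correct-Horse-9",
                          {"email": "alice@example.com", "custom:loyalty_tier": "3"}))
    print(validate_signup(POOL, "password",
                          {"custom:loyalty_tier": "9", "custom:referral_code": "abc"}))
```

Running a check like this client-side only improves the user's experience; the pool itself remains the enforcement point, so the policy you configure there is what actually protects the accounts.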
Amazon Cognito also has the functionality to require multi-factor authentication (MFA), which I would recommend for any financial services, or high-value information like medical, credit card, or anything really with in-app purchases that a user might have invested a significant amount of money towards.
The service even includes account recovery features that can be quite annoying to set up on your own, and would normally require another backend service to handle for you, including recovery by email and by phone.
Additionally, if you don't want your users to have to go through all that hassle, Cognito User Pools gives you the ability to have social sign-in. This means your users can also sign in to your application by using third-party identity providers.
This path does require you (the application developer) to first set up a developer account with those external third-party providers and set up your application with them. It's not a particularly difficult task, but it can be time-consuming.
Take a look over here for a step-by-step walkthrough of the process: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-social-idp.html
Finally, you can also sign in with any SAML (Security Assertion Markup Language) identity provider. In case you are unaware of SAML, it is an XML-based markup language for security assertions. It is an important tool for single sign-on through the web. For example, your SAML identity provider might be Active Directory Federation Services (AD FS). This provider could be your on-premises AD or one you are even hosting on an EC2 instance.
Please be aware that if you do use this route you will need a domain name that you own.
The service also provides a customizable, hosted web UI to handle the sign-in and sign-up flows. Using this hosted UI provides you with an OAuth 2.0 compliant authorization server. OAuth is an open-standard authorization protocol that regulates how servers or services can safely grant each other authenticated access without handing over the user's sign-on credentials.
The user experience of the provided web UI is customizable and allows you to add your own brand logos and to change the look and feel of the webpage.
You don't have to use this of course and can create your own UI. You would just be in charge of making the appropriate API calls to the service yourself, and running your own OAuth server, which can be difficult for some people and might be out of scope for what you are trying to achieve.
User pools also have integrations with AWS Lambda and give you the option to trigger functions based on events in the user flow.
For example, if you wanted a Lambda function to trigger right after a user has successfully signed up, maybe to send an email or to create some backend functionality for that user, you have that ability. Or whenever someone successfully signs in, you could have Lambda check some backend information about that user and prepare their environment based on that.
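The hosted UI's OAuth 2.0 authorization server is driven by two endpoints, /oauth2/authorize and /oauth2/token. The following is an added example (not code from the course or from AWS) of the client side of the authorization-code flow with PKCE as pure functions, so it runs offline: it builds the sign-in URL, checks the anti-CSRF state on the callback, and prepares the token exchange. The domain, client id and redirect URI are placeholders; the endpoint paths are the hosted UI's documented ones.

```python
"""Constructed example: the OAuth 2.0 authorization-code flow with PKCE against
the Cognito hosted UI, as pure functions that run offline. Domain, client id
and redirect URI are placeholders; /oauth2/authorize and /oauth2/token are the
hosted UI's documented endpoint paths."""
import base64
import hashlib
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: base64url(sha256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge); keep the verifier secret in the session."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(domain: str, client_id: str, redirect_uri: str,
                        scopes: Tuple[str, ...], state: str, code_challenge: str) -> str:
    """URL that sends the browser to the hosted sign-in page."""
    params = {
        "response_type": "code",          # authorization-code grant, not implicit
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                   # anti-CSRF token bound to the session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{domain}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, refusing callbacks whose state does not match."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    return query["code"][0]


def token_request(domain: str, client_id: str, redirect_uri: str,
                  code: str, code_verifier: str) -> Tuple[str, Dict[str, str]]:
    """(URL, form body) for the token exchange; POST it as application/x-www-form-urlencoded."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,     # must equal the one sent to /oauth2/authorize
        "code_verifier": code_verifier,   # proves this client started the flow
    }
    return f"https://{domain}/oauth2/token", body


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("auth.example.com", "CLIENT_ID_PLACEHOLDER",
                              "https://app.example.com/callback",
                              ("openid", "email"), state, challenge))
```

The state and the code verifier both live in the user's session between the redirect and the callback; a callback that arrives with a different state is dropped before any code is exchanged, and the verifier never leaves the client until the token request.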
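Here is an added example (not code from the course or from AWS) of one Lambda function serving three of those trigger points: a pre sign-up check, post-confirmation provisioning, and a post-authentication record for your detection pipeline. The event shape follows the Cognito trigger event format (triggerSource, request.userAttributes, response); the allowed-domain list, the pool and client ids and the in-memory stores are constructed placeholders for your own policy and backend.

```python
"""Constructed example: one Lambda handler for three Cognito User Pool triggers.
The event shape follows the Cognito trigger event format; the allow-list, the
ids and the in-memory stores are placeholders for your own policy and backend."""
import logging
from typing import Any, Dict, List

logger = logging.getLogger(__name__)

# Assumption: sign-ups are limited to these email domains (constructed).
ALLOWED_EMAIL_DOMAINS = {"example.com", "example.org"}

# Stand-ins for a real backend (database, queue, SIEM) so the example runs offline.
PROVISIONED_USERS: List[Dict[str, str]] = []
SIGNIN_LOG: List[Dict[str, Any]] = []


def is_allowed_domain(email: str) -> bool:
    domain = email.rpartition("@")[2].lower()
    return bool(domain) and domain in ALLOWED_EMAIL_DOMAINS


def pre_sign_up(event: Dict[str, Any]) -> Dict[str, Any]:
    """Runs before the user is created; raising rejects the sign-up and
    Cognito returns the message to the client."""
    email = event["request"]["userAttributes"].get("email", "")
    if not is_allowed_domain(email):
        raise ValueError("sign-up is not permitted for this email domain")
    # Keep these False so the user must still prove control of the mailbox
    # with the verification code instead of being auto-confirmed.
    event["response"]["autoConfirmUser"] = False
    event["response"]["autoVerifyEmail"] = False
    return event


def post_confirmation(event: Dict[str, Any]) -> Dict[str, Any]:
    """Runs once the user has confirmed their account: create their backend record."""
    attrs = event["request"]["userAttributes"]
    PROVISIONED_USERS.append({
        "user_pool_id": event["userPoolId"],
        "username": event["userName"],
        "sub": attrs.get("sub", ""),    # stable Cognito user id; key data on this, not the email
        "email": attrs.get("email", ""),
    })
    return event


def post_authentication(event: Dict[str, Any]) -> Dict[str, Any]:
    """Runs after every successful sign-in: emit a record detection can consume."""
    record = {
        "username": event["userName"],
        "client_id": event["callerContext"]["clientId"],
        "new_device": bool(event["request"].get("newDeviceUsed", False)),
    }
    logger.info("cognito sign-in %s", record)
    SIGNIN_LOG.append(record)
    return event


TRIGGERS = {
    "PreSignUp_SignUp": pre_sign_up,
    "PostConfirmation_ConfirmSignUp": post_confirmation,
    "PostAuthentication_Authentication": post_authentication,
}


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Entry point: dispatch on triggerSource and always hand the event back to Cognito."""
    handler = TRIGGERS.get(event["triggerSource"])
    if handler is None:
        return event  # triggers we do not customise pass through unchanged
    return handler(event)


def make_event(trigger_source: str, username: str, attributes: Dict[str, str],
               **request_extra: Any) -> Dict[str, Any]:
    """Build a constructed trigger event in the shape Cognito sends (placeholder ids)."""
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "region": "us-east-1",
        "userPoolId": "us-east-1_PLACEHOLDER",
        "userName": username,
        "callerContext": {"awsSdkVersion": "aws-sdk-unknown", "clientId": "CLIENT_ID_PLACEHOLDER"},
        "request": {"userAttributes": attributes, **request_extra},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False},
    }


if __name__ == "__main__":
    print(lambda_handler(make_event("PreSignUp_SignUp", "alice",
                                    {"email": "alice@example.com"}), None)["response"])
```

Each handler returns the event because Cognito reads the response object from it; a handler that returns nothing, or that times out, makes the whole sign-up or sign-in fail, so keep the work done in a trigger short and push anything slow onto a queue.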
As a final note: you can also add an entire listing of users and accounts via CSV file if you already have that information available.
I think the big thing to notice about this service in general is that it is just trying to clear all of the extra obstacles out of the way and let you get on with developing your application.
There are plenty of steps required to make even simple sign-in and authentication work with modern applications, so to have all of these extraneous things dealt with for you is super powerful.
William Meadows is a passionately curious human currently living in the Bay Area in California. His career has included working with lasers, teaching teenagers how to code, and creating classes about cloud technology that are taught all over the world. His dedication to completing goals and helping others is what brings meaning to his life. In his free time, he enjoys reading Reddit, playing video games, and writing books.