How IAM is used to securely manage access
Managing user identities with long term credentials in IAM
Managing access using IAM user groups & roles
Using IAM policies to define and manage permissions
Fundamentals of KMS
Securing Access to Your AWS KMS Keys
AWS Web Application Firewall
AWS Firewall Manager
Using AWS Network Firewalls to Secure Your VPCs
AWS Security Hub Overview
Other AWS Security Services
AWS Secrets Manager
This section of the AWS Certified Solutions Architect - Professional learning path introduces the key identity management, security, and encryption services within AWS relevant to the AWS Certified Solutions Architect - Professional exam. Core to security is AWS Identity & Access Management commonly referred to as IAM. This service manages identities and their permissions that can access your AWS resources, so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. IAM is an important service in ensuring your resources are secure.
- Learn about identity and access management on AWS, including users, groups & roles, IAM policies, MFA, identity federation, and cross-account access
- Learn the fundamentals of AWS Web Application Firewall (WAF), including what it is, when to use it, how it works, and why use it
- Understand how to configure and monitor AWS WAF
- Learn about AWS Firewall Manager and its components
- Learn how to configure AWS Shield
- Learn the fundamentals of AWS Cognito
The primary concern of Cognito User Pools is to create and maintain a directory of your users for your mobile or web applications. This means handling both sign-up and sign-in for your new and returning users.
When signing up new users, Cognito lets you customize what is important for you and your application, and there is a lot of information you can have your prospective users submit when they are signing up.
If you want all of your new users to submit their emails, addresses, pictures, or whatever else you need, you can set that all up while creating your user pool.
You also can create custom attributes if you need something specific from your users. A custom attribute can be a string or a number and allows you to set minimum and maximum values you will accept.
This information is all stored within the Cognito User pool and can be accessed by your application when you need it.
You can also specify how stringent you want to be with your passwords that users can create.
Cognito gives you all the usual password controls: minimum length, and requiring numbers, special characters, and upper- and lowercase letters.
Amazon Cognito also has the functionality to require multi-factor authentication (MFA), which I would recommend for any financial services or high-value information such as medical or credit card data, or really anything with in-app purchases where a user might have invested a significant amount of money.
The service even includes account recovery features that can be quite annoying to set up on your own and would normally require another backend service to handle for you, including recovery by email and phone.
Additionally, if you don't want your users to have to go through all that hassle, Cognito User Pools gives you the ability to offer social sign-in. This means your users can also sign in to your application using third-party identity providers.
This path does require you (the application developer) to first set up a developer account with those external third-party providers and set up your application with them. It's not a particularly difficult task, but it can be time-consuming.
Take a look over here for a step by step walkthrough of the process: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-social-idp.html
Finally, you can also sign in with any SAML (Security Assertion Markup Language) identity provider. In case you are unaware of SAML, it is an XML-based markup language for security assertions and an important tool for single sign-on through the web. For example, your SAML identity provider might be Active Directory Federation Services (AD FS). This provider could be your on-premises AD or one you are hosting yourself on an EC2 server.
Please be aware that if you do use this route you will need a domain name that you own.
The service also provides a customizable hosted web UI to handle the sign-in and sign-up flows. Using this hosted UI gives you an OAuth 2.0-compliant authorization server. OAuth is an open-standard authorization protocol that regulates how servers or services can safely grant authenticated access to each other without sharing SSO credentials.
The user experience of the provided web UI is customizable and allows you to add your own brand logos and to change the look and feel of the webpage.
You don't have to use this, of course, and can create your own UI. You would then be in charge of making the appropriate API calls to the service yourself and running your own OAuth server, which can be difficult for some people and might be out of scope for what you are trying to achieve.
User pools also integrate with AWS Lambda and give you the option to trigger functions based on the user flow.
For example, if you wanted a Lambda function to run right after a user has successfully signed up, maybe to send an email or to create some backend resources for that user, you have that ability. Or whenever someone successfully signs in, you could have Lambda check some backend information about that user and prepare their environment based on that.
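As an added example (not code from the course), here is one Lambda handler wired to two of the user pool triggers just described: the pre sign-up trigger enforces an allow-list of email domains and refuses to auto-confirm, and the post confirmation trigger provisions backend state for the new user. `ALLOWED_DOMAINS`, `PROVISIONED` and `provision_backend` are constructed for this demo; the event shape (`triggerSource`, `request.userAttributes`, `response`) is what Cognito sends.

```python
# Constructed demo: one Lambda function attached to both the Pre sign-up and
# Post confirmation triggers of a Cognito User Pool. Cognito invokes it with
# the submitted attributes and expects the same event object back; raising
# an exception aborts the flow and returns the message to the client.

ALLOWED_DOMAINS = {"example.com"}   # assumption: a closed pool for one organisation
PROVISIONED = {}                    # stand-in for a real backend store (constructed)


def provision_backend(username, attrs):
    """Hypothetical backend setup that runs once the user is confirmed."""
    record = {"email": attrs.get("email"), "plan": attrs.get("custom:plan", "free")}
    PROVISIONED[username] = record
    return record


def lambda_handler(event, context=None):
    source = event["triggerSource"]
    attrs = event["request"].get("userAttributes", {})

    if source in ("PreSignUp_SignUp", "PreSignUp_ExternalProvider"):
        # Native and social/SAML sign-ups both pass through here; apply the
        # same allow-list. An absent email yields an empty domain and is rejected.
        domain = attrs.get("email", "").rpartition("@")[2].lower()
        if domain not in ALLOWED_DOMAINS:
            raise ValueError(f"sign-up rejected: domain '{domain}' is not allowed")
        # Never short-circuit verification: the user must still prove control
        # of the address via the code Cognito sends.
        event["response"]["autoConfirmUser"] = False
        event["response"]["autoVerifyEmail"] = False

    elif source == "PostConfirmation_ConfirmSignUp":
        # The account is now confirmed, so it is safe to create backend state.
        provision_backend(event["userName"], attrs)

    return event
```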
As a final note: you can also add an entire listing of users and accounts via CSV file if you already have that information available.
I think the big thing to notice about this service in general, is that it is just trying to remove all of the extra obstacles out of the way and let you just get into developing your application.
There are plenty of steps required to make even simple sign-in and authentication work with modern applications, so having all of these extraneous things dealt with for you is very powerful.
Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.