Key Management Service (KMS)
The course is part of this learning path
This course provides detail on the AWS Security, Identity, and compliance services relevant to the AWS Developer - Associate exam. These services are used to help secure and protect your resources and environment through access control mechanisms and encryption.
- Learn what Identity Federation is
- Learn about the AWS services that can be used with it
- Understand how it's implemented
- Understand the benefits of AWS SSO and how it can be used to simplify user access at scale
- Create your own authentication mechanisms using Amazon Cognito
- Create your own customized UI for user sign in
- Create a secure user directory for all your applications and users
- Understand what is meant identity and access management and the difference between authentication, authorization, and access control
- Learn the components of IAM as well as its reporting features
- Understand the core principles of cross-account access using IAM
- How to implement and configure cross-account access
- Define how the Key encryption process works
- Explain the differences between the different key types
- Create and modify Key policies
- Understand how to rotate, delete and reinstate keys
- Define how to import your own Key material
The primary concern of Cognito User Pools is to create and maintain a directory of your users for your mobile or web applications. This means dealing with both signing up, and signing in, your new and returning users.
When signing up new users, Cognito lets you customize what is important for you and your application. And there is a lot of information you can have your perspective users submit when they are signing up.
If you want all of your new user to submit their emails, addresses, pictures, what have you - you can set that all up while creating your user pool.
You also can create custom attributes if you need something specific from your users. A custom attribute can be a string or a number and allows you to set minimum and maximum values you will accept.
This information is all stored within the Cognito User pool and can be accessed by your application when you need it.
You can also specify how stringent you want to be with your passwords that users can create.
Cognito gives you all the normal password functionality like min length, requiring numbers, special characters, upper and lowercase. Yadda yadda.
Amazon Cognito also has the functionality to require multi-factor authentication(MFA), which I would recommend for any financial services, or high-value information like medical, credit card, or anything really with in-app purchases that a user might have invested a significant amount of money towards.
The service even includes account recovery features that can be quite annoying to set up on your own, and would normally require another backend service to handle for you: Including email and phone.
Additionally, if you don't want your users to have to go through all that hassle, Cognito User Pools gives you the ability to have social sign-in. This means your users can also sign in for your application by using third-party ID providers.
This path does require you (the application developer) to first set up a developer account with those external third-party providers and set up your application with them. It's not a particularly difficult task, but it can be time-consuming.
Take a look over here for a step by step walkthrough of the process: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-social-idp.html
Finally, You can also sign in with any SAML (Security Assertion Markup Language) identity provider. In case you are unaware of SAML, It is a XML-based markup language for security assertions. It is an important tool for single sign-on through the web. For example, your SAML ID provider might be an active directory federation service. This provider could be your on-premises AD or one you are even hosting on an EC2 server.
Please be aware that if you do use this route you will need a domain name that you own.
The service also provides a way to create your own customizable web UI to handle the Sign in and sign up services. Using this customizable UI provides you with an OAuth 2.0 compliant authorization server. OAuth is an open-standard authorization protocol that helps regulate how servers or services can safely allow authenticated access to each other, without sharing SSO credentials.
The user experience of the provided web UI is customizable and allows you to add your own brand logos and to change the look and feel of the webpage.
You don't have to use this of course and can create your own UI. You would just in charge of calling the appropriate API calls for the service yourself, and running your own OAuth server - which can be difficult for some people, and might be out of scope for what you are trying to achieve.
User pools also have integrations with AWS lambda and gives you the option to trigger functions based on user flow.
For example, if you wanted a lambda function to trigger right after a user has successfully signed up - maybe to send an email, or to create some backend functionality for that user, you have that ability. Or whenever someone successfully signs in, you could have lambda check some backend information about that user, and prepare their environment based on that.
As a final note: you can also add an entire listing of users and accounts via CSV file if you already have that information available.
I think the big thing to notice about this service in general, is that it is just trying to remove all of the extra obstacles out of the way and let you just get into developing your application.
There are plenty of steps required to make even simple sign and authentication work with modern applications, so to have all of these extraneous things dealt with for you is super powerful.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.