How IAM is used to securely manage access
Managing user identities with long term credentials in IAM
Managing access using IAM user groups & roles
Using IAM policies to define and manage permissions
AWS Web Application Firewall
AWS Firewall Manager
AWS Security Hub Overview
Other AWS Security Services
This course looks at the key security services within AWS relevant to the Solutions Architect Associate exam. Core to security is Identity & Access Management, commonly referred to as IAM. This service manages the identities that are able to access your AWS resources and the permissions they hold, so understanding how it works and what you can do with it will help you maintain a secure AWS environment.
- Learn about identity and access management on AWS including users, groups & roles, IAM policies, MFA, identity federation, and cross-account access
- Learn the fundamentals of AWS Web Application Firewall (WAF) including what it is, when to use it, how it works, and why use it
- Understand how to configure and monitor AWS WAF
- Learn about AWS Firewall Manager and its components
- Learn how to configure AWS Shield
- Learn the fundamentals of AWS Cognito
The primary concern of Cognito User Pools is to create and maintain a directory of the users of your mobile or web applications. That means handling both sign-up for new users and sign-in for returning ones.
When signing up new users, Cognito lets you decide what information matters for your application, and there is a lot you can have prospective users submit when they register.
If you want all of your new users to submit their email, address, picture, or whatever else, you can configure that while creating your user pool.
You can also create custom attributes if you need something specific from your users. A custom attribute is either a string or a number; for a string you can set the minimum and maximum length you will accept, for a number the minimum and maximum value. Custom attributes are exposed to your application with a custom: prefix, and once added to a user pool they cannot be removed, so plan them up front.
This information is all stored within the Cognito User pool and can be accessed by your application when you need it.
You can also specify how stringent the password policy for your users should be.
Cognito gives you the usual password controls: minimum length, and whether numbers, special characters, uppercase and lowercase letters are required, and so on.
Amazon Cognito can also require multi-factor authentication (MFA), delivered by SMS or by a time-based one-time password (TOTP) authenticator app. I would recommend it for any financial service, for high-value information such as medical records or credit card details, and really for anything with in-app purchases where a user may have invested a significant amount of money.
The service even includes account recovery by email or phone, something that is tedious to build yourself and would normally require another backend service.
Additionally, if you don't want your users to go through all of that, Cognito User Pools supports social sign-in, meaning your users can sign in to your application with a third-party identity provider such as Facebook, Google, Login with Amazon, or Sign in with Apple.
This route does require you (the application developer) to first set up a developer account with each external provider and register your application with them. It's not a particularly difficult task, but it can be time-consuming.
Take a look over here for a step by step walkthrough of the process: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-social-idp.html
Finally, you can also sign in with any SAML (Security Assertion Markup Language) identity provider. If you are unfamiliar with SAML, it is an XML-based standard for exchanging security assertions and an important building block of web single sign-on. For example, your SAML identity provider might be Active Directory Federation Services (AD FS), whether backed by your on-premises Active Directory or by one you host on an EC2 instance.
Be aware that federation of any kind (social or SAML) goes through the user pool's hosted endpoints, so you will need to configure a domain for the user pool. An Amazon Cognito domain prefix is enough; only if you want a custom domain do you need to own the domain name and hold a TLS certificate for it in AWS Certificate Manager.
The service also provides a hosted, customizable web UI to handle sign-in and sign-up. Behind the hosted UI sits an OAuth 2.0 compliant authorization server, with standard authorize and token endpoints. OAuth 2.0 is an open-standard authorization protocol that lets a user grant an application limited access to resources on their behalf without handing that application their credentials.
The user experience of the hosted web UI is customizable: you can add your own brand logo and change the look and feel of the page.
You don't have to use it, of course, and can build your own UI. You would then be in charge of calling the user pool API yourself (sign-up, confirmation, and the authentication flows such as SRP), and the hosted UI's OAuth 2.0 endpoints would not be part of the picture, which is more work than some people want and may be out of scope for what you are trying to achieve.
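To make the hosted UI's OAuth 2.0 flow concrete, here is an added example (not code from the course or from AWS) of the client side of an authorization-code flow with PKCE against a user pool's /oauth2/authorize and /oauth2/token endpoints. The user pool domain, app client ID and redirect URI are assumptions, and the callback URL in demo() is constructed to stand in for the browser redirect after login. The two checks the paragraph above does not spell out are here: the state parameter is compared on return so a forged or stale callback is rejected, and the PKCE verifier ties the token request to the session that started the login, so a stolen authorization code alone cannot be redeemed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for the example (not from the page): a user pool domain, app client and redirect URI.
USER_POOL_DOMAIN = "https://example-app.auth.us-east-1.amazoncognito.com"  # assumption
CLIENT_ID = "1example23456789"  # assumption
REDIRECT_URI = "https://app.example.com/callback"  # assumption


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    32 random bytes encode to 43 characters, inside RFC 7636's 43..128 range.
    """
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def challenge_matches(verifier: str, challenge: str) -> bool:
    """What the authorization server checks at the token endpoint: SHA-256(verifier) == challenge."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def build_authorize_url(state: str, code_challenge: str, scope: str = "openid email") -> str:
    """The URL the browser is sent to; the user authenticates on the hosted UI, not in our app."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{USER_POOL_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, rejecting a missing or mismatched state."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    returned_state = qs.get("state", [""])[0]
    # Constant-time compare; a mismatch means the callback was not started by this session (CSRF or replay).
    if not returned_state or not secrets.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale login")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str, code_verifier: str) -> tuple[str, dict]:
    """The POST to /oauth2/token that redeems the code; the verifier proves we began the flow."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }
    return f"{USER_POOL_DOMAIN}/oauth2/token", body


def demo() -> dict:
    """Run the whole client side against a constructed callback (no network)."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    authorize_url = build_authorize_url(state, challenge)
    callback = f"{REDIRECT_URI}?code=abc123&state={state}"  # constructed redirect, not a real one
    code = parse_callback(callback, state)
    token_url, body = build_token_request(code, verifier)
    return {"authorize_url": authorize_url, "code": code, "token_url": token_url, "body": body}


if __name__ == "__main__":
    print(demo()["authorize_url"])
```

Store state and code_verifier server-side (or in an HttpOnly session cookie) between the redirect out and the callback in; neither should be derivable by the browser that is sent to the authorize URL. The ID and access tokens that come back from the token endpoint are JWTs signed by the user pool, so a backend that receives them must still verify the signature against the pool's JWKS and check the issuer, audience (client_id) and expiry.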
User pools also integrate with AWS Lambda, letting you trigger functions at defined points in the user flow: pre sign-up, post confirmation, pre and post authentication, pre token generation, custom message, and more.
For example, if you wanted a Lambda function to run right after a user has successfully signed up, maybe to send an email or to create some backend state for that user, you have that ability. Or whenever someone successfully signs in, you could have Lambda check some backend information about that user and prepare their environment accordingly.
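As an added example (not the course's own code), the following Python Lambda handler implements two of the triggers just described: a pre sign-up trigger that rejects registrations from email domains outside an assumed allow list, and a post confirmation trigger that provisions backend state for the new user. The event layout follows the fields Cognito passes to these triggers (triggerSource, request.userAttributes, response); the events built by make_event are constructed for the example, and the allowed domains, the pool ID and the in-memory PROVISIONED store standing in for a real backend are assumptions.

```python
# Assumed for this example (not from the page): only these email domains may register.
ALLOWED_EMAIL_DOMAINS = {"example.com", "example.org"}

# Stand-in for a real backend (database row, S3 prefix, etc.): sub -> email. Assumption for the example.
PROVISIONED: dict[str, str] = {}


def pre_sign_up(event: dict) -> dict:
    """PreSignUp trigger: runs before the user record exists.

    Raising an exception rejects the sign-up; Cognito returns the message to the
    caller, so keep it free of internal detail.
    """
    email = event["request"]["userAttributes"].get("email", "")
    domain = email.rpartition("@")[2].lower()
    if domain not in ALLOWED_EMAIL_DOMAINS:
        raise ValueError("sign-up is not permitted for this email domain")
    # Leave auto-confirm/auto-verify off so the email verification step still happens.
    event["response"]["autoConfirmUser"] = False
    event["response"]["autoVerifyEmail"] = False
    return event


def post_confirmation(event: dict) -> dict:
    """PostConfirmation trigger: runs once the user has confirmed their account.

    This is the right moment for backend provisioning; the response object is
    ignored for this trigger, so the event is returned unchanged.
    """
    attrs = event["request"]["userAttributes"]
    PROVISIONED[attrs["sub"]] = attrs.get("email", "")  # hypothetical backend call
    return event


def handler(event: dict, context=None) -> dict:
    """Single entry point wired to both triggers; dispatch on triggerSource."""
    source = event["triggerSource"]
    if source.startswith("PreSignUp_"):
        # Covers PreSignUp_SignUp, PreSignUp_AdminCreateUser and PreSignUp_ExternalProvider.
        return pre_sign_up(event)
    if source == "PostConfirmation_ConfirmSignUp":
        # Deliberately not PostConfirmation_ConfirmForgotPassword: a password reset is not a new user.
        return post_confirmation(event)
    return event  # any other trigger source: pass through untouched


def make_event(trigger_source: str, email: str, sub: str = "11111111-2222-3333-4444-555555555555") -> dict:
    """Constructed trigger event carrying the fields the handlers read (not a real invocation)."""
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "region": "us-east-1",
        "userPoolId": "us-east-1_EXAMPLE",  # placeholder pool ID
        "userName": email,
        "callerContext": {"awsSdkVersion": "aws-sdk-unknown-unknown", "clientId": "1example23456789"},
        "request": {"userAttributes": {"sub": sub, "email": email, "email_verified": "false"}},
        "response": {},
    }


if __name__ == "__main__":
    print(handler(make_event("PreSignUp_SignUp", "alice@example.com"))["response"])
    handler(make_event("PostConfirmation_ConfirmSignUp", "alice@example.com"))
    print(PROVISIONED)
```

Two points worth keeping in mind when you wire this up for real: the pre sign-up check runs for federated users too (PreSignUp_ExternalProvider), which is where an allow list is most useful, and a post confirmation function that fails after the user has been confirmed does not roll the confirmation back, so make the provisioning step idempotent and safe to retry.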
As a final note: you can also import an entire list of users from a CSV file if you already have that information available. Passwords are not imported; each imported user is required to reset their password the first time they sign in.
The big thing to notice about this service in general is that it tries to remove the extra obstacles and let you get on with developing your application.
There are plenty of steps required to make even simple sign-up and authentication work in a modern application, so having all of these extraneous things dealt with for you is very powerful.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.