AWS Security Services: Identity & Access Management
AWS IAM with AWS SSO and Amazon Cognito
AWS security services are the tools AWS provides to help organizations deploy comprehensive security for their infrastructure. These services fall into 5 main categories:
Identity & Access Management (IAM) is the subject of this article. Over time, managing users and their access has only become more complicated (and more critical to security).
AWS Security Services: The Before Times
Initially, each organization had a single AWS account, and everything was simple. Each user had a single set of:
- User name
- Secret Keys
AWS Security Services: Modern Architecture
In modern architectures there are multiple AWS accounts, and each account issues its own access / secret keys and usernames / passwords, so a user ends up juggling several sets of credentials. This is difficult to work with.
The architecture of AWS IAM is what deals with this scenario. With cross-account IAM roles, a user keeps a single set of credentials and keys in one account and assumes roles in the others.
There are three major steps to set up cross-account IAM roles:
- Create a user in Account A
- Create a cross-account role in Account B
- Allow the user in Account A to switch to the role in Account B
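The three steps above map to three concrete artifacts: the trust policy on the role in Account B, the policy on the user in Account A that permits the switch, and the CLI profile that performs it. The following is an added example, not code from the original article; the account IDs, user name and role name are placeholders, and the `trust_policy_is_scoped` check is a review aid written for this example.

```python
"""Cross-account IAM role, written out as the three artifacts the three steps
produce. Added example, not from the original article; the account IDs,
user name and role name below are placeholders."""
import json

ACCOUNT_A = "111111111111"          # placeholder: account that owns the IAM user
ACCOUNT_B = "222222222222"          # placeholder: account that owns the role
USER_NAME = "alice"                 # placeholder user created in Account A (step 1)
ROLE_NAME = "CrossAccountReadOnly"  # placeholder role created in Account B (step 2)


def role_trust_policy(account_a: str, user_name: str) -> dict:
    """Step 2: trust policy on the role in Account B. It names exactly one
    principal (the user in Account A) that may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_a}:user/{user_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def user_assume_policy(account_b: str, role_name: str) -> dict:
    """Step 3: identity policy attached to the user in Account A. It permits
    assuming only this one role ARN, so the user's single set of keys cannot
    reach anything else in Account B."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{account_b}:role/{role_name}",
        }],
    }


def cli_profile(account_b: str, role_name: str, source_profile: str = "account-a") -> str:
    """~/.aws/config stanza for the switch: the CLI calls sts:AssumeRole with
    the long-term keys of `source_profile` and uses the returned temporary
    credentials for every command run under the `account-b` profile."""
    return (
        "[profile account-b]\n"
        f"role_arn = arn:aws:iam::{account_b}:role/{role_name}\n"
        f"source_profile = {source_profile}\n"
    )


def trust_policy_is_scoped(policy: dict) -> bool:
    """Review check for step 2: a trust policy that allows '*' or an
    account's :root principal grants more than the single user intended."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return False
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        for arn in aws:
            if arn == "*" or arn.endswith(":root"):
                return False
    return True


def render(policy: dict) -> str:
    """JSON as it would be pasted into the IAM console or passed to the CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(role_trust_policy(ACCOUNT_A, USER_NAME)))
    print(render(user_assume_policy(ACCOUNT_B, ROLE_NAME)))
    print(cli_profile(ACCOUNT_B, ROLE_NAME))
    print("trust policy scoped:", trust_policy_is_scoped(role_trust_policy(ACCOUNT_A, USER_NAME)))
```

With the profile in place, `aws s3 ls --profile account-b` runs in Account B while the only long-term keys on disk remain those of the Account A user.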
Best Practice Pro Tip
It is recommended to always use an IAM role instead of hard-coding AWS access keys in an EC2 instance or in application code.
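A practical way to enforce this tip is to scan source for long-term access keys before it is committed. The following is an added example, not from the original article: the sample snippet is constructed, showing the anti-pattern next to the recommended form, and the key pair in it is the documented AWS placeholder pair rather than a real credential.

```python
"""Detection check for the 'never hard-code access keys' advice: scan source
text for long-term AWS access key IDs and secret keys. Added example, not
from the original article. The sample snippet is constructed and the key pair
in it is the documented AWS placeholder pair."""
import re

# Long-term IAM user access key IDs start with AKIA followed by 16 uppercase
# alphanumerics. (Temporary STS keys start with ASIA and expire on their own.)
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Secret keys are 40 base64-style characters; anchoring on the parameter name
# keeps unrelated 40-character strings (hashes, tokens) from triggering.
SECRET_KEY_RE = re.compile(
    r"aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})", re.IGNORECASE
)

# Constructed sample: the anti-pattern next to the recommended form.
SAMPLE_SOURCE = """\
import boto3

# hard-coded keys: anyone who reads this file (or the repo history) owns them
s3 = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)

# recommended: no keys in code, the SDK picks up the EC2 instance role
s3_ok = boto3.client("s3")
"""


def find_hardcoded_keys(source: str) -> list[tuple[int, str]]:
    """Return (line_number, finding_kind) for every line carrying a key."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((lineno, "access_key_id"))
        if SECRET_KEY_RE.search(line):
            findings.append((lineno, "secret_access_key"))
    return findings


if __name__ == "__main__":
    for lineno, kind in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded {kind}")
```

Run over the sample, the scanner reports lines 6 and 7 (the two keyword arguments) and stays silent on the `boto3.client("s3")` call, which is the form the tip recommends: with no keys in code, the SDK obtains temporary credentials from the instance role.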
AWS IAM deserves its own article, which you can find here. Below, we introduce two further AWS security services: AWS SSO and Amazon Cognito.
AWS Security Services: Single Sign-On
AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.
Conveniently, AWS SSO integrates with the AWS Command Line Interface (CLI). SSO users can authenticate via the CLI and perform CLI operations without adding keys to their ~/.aws/credentials file.
AWS Security Services: Amazon Cognito
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps.
Let’s understand this with a use case:
Sophia is a mobile developer at a start-up. The team has begun building a mobile wallet app, with the following specific requirements:
- Users should be able to sign-in with social network platforms like Facebook, Twitter and Google.
- There should be a post-sign-up verification step (one-time password).
- An account recovery feature should be present.
- Guest access must be allowed so that users can look at the app without signing up.
At a high level, there are two major features under Amazon Cognito:
- User Pools: handle the authentication and authorization process
- Identity Pools: provide federation for users in user pools, granting them temporary AWS credentials
What is a federated user? AWS defines it as follows:
“AWS supports federated user access to AWS service APIs and resources. Federated users are managed in an external directory and are granted temporary access to AWS services.”
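The guest-access requirement above is where identity pools earn their keep: a federated identity (signed in or not) is mapped to an IAM role and receives temporary credentials for it. The following is an added example, not code from the original article, showing the trust policies for the unauthenticated (guest) and authenticated roles of one identity pool, the read-only permissions a guest gets, and a check that the guest policy really is read-only; the identity pool ID and bucket name are placeholders.

```python
"""Identity pool federation for the guest-access requirement: two IAM roles,
one for unauthenticated (guest) identities and one for authenticated users,
each with a trust policy scoped to one identity pool. Added example, not from
the original article; the identity pool ID and bucket name are placeholders."""
import json

IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder
WALLET_BUCKET = "example-wallet-assets"                              # placeholder

# Action verbs a guest may use; anything else (Put, Delete, wildcards) is refused.
READ_VERBS = ("Get", "List", "Describe", "Head")


def identity_pool_trust_policy(pool_id: str, amr: str) -> dict:
    """Trust policy for a role handed out by Cognito Identity. `amr` is
    'unauthenticated' for guests or 'authenticated' for signed-in users; the
    aud condition pins the role to this one identity pool, so tokens from any
    other pool cannot assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }


def guest_permissions(bucket: str) -> dict:
    """What a guest may do: read the app's public assets, nothing more."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/public/*"],
        }],
    }


def authenticated_permissions(bucket: str) -> dict:
    """Signed-in users additionally get their own prefix, keyed by the Cognito
    identity ID policy variable, so one user cannot read another's data."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/users/${{cognito-identity.amazonaws.com:sub}}/*",
        }],
    }


def is_read_only(policy: dict) -> bool:
    """Check for the guest role: every allowed action must use a read verb
    and no action may contain a wildcard."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _, _, verb = action.partition(":")
            if "*" in action or not verb.startswith(READ_VERBS):
                return False
    return True


if __name__ == "__main__":
    for amr in ("unauthenticated", "authenticated"):
        print(json.dumps(identity_pool_trust_policy(IDENTITY_POOL_ID, amr), indent=2))
    print("guest role read-only:", is_read_only(guest_permissions(WALLET_BUCKET)))
    print("auth role read-only:", is_read_only(authenticated_permissions(WALLET_BUCKET)))
```

The two trust policies differ only in the `amr` value, which is how the identity pool keeps a guest from landing in the authenticated role; the read-only check is the kind of guard worth running whenever the guest role's permissions change.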