Chapter 10
Authentication and Authorization

THE AWS CERTIFIED DEVELOPER – ASSOCIATE EXAM TOPICS COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:

  • Domain 2: Security
  • check mark 2.1 Make authenticated calls to AWS services.
  • check mark 2.3 Implement application authentication and authorization.

Introduction to Authentication and Authorization

Authentication is the process or action that verifies the identity of a user or process. Authorization is a security mechanism that determines access levels or permissions related to system resources including files, services, computer programs, data, and application features. The authentication and authorization process grants or denies user access to network resources based on the identity.

AWS Identity and Access Management (IAM) allows you to create identities (users, groups, or roles) and control access to various AWS services through the use of policies. IAM serves as an identity provider (IdP).

The following are the benefits of integrating an existing IdP:

  • Users are no longer required to manage multiple sets of credentials.
  • There are fewer credentials to administer.
  • Credentials are centrally managed.
  • It is easier to establish and enforce compliance standards.

As an IdP, AWS is responsible for storing identities and providing the mechanism for authentication. You can use AWS as an IdP for the following:

  • AWS services
  • Applications running on AWS infrastructure
  • Applications running on non-AWS infrastructure, such as web or mobile applications

There are multiple benefits for using AWS as the IdP. AWS provides a managed service, eliminates single points of failure, is highly available, and can scale as needed. AWS also provides a number of tools, such as Amazon CloudWatch and AWS CloudTrail, to manage, control, and audit this service.

Using a third party to provide identity services is known as federation.

In this chapter, you learn the various ways to integrate existing identity providers into AWS and how to use AWS as an identity provider to control access to applications, both inside and outside the AWS infrastructure.

Different Planes of Control

There are two different planes of access used to manage and access AWS services: a control plane and a data plane.

The control plane permits access to perform operations on a particular AWS instance. AWS can control access to this plane through various AWS application programming interface (AWS API) operations. The data plane permits access to the application running on AWS. The data plane permits access to sign in to the compute instance using Secure Shell (SSH) or Remote Desktop Protocol (RDP) and to make changes to the guest operating system or to the application itself.

The control and data planes use different paths, different protocols, and different credentials; however, for several AWS services, the control and data planes are identical. Amazon DynamoDB allows you to stop and start the compute instances (control plane) and stop and start the database (data plane) using an AWS API.

Identity and Authorization

A discussion of federation requires a review of the concept’s identity and authorization. Each of these concepts asks and answers two different questions. Identity asks and answers “Who are you?”; and authorization asks and answers “What can you do?”

AWS establishes identity in several different ways, as shown in Table 10.1.

Table 10.1 AWS Identity

Name Identifier Credential
Root user Email Password
User Email Password
User, group, or role Access key ID Secret access key
API Access Secret access key

AWS establishes authorization by user-executed APIs. AWS controls operations and tasks through APIs. Policies are JavaScript Object Notation (JSON) documents that show attribute-value pairs. Every policy document requires a minimum of three attribute-value pairs: effect, action, and resource.

Effect has the API value of either ALLOW or DENY. The entity (whether a user, group, or role) is either granted the permission to execute that API or denied the permission to execute that API.

Action determines whether the API is allowed or denied. Actions can be determined by an individual API, a grouping of APIs for the same service using a wildcard (for example, S3:* includes all Amazon Simple Storage Service (Amazon S3 APIs), or APIs for different services.

Resource determines where the API is being allowed or denied. For example, with Amazon S3, you can allow the execution of an API in a particular bucket, object, or particular group of objects (using the wildcard *).

Symbol of Tip Though the order of the three attribute-value pairs has no impact on their execution, use the acronym EAR to remember the three attribute-value pairs: effect, action, and resource (EAR).

Federation Defined

A federation consists of two components: identity provider and identity consumer.

Each component plays a different role in the process of federation. An identity provider stores identities, provides a mechanism for authentication, and provides a course level of authorization. An identity consumer stores a reference to the identity, providing authorization at a greater granularity than the identity provider.

An identity provider and an identity consumer work together to create a federation. The identity provider and the identity consumer establish a trust relationship between each other. They agree on the type of information to exchange, what information to exchange, in what format, and what security methods and measures they will use.

An identity provider answers the question “Who are you?” Because a prior trust relationship has been established between the identity provider and the identity consumer, the identity consumer trusts the answer supplied by the identity provider and grants access.

There is no expectation that there will be either a synchronization or replication of data between an identity provider and an identity consumer or that an identity provider and an identity consumer are operated by the same organization or entity.

Federation with AWS

Federation with AWS allows for two things. First, it allows you to use AWS as an IdP to gain access to both AWS and non-AWS resources. Amazon Cognito is an AWS service that acts as an IdP. Second, you can use non-AWS resources like Security Assertion Markup Language (SAML) 2.0, OpenID Connect (OIDC), or Microsoft Active Directory as the IdP to facilitate single sign-on (SSO).

Federation enables you to manage access to your AWS resources centrally. With federation, you can use SSO to access your AWS accounts with credentials from your corporate directory. Federation uses open standards, such as SAML or OIDC, to exchange identity and security information between an IdP and an application.

The five mechanisms that the AWS federation can facilitate are as follows:

  • Custom-built IdP
  • Cross-account access
  • SAML
  • OIDC
  • Microsoft Active Directory

Custom Build an Identity Provider

Custom builds were the original method of federation within AWS, but they have since been supplanted by SAML, OIDC, and Microsoft Active Directory. With SAML, you can build a custom IdP that verifies users and their identities. Though building a custom IdP offers a high degree of customization, it is a complex process, and most customers now use standard solutions.

Cross-Account Access

When you need to access resources across multiple AWS accounts, cross-account access enables you to do so by using only one set of credentials. You can grant users access to resources in company accounts without having to maintain multiple user entities, and your users do not have to remember multiple passwords. Users can access the resources they need in AWS accounts by switching AWS roles. Access is permitted by the policies attached to each role. There are two accounts in cross-account access: the account in which the user resides, or source account, and the account with the resources to which the user wants access, or target account.

The target account has an IAM role that includes two components: a permissions policy and a trust policy. The permissions policy controls access to AWS services and resources, while the trust policy specifies who can assume the role and their external ID.

The source account is given an IAM role (AssumeRole) with a permissions policy that allows you to assume this role. The target account issues short-term credentials to the AssumeRole, which allows access to AWS services and the resources you specify in this credential.

Use cross-account access when you own either the target account or the source account and require no more than coordination between the owners of the source account and the target account. Cross-account access allows users to access the AWS Management Console, AWS APIs (control plane APIs and data plane APIs), and the AWS CLI.

Security Assertion Markup Language

Security Assertion Markup Language (SAML) provides federation between an IdP and a service provider (SP) when you are in an AWS account and a trust relationship has been established between the IdP and the SP. The IdP and the SP exchange metadata in an .xml file that contains both the certificates and attributes that form the basis of the trust relationship between the IdP and the SP.

You interact only with the IdP, and all authentication and authorization occurs between you and the IdP. Based on a successful authentication and authorization, the IdP makes an assertion to the service provider. Based on the previously established trust relationship, the service provider accepts this assertion and provides access.

Use SAML to provide access to the AWS Management Console, AWS APIs (control plane APIs and data plane APIs), and the AWS CLI. SAML can also access Amazon Cognito to control access to cloud services that exist outside AWS, such as software as a solution (SaaS) applications.

OpenID Connect

OpenID Connect (OIDC) is the successor to SAML. OIDC is easier to configure than SAML and uses tokens rather than assertions to provide access. Most use cases for OIDC involve external versus internal users.

With OIDC, OpenID provider (OP) uses a relying party (RP) trust to track the service provider. OP and RP exchange metadata by focusing on the OP providing information to the RP about the location of its endpoints. The RP must register with the OP and then receive a client ID and a client secret. This exchange establishes a trust relationship between the OP and the RP.

Because you interact solitarily with the OP, all authentication and authorization occur only between you and the OP. The OP issues a token to the service provider, which accepts this token and provides access. OIDC includes three different types of tokens.

  • ID token establishes a user’s identity.
  • Access token provides access to APIs.
  • Refresh token allows you to acquire a new access token when the previous one expires.

Companies such as Google, Twitter, Facebook, and Amazon can also establish their own OpenID provider.

After authentication and authorization occur, you can access numerous services, including the AWS Management Console, AWS APIs, and AWS CLIs. You can use OIDC to grant access to AWS services, including Amazon Cognito, Amazon AppStream 2.0, and Amazon Redshift. You can also use OIDC to grant access to SaaS applications outside of AWS.

Microsoft Active Directory

Microsoft Active Directory is the identity provider for a majority of corporations. You use the Active Directory forest trusts to establish trust between an Active Directory domain controller and AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD). For Microsoft Active Directory, the domain controller is on-premises or in the AWS Cloud.

In the Microsoft Active Directory setup, the Active Directory domain controller defines the user. However, you add users to the groups that you define in the AWS Managed Microsoft AD. Access to services depends on membership within these groups.

Use Microsoft Active Directory to provide data plane access to Amazon Elastic Compute Cloud (Amazon EC2) instances running Windows, Amazon Relational Database Service (Amazon RDS) instances running SQL Server, Amazon WorkSpaces, Amazon WorkDocs, Amazon WorkMail, and, with limitations, the AWS Management Console.

AWS Single Sign-On

AWS Single Sign-On (AWS SSO) is an AWS service that manages SSO access. AWS SSO allows users to sign in to a user portal with their existing corporate credentials and access both AWS accounts and business accounts. You can have multiple permission sets, allowing for greater granularity and control over access.

Setting Up AWS Single Sign-On

To set up AWS SSO, do the following:

  1. Enable AWS SSO.
  2. Connect your directory.
  3. Configure SSO to your AWS accounts.
  4. Configure SSO to your cloud applications (if applicable).
Prerequisites for AWS SSO

There are several prerequisites for using AWS SSO:

  • Configure and enable all AWS Organizations features.
  • Use Organizations master account credentials for the initial configuration.
  • Configure a Microsoft Active Directory in the AWS Directory Service.
  • Ensure that the Active Directory resides in the US-East-1 Region.

AWS CLI Access

You can sign in to the AWS SSO user portal with your existing corporate credentials and receive all AWS CLI credentials for your AWS accounts from a central location. These AWS CLI credentials automatically expire after 60 minutes to prevent unauthorized access to AWS accounts.

Management with AWS Organizations

AWS SSO enables management of SSO access and user permissions for your AWS accounts managed through AWS Organizations. Additional setup in the individual accounts is not required. AWS SSO automatically configures and maintains the necessary permissions in your accounts. You can assign user permissions based on common job functions and customize these permissions to meet your specific security requirements.

AWS SSO records all user portal sign-in activities in AWS CloudTrail, providing visibility into data, such as which users accessed specific accounts and applications from the user portal. AWS SSO records details, including IP address, user name, date, and time of the sign-in request. Changes made by administrators in the AWS SSO console are also recorded in CloudTrail.

Integration with Microsoft Active Directory

AWS SSO integrates with Microsoft Active Directory through the Directory Service, enabling you to sign in to the user portal using your Active Directory credentials. With the Active Directory integration, you can manage SSO access to your accounts and applications for users and groups in your corporate directory. For instance, when you add DevOps Active Directory users to your production AWS group, you are granted access to your production AWS accounts automatically. This makes it easier to onboard new users and gives existing users SSO access so that they can quickly access new accounts and applications.

Figure 10.1 shows the various AWS SSO options.

The figure shows the various AWS SSO options.

Figure 10.1 AWS SSO use cases model

AWS Security Token Service

AWS Security Token Service (AWS STS) creates temporary security credentials and provides trusted users with those temporary security credentials. The trusted users then access AWS resources with those credentials. Temporary security credentials work similarly to long-term access key credentials, but with the following differences:

  • Temporary security credentials consist of an access key ID, a secret access key, and a security token.
  • Temporary security credentials are short-term, and you configure them to remain valid for a duration between a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them.
  • Temporary security credentials are not stored with you; they are generated dynamically and provided to you upon request. You can request new credentials before or after the temporary security credentials expire, if you still have permission to do so.

Because of these differences, temporary credentials offer the following advantages:

  • You do not have to distribute or embed long-term AWS security credentials with an application.
  • You can provide users access to your AWS resources without defining an AWS identity for them. Temporary credentials are the basis for AWS roles and identity federation.
  • The temporary security credentials have a limited lifetime. You do not have to rotate or explicitly revoke them when the user no longer requires them.
  • After temporary security credentials expire, they cannot be reused. You can specify how long the credentials are valid, up to a maximum limit.

AWS STS IdPs come from different sources, including the following:

  • IAM users from another account
  • Microsoft Active Directory
  • Users of IdPs that are SAML 2.0–based
  • Web IdPs
  • Customer identity brokers

Symbol of Note Use Amazon Cognito to authenticate for mobile applications. Amazon Cognito supports the same IdPs as AWS STS. However, it also supports unauthenticated (or guest) access and provides a means for synchronizing user data between multiple devices owned by the same user.

AWS STS supports the following APIs:

  • AssumeRole
  • AssumeRoleWithSAML
  • AssumeRoleWithWebIdentity
  • DecodeAuthorizationMessage
  • GetCallerIdentity
  • GetFederationToken
  • GetSessionToken

AssumeRole This API provides a set of temporary security credentials to access AWS resources. Use AssumeRole to grant access to existing IAM users who have identities in other AWS accounts. Use this API if you need to support multi-factor authentication (MFA). By default, the maximum duration of the credentials that this API issues is 60 minutes.

Symbol of Note The default maximum duration for AssumeRole APIs is 60 minutes. However, you can change the maximum duration to 12 hours (720 minutes) for a specific role.

AssumeRoleWithSAML AssumeRoleWithSAML provides a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) to access AWS resources. Use this API when you are using an identity store or directory that is SAML-based, rather than having an identity from an IAM user in another AWS account. This API does not support MFA.

AssumeRoleWithWebIdentity AssumeRoleWithWebIdentity provides a set of temporary security credentials that you use to access AWS resources. Use this API when users have been authenticated in a mobile or web application with a web IdP, such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OIDC-compatible identity provider. This API does not support MFA.

DecodeAuthorizationMessage DecodeAuthorizationMessage decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request. The message is encoded to prevent the requesting user from seeing details of the authorization status, which can contain privileged information.

The decoded message includes the following:

  • Whether the request was denied because of an explicit deny or because of the absence of an explicit allow
  • Principal who made the request
  • Requested action
  • Requested resource
  • Values of condition keys in the context of the user’s request

GetCallerIdentity The GetCallerIdentity API returns details about the IAM identity whose credentials call the API.

GetFederationToken The GetFederationToken API provides a set of temporary security credentials to access AWS resources. For example, a typical use is within a proxy application that retrieves temporary security credentials on behalf of distributed applications inside a corporate network.

The permissions for the temporary security credentials returned by GetFederationToken are a combination of the policy or policies that are attached to the IAM user, whose credentials call the GetFederationToken, and the policy passes as a parameter in the call.

Because the call for the GetFederationToken action uses the long-term security credentials of an IAM user, this call is appropriate in contexts where credentials can be safely stored. The API credentials can have a duration of up to 36 hours. This API does not support MFA.

Symbol of Tip Remember that the most restrictive policy is the one enforced. So, if you have a user who has a policy that ALLOWS access to an API, but a policy is passed as a parameter that DENIES access to that API, the result is a DENY.

GetSessionToken GetSessionsToken provides a set of temporary security credentials to access AWS resources. You normally use GetSessionToken to enable MFA to protect programmatic calls to specific AWS APIs like Amazon EC2 StopInstances.

MFA-enabled IAM users call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that return from the call, IAM users can then make programmatic calls to APIs that require MFA authentication.

Amazon Cognito

Amazon Cognito is a service that allows you to manage sign-in and permissions for mobile and web applications through two services: Amazon Cognito Sync store and Amazon Cognito Sync.

With Amazon Cognito Sync store, you can authenticate users using third-party social identity providers or create your own identity store. With Amazon Cognito Sync, you can synchronize identities across multiple devices and the web.

By using Amazon Cognito, you can grant users access to AWS resources without having to embed AWS credentials into the web or mobile application. Amazon Cognito integrates with AWS STS to identify the user and give the user a consistent identity throughout the lifetime of an application, even if the device is offline or the user is accessing the application on a different device. Amazon Cognito is a managed service, providing scaling, redundancy, and high availability. You provide authentication with Amazon Cognito in one of three ways:

  • Your own identity store
  • Social identity providers such as Amazon or Facebook
  • SAML-based identity solutions

Amazon Cognito provides a variety of mechanisms to secure the application. You can configure guest access, multi-factor authentication, and confirmation of account with Short Message Service (SMS) or email, among other mechanisms. Amazon Cognito integrates with AWS CloudTrail to track creations, deletions, and configuration changes. You can also use Amazon CloudWatch alarms to monitor for a specific activity and receive Amazon Simple Notification Service (Amazon SNS) or email notifications, if that activity occurs.

Amazon Cognito uses identity for user pools and identity pools. You use Amazon Cognito to access the AWS Management Console, AWS CLI, and AWS SDKs.

Microsoft Active Directory as Identity Provider

Many enterprises already use Microsoft Active Directory as their identity store. Integrating Active Directory, rather than configuring a new identity store, simplifies administrative overhead. AWS Managed Microsoft AD provides multiple ways to use Amazon Cloud Directory and Microsoft Active Directory with other AWS services.

Directories store information about users, groups, and devices, which administrators use to manage access to information and resources. AWS Directory Service provides multiple directory choices for customers who want to use an existing Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP)–aware applications in the cloud. It also offers those same choices to developers who need a directory to manage users, groups, devices, and access.

There are four different ways to implement Microsoft Active Directory in an AWS infrastructure.

  • Run Microsoft Active Directory on Amazon EC2 with an AWS account.
  • Use Active Directory Connector (AD Connector) to connect AWS services with an on-premises Microsoft Active Directory.
  • Create a Simple Active Directory (Simple AD) that provides basic Active Directory compatibility.
  • Deploy AWS Managed Microsoft AD.

Symbol of Tip AWS publishes a number of Quick Start reference deployment guides, including a deployment guide for Active Directory Domain Services. For more information, see https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/youlcome.html.

Microsoft Active Directory on Amazon EC2 with AWS Account

AWS provides a comprehensive set of services and tools for deploying Microsoft Windows–based workloads in its secure cloud infrastructure. Active Directory Domain Services (AD DS) and Domain Name System (DNS) are core Windows services that provide the foundation for many enterprise-class Microsoft-based solutions, including Microsoft SharePoint, Microsoft Exchange, and .NET applications.

When deploying AD DS on Amazon EC2, you are responsible for deploying in a highly available configuration. You are also responsible for verifying that AD DS is backed up and configured in a fault-tolerant mode. Microsoft Active Directory deploys either as a primary or secondary domain controller, and you can choose to use Amazon Machine Images (AMI) or import your own virtual machine images.

Active Directory Connector

Active Directory Connector (AD Connector) connects your existing on-premises Microsoft Active Directory with compatible AWS applications. AWS-compatible applications include Amazon WorkSpaces, Amazon QuickSight, Amazon WorkMail, and Amazon EC2 for Windows Server instances, among others. With AD Connector acting as a proxy service, you can add a service account to your Active Directory, and AD Connector eliminates the need for directory synchronization or the cost and complexity of hosting a federation infrastructure.

When you add users to AWS applications, AD Connector reads your existing Active Directory to create lists of users and groups from which to select. When users sign in to the AWS applications, AD Connector forwards sign-in requests to your on-premises Active Directory domain controllers for authentication.

Symbol of Note AD Connector is not compatible with Amazon Relational Database Service (Amazon RDS) SQL Server.

Management of your Active Directory does not change; you add new users and groups and update passwords using the standard Active Directory administration tools in your on-premises Active Directory. This helps you to consistently enforce your security policies, such as password expiration, password history, and account lockouts, regardless of whether users are accessing resources on-premises or on the AWS Cloud.

AD Connector enables you to access the AWS Management Console and manage AWS resources by signing in with your existing Active Directory credentials. AD Connector is not compatible with Amazon RDS for SQL Server.

You can use the AD Connector to enable MFA for your AWS application users by connecting it to your existing RADIUS-based MFA infrastructure. This provides an additional layer of security when users access AWS applications.

Simple Active Directory

Simple Active Directory (Simple AD) is a Microsoft Active Directory that is compatible with AWS Directory Service and is powered by Samba 4. Simple AD is a standalone directory in the cloud, where you create and manage identities and manage access to applications. You can use many familiar Active Directory–aware applications and tools that require basic Active Directory features.

Simple AD supports basic Active Directory features such as user accounts, group memberships, memberships for a Linux domain or Windows-based Amazon EC2 instances, Kerberos-based SSO, and group policies. However, Simple AD does not support trust relationships, DNS dynamic update, schema extensions, MFA, communication over LDAPs, PowerShell Active Directory cmdlets, or Flexible Single Master Operation (FSMO) role transfer. In addition, Simple AD is not compatible with RDS SQL Server.

Simple AD is compatible with the following AWS applications: Amazon WorkSpaces, WorkDocs, Amazon QuickSight, and WorkMail. You can sign in to the AWS Management Console and manage AWS resources with Simple AD user accounts.

AWS Managed Microsoft AD

AWS Managed Microsoft AD is an actual Microsoft Windows Server Active Directory, managed by AWS in the AWS Cloud. It enables you to migrate a broad range of Active Directory–aware applications to the AWS Cloud. AWS Managed Microsoft AD works with Microsoft SharePoint, Microsoft SQL Server Always-On Availability Groups, and many .NET applications.

Figure 10.2 illustrates Directory Service and its relation to AWS applications and services: Amazon EC2, Active Directory–aware workloads, cloud applications, and on-premises Active Directory.

The figure shows AWS Directory Service chart.

Figure 10.2 AWS Directory Service chart

Directory Service includes key features that enable you to extend your schema, manage password policies, and enable secure LDAP communications through Secure Socket Layer (SSL)/Transport Layer Security (TLS). The service is approved for applications in the AWS Cloud that are subject to the United States Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI DSS) compliance when you enable compliance for your directory.

You can add users and groups to AWS Managed Microsoft AD and administration to group policies using familiar Active Directory tools. You scale the directory by deploying additional domain controllers and improve performance by distributing requests across a larger number of domain controllers.

AWS provides monitoring, daily snapshots, and recovery as part of the service. You can connect AWS Managed Microsoft AD with a trust and use credentials to an Active Directory running on-premises. Trust relationship support includes one-way (both in and out) and two-way.

AWS Managed Microsoft AD can support AWS managed applications and services, including Amazon WorkSpaces, WorkDocs, Amazon QuickSight, Amazon Chime, Amazon Connect, and Amazon RDS for SQL Server.

Summary

This chapter discussed the concepts of identity and authorization and how you can use AWS services to provide them. You learned that identity and authorization can operate at different planes of access—the control plane and the data plane. You also learned that these planes differ in terms of paths used, protocols configured, services managed, and credentials deployed.

In addition, you learned about the various AWS services and where you use identity and authorization, including the following:

  • AWS SSO
  • AWS STS
  • Amazon Cognito
  • AWS Managed Microsoft AD

Exam Essentials

Understand what federation is. Know the difference between federation and SSO. Understand when you would use federation and when you would use SSO.

Understand the role of an identity provider (IdP). Know what an IdP does, how it operates, and how it interacts with an identity consumer.

Know the different federation services that AWS offers. Understand which services act as IdPs, which act as identity consumers, and which act as SSO.

Understand AWS Directory Service options. Know the use cases for Microsoft Active Directory, Cloud Directory, and Amazon Cognito.

Understand how policies work. Know the structure of policies and how to apply them.

Recognize the role of policies in controlling access to AWS resources. Know how to use AWS services to control access to non-AWS resources and how to use non-AWS services to control access to AWS resources.

Understand the difference between the data plane and control plane with regard to protocols and commands. Know how AWS STS and AWS SSO work and how to implement these services.

Resources to Review

Exercises

Exercise 10.4

Setting Up Amazon Cognito

In this exercise, you will set up Amazon Cognito, which is the service that provides authentication, authorization, and user management for web and mobile applications.

The two main components of Amazon Cognito are user pools and identity pools. User pools is a user directory that provides sign-up and sign-in services. Identity pools are used to provide access to other AWS services.

You can use identity pools and user pools separately or together. In this exercise, you will set up a user pool.

  1. In the AWS Directory Services console navigation pane, under Security, Identity & Compliance, choose Cognito and then choose Manage User Pools.
  2. Provide a name for your user pool. Enter admin-group.
  3. Specify how a user signs in. In this example, select user name, and then choose Next step.
  4. Retain the default settings and choose Next step.

  • You can set MFA as optional or required. After a user pool is configured, you cannot change the MFA setting. Amazon Cognito uses Amazon SNS to send SMS messages. If MFA is enabled, you must assign a role with the correct policy to send SMS messages.

  1. Retain the default settings and choose Next step.
  2. On the Attributes page, retain the default settings for email customization, and choose Next step.
  3. To manage the AWS infrastructure, apply tags. Enter the following information, and then choose Next step:
    1. In Tag Key, enter user
    2. In Tag Value, enter admin-user.
  4. Select No and choose Next step.

  • Amazon Cognito can detect and retain your user’s device. This step enables you to configure that capability. In this example, however, you will select No. Choose Next step.

  1. Retain the default settings and choose Next step.

  • You can configure how client applications gain access to the user pool. In this exercise, no access is granted.

  1. Retain the default settings and choose Next step.

  • You can configure AWS Lambda functions that can be triggered during the Amazon Cognito operation. For this exercise, you will not configure any Lambda functions.

  1. On the Review page, review your configurations, and choose Create pool.

    You have successfully created a user pool in Amazon Cognito.

Review Questions

  1. You need to grant a user, who is outside your AWS account, access to an object in an Amazon Simple Storage Service (Amazon S3) bucket. Which is the best way to provide access?

    1. Create a role and assign that role to the user.
    2. Create a user ID within Identity and Access Management (IAM) and assign the user ID a policy that allows access.
    3. Create a new AWS account, assign that user to the account, and then give the account cross-account access.
    4. Have the user create a user ID using a third-party identity provider (IdP), and based on that user ID, assign a policy that permits access.

  2. Which of the following is the purpose of an identity provider (IdP)?

    1. To control access to applications
    2. To control access to the AWS infrastructure
    3. To minimize the opportunity to assign the incorrect policy
    4. To answer the question “Who are you?”

  3. Which of the following is the best way to minimize misuse of AWS credentials?

    1. Set up multi-factor authentication (MFA).
    2. Embed the credentials in the bastion host and control access to the bastion host.
    3. Put a condition on all of your policies that allows execution only from your corporate IP range.
    4. Make sure that you have a limited number of credentials and limit the number of people that can use them.

  4. Which of the following is not a valid identity provider (IdP) for Amazon Cognito?

    1. Google
    2. Microsoft Active Directory
    3. Your own identity store
    4. A Security Assertion Markup Language (SAML) 1.0–based IdP

  5. Which of the following is one benefit of using AWS as an identity provider (IdP) to access non-AWS resources?

    1. AWS cannot be used as an IdP for non-AWS services.
    2. Using AWS as an IdP allows you to use Amazon CloudWatch to monitor activity.
    3. Using AWS as an IdP allows you to use AWS CloudTrail to audit who is using the service.
    4. Using AWS as an IdP allows you to assign policies to non-AWS resources.

  6. Which of the following are benefits from using the Active Directory Connector (AD Connector)? (Select TWO.)

    1. Easy setup
    2. Ability to connect to multiple Active Directory domains with a single connection
    3. Ability to configure changes to Active Directory on your existing Active Directory console
    4. Ability to support authentication to non-AWS services

  7. Which of the following is a prerequisite for using AWS Single Sign-On (AWS SSO)?

    1. Set up AWS Organizations and enable all features.
    2. Make sure that your identity provider (IdP) is Security Assertion Markup Language (SAML) 2.0 compatible.
    3. Deploy AWS Simple Active Directory (Simple AD).
    4. Deploy Amazon Cognito.

  8. AWS Security Token Service (AWS STS) supports a number of different tokens.

    Which token would you use to establish a longer-term session?

    1. AssumeRole
    2. GetUserToken
    3. GetFederationToken
    4. GetSessionToken

  9. Which of the following is not a service that AWS Managed Microsoft AD provides?

    1. Daily snapshots
    2. Ability to manage the Amazon Elastic Compute Cloud (Amazon EC2) instances that AWS Managed Microsoft AD is running on
    3. Monitoring
    4. Ability to sync with on-premises Active Directory

  10. You are using an existing RADIUS-based multi-factor authentication (MFA) infrastructure.

    Which AWS service is your best choice?

    1. Active Directory Connector (AD Connector)
    2. AWS Managed Microsoft AD
    3. Simple Active Directory (Simple AD)
    4. No AWS service would be suitable.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset