
SECURITY SERIES - AMAZON COGNITO

Security Series
Amazon Cognito

Brad Burnett, Edward Sun, Serge Moro

Wed May 22

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.

Agenda

• Identity Standards
• AWS Identity vs Application Identity
• Introduction to Amazon Cognito
• Key Features, Primary Use-Cases & Demo
• How to get started + Resources
• Live “Ask me anything” Q&A
• Exit Survey

Identity Standards

An abridged history of identity…

(Timeline figure: Terminal; Client-Server (PC); Browser / Website; Federation Portals; OAuth / OIDC; milestones at 1990, 1997, 2001, 2007 and 2014.)

And it did not start well …

(Figure: users Alice, Bob, Charles, Dan and Eve each hold a separate account at every site.)

• Multiple Accounts
• Poor User Experience
• Lack of Centralized Control by the User
• Promotes Password Re-Use
• No Standardized Interoperability
• Unproven, Proprietary Security
• Security-Through-Obscurity
• Complex Engineering Onboarding
• Lack of Common Tooling

Granting Access Before Modern Standards

• In the early 2000s, many new services were being built which exposed APIs allowing for data sharing between organizations, e.g. address books, bookkeeping data, calendar apps.

• This was a real thing:

A Better Approach – Centralized AuthNZ

(Figure: users Alice, Bob, Charles, Dan and Eve authenticate through identity providers (IdPs) to reach resource providers.)

• Improved User Experience
• Federated Authentication, Single credential set
• Single Identity / Account
• Centralized Control by the User
• Interoperability based on Open Standards
• Scrutinized Security
• Publicly Documented Functionality
• Availability of Common Tooling, APIs, SDKs
• Easier Engineering Onboarding

Standards of Digital Identity

(Layered figure: AWS Identity Standards: SigV4A, mTLS; Predicate Standards: HTTP, TLS; all resting on Strong Cryptography.)

AWS Identity
…and application identity


There are 3 types of identities and two realms

(Figure: three columns, Workforce Identity, Partner Identity and Consumer Identity, spanning two realms.)

Realm of AWS services:
• Access to AWS infrastructure and resources
• Access to Enterprise Applications
• Services: AWS Directory Service, AWS IAM Identity Center, AWS Identity and Access Management (IAM)

Realm of AWS-deployed customer applications:
• Access to AWS resources (potentially)
• Access to Business Applications
• Services: Amazon Cognito, Amazon Verified Permissions

CIAM
A love story…about customers


CIAM vs Workforce IAM

IN A NUTSHELL

(Comparison table: Customer IAM, AKA Consumer IAM, vs Workforce IAM.)

Source: https://www.ibm.com/in-en/products/verify-saas

CIAM vs Workforce IAM


GARTNER: FEATURES AND MESSAGING


Amazon Cognito
An Overview


Amazon Cognito: Flexible, fully managed application identity

• Flexible, scalable API and SDK support: Java, C++, iOS, Python, JavaScript, PHP, Android, Golang, .NET, Ruby
• Built-in UI for applications: iOS, Android, Web SPA
• Agile development and integrated customer analytics: Amazon Pinpoint, AWS Amplify Studio, AWS Amplify
• Secure and available: Adaptive AuthN, compromised password database, MFA, 99.9% SLA
• Extensible AuthN and AuthZ: AWS Lambda, AWS AppSync, Amazon Verified Permissions, Amazon API Gateway, AWS WAF
• Out-of-the-box support for open standards: SAML, OAuth 2.0, OIDC
• Out-of-the-box support for social federation: Google, Amazon, Facebook, Apple

Amazon Cognito: 1-step, AWSome access to everything

(Figure callouts: Sign up or sign in; SSO and Federation; CIAM hub in control; Machine-to-machine authentication.)

1. Sign up or sign in (Amazon Cognito: identity provider and user repository)
2. (Optionally) federate
3. External IdP token
4. Amazon Cognito tokens
5. Use tokens for AuthZ (Application Load Balancer, API Gateway, AWS AppSync) in front of APIs and microservices, and for other backends (AWS CloudFormation)
6. OAuth 2.0 client credentials
7. Get temporary credentials (Amazon Cognito credentials broker: identity pools)
8. Access AWS services using the SDK (AWS resources: Amazon SNS, Amazon DynamoDB, AWS Lambda, Amazon S3)

Amazon Cognito: Use cases

1. B2C customer identity and access management
2. B2B multi-tenant applications
3. Machine-to-machine access
4. AWS credentials broker

1. B2C customer identity and access

Company: NHS (National Health Service)
Country: UK
Industry: Healthcare
Website: digital.nhs.uk

The National Health Service (NHS) is the United Kingdom’s (UK) publicly funded healthcare system that everyone living in the UK can use, with no cost at the point of care. With AWS, NHS Digital launched NHS login, a serverless identity platform, to facilitate access to a range of healthcare apps for residents in England.

The NHS login provides patients with a straightforward, secure, and reusable way to access multiple digital health and care services.

Solution: The NHS used Amazon Cognito to quickly sign up and sign in end users and deployed:
• Health record linking and usage
• Integration of likeness and liveness checking against national databases
• Amazon Cognito’s advanced security features to provide risk-based and adaptive authentication

Statistic                          Dec. 2020     Dec. 2021
Registrations per day              20,000        350,000
Registered users                   3.5 million   38 million
Authentications per day            125,000       12 million
Authentications per second (total) 20            918

(Chart: total log-ins by year, 2018 to 2022.) COVID pushed load from 20M to 800M logins per year.

How Amazon Cognito supports your compliance mandates

2. B2B multi-tenant applications

Company: Trend Micro (Trend Micro Cloud One)
Country: USA
Industry: IT Security
Website: trendmicro.com

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. The Trend Micro Cloud One platform provides a secure platform for file storage, application security, containers, network and endpoints, workloads, and open source.

Solution: Trend Micro migrated to Amazon Cognito as a multi-tenant B2B IdP and access management solution. Every customer is enrolled as a separate tenant. Tenant info is gathered and policies applied during login.

(Architecture figure: Customer, Amazon Route 53, AWS WAF, Amazon API Gateway, AWS Lambda proxy function, Amazon Cognito with pre-sign-up, post-confirmation (sync user data), custom message and pre-token generation triggers, Amazon SES, and an Amazon DynamoDB global table; labelled "Enriched Flows / DDOS".)

Approaches to multi-tenancy in Amazon Cognito

Amazon Cognito user pool based:
• Attribute based: Expand the Amazon Cognito user pool with custom attributes; store tenant-related information in the user profile
• Group based: Create tenant-related groups in the Amazon Cognito user pool; manage tenant membership as other entitlements
• Application client based: Create one application client per tenant; use the client information as tenant context for operations

Silo:
• User pool based: Create a dedicated user pool for each tenant; enforce maximum isolation

More than Amazon Cognito (Hybrid):
• External database based: Externalize the tenant information; separate identity management from tenant management

Tenant isolation with Amazon Cognito

Separate user pool per tenant (Tenant 1 pool, Tenant 2 pool, each with custom policies)
• Pros: Separate policies; Better isolation
• Cons: Mapping required; Scale; Atypical OAuth flow

Shared user pool (Tenant 1 and Tenant 2 in one pool with shared policies)
• Pros: No mapping; Better OAuth flow; Scale (maybe)
• Cons: No custom policies; Isolation story
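In the shared-pool model, the "mapping" is usually done at sign-in by a pre token generation trigger, which is how the Trend Micro architecture applies tenant policies during login and how the attribute-based and group-based approaches above end up in the token. The following is an added example of such a trigger, not Trend Micro's or AWS's code; it assumes the tenant is stored in a custom:tenant_id attribute, that groups are named <tenant>-<role>, and uses the V1 trigger event shape, whose overrides land in the ID token.

```javascript
// Pure function so the logic can be tested without Lambda; handler() wraps it.
function buildTenantClaims(event) {
  const attrs = event.request.userAttributes || {};
  const tenant = attrs['custom:tenant_id'];            // assumed attribute name
  // Fail closed: a user without a valid tenant must not receive a token that a
  // backend might interpret as "global" access.
  if (!tenant || !/^[a-z0-9-]{1,32}$/.test(tenant)) {
    throw new Error(`user ${event.userName} has no valid tenant`);
  }
  const groupConfig = event.request.groupConfiguration || {};
  const groups = groupConfig.groupsToOverride || [];
  // Only groups of this tenant make it into the token; membership in another
  // tenant's group is a misconfiguration, not an entitlement.
  const tenantGroups = groups.filter((g) => g.startsWith(`${tenant}-`));
  const roles = tenantGroups.map((g) => g.slice(tenant.length + 1));
  return {
    claimsToAddOrOverride: {
      tenant_id: tenant,
      tenant_roles: roles.join(' '),                    // e.g. "admin reader"
    },
    groupOverrideDetails: {
      ...groupConfig,                                   // keep iamRolesToOverride etc. as Cognito sent them
      groupsToOverride: tenantGroups,
    },
  };
}

// Lambda entry point: Cognito invokes this with triggerSource TokenGeneration_*.
async function handler(event) {
  event.response.claimsOverrideDetails = buildTenantClaims(event);
  return event;
}
if (typeof module !== 'undefined') module.exports = { handler, buildTenantClaims };

// Constructed sample event in the shape of the V1 pre token generation trigger.
const SAMPLE_EVENT = {
  version: '1',
  triggerSource: 'TokenGeneration_Authentication',
  userName: 'alice',
  request: {
    userAttributes: { sub: 'constructed-sub', email: 'alice@example.com', 'custom:tenant_id': 'acme' },
    groupConfiguration: { groupsToOverride: ['acme-admin', 'acme-reader', 'globex-admin'], iamRolesToOverride: [] },
  },
  response: { claimsOverrideDetails: null },
};
```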

3. Machine-to-machine authentication

Company: UnitedHealth Group
Country: USA
Industry: Healthcare
Website: unitedhealthgroup.com

UnitedHealth Group (UHG) is a health and well-being company responsible for over 150 million people globally. UnitedHealth Group is a health services business serving the healthcare marketplace, including payers, care providers, employers, governments, life sciences companies, and consumers.

Solution: Amazon Cognito provides machine-to-machine authentication through the OAuth client credential (CC) flow within a single AWS Region. Regional credentials are stored in a cross-Region database, facilitating a global deployment with Regional partitioning.

(Architecture figure, Region 1 and Region 2 with cross-Region replication: 1. the client application gets Regional credentials from Amazon DynamoDB; 2. it gets a Regional access token from Amazon Cognito using OAuth client credentials; 3. it gets the resource with the access token via Amazon Route 53 and Amazon API Gateway; 4. AWS Lambda authorization performs token validation before the application serves the request.)

4. Cognito credential broker (access to Amazon resources)

Company: College Board
Country: USA
Industry: Education
Website: collegeboard.org

Founded in 1899, College Board is a nonprofit focused on expanding access to higher education. By creating the advanced placement (AP) program and the SAT, College Board raised the bar on college readiness and continues to play a role in the college admissions process.

Solution: The Amazon Cognito credential broker (Amazon Cognito identity pool) provided temporary access tokens to internal services based on a user’s role. When a student logs into the service and attempts to access protected files on an Amazon S3 bucket or on DynamoDB, Amazon Cognito issues temporary credentials to provide access.

(Architecture figure: 1. the user (student or professional) gets Regional credentials through Amazon API Gateway and an AWS Lambda user credential broker, which assumes a role via the Amazon Cognito identity pool; 2. the user gets the resource from Amazon S3 or Amazon DynamoDB with those user credentials.)

User Pools
More than a cloud directory


Managed user directory

Serverless directory
• Nothing to manage
• API driven
• Multi-AZ redundancy

User and group storage
• Profile information (name, email, and more)
• Credential and device information (SRP verifier, MFA, and more)
• Extensible with custom attributes

Comprehensive user flows

• User sign-up and sign-in: Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
• User profile data: Allow users to view and update their profile data, including custom attributes.
• Forgotten password: Provide users the ability to change their password when they forget it with a one-time password challenge.
• Token-based authentication: Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend.
• Email or phone number verification: Require users to verify their email address or phone number prior to activating their account with a one-time password challenge.
• SMS multifactor authentication: Require users to complete a second factor of authentication by inputting a security code received by SMS as part of the sign-in flow.

Additional notable features

• MFA options: SMS and time-based one-time password (TOTP)
• Advanced security features: Compromised credentials, adaptive authentication, security reporting
• Migration options: Batch and just-in-time

Importing existing users

Batch imports
• Import users by uploading .csv files
• Users create a new password when they first sign in

One-at-a-time migration
• AWS Lambda trigger integrates migration into the sign-in workflow and retains existing passwords

(Figure: a sign-in form with Username, Password and Submit, checked against the prior IdP.)

AWS Amplify: Straightforward, secure, scalable authentication

Drop-in UI Components
• Built-in UI for sign-up, sign-out, and other common authentication workflows
• Styled experience out of the box
• Flexible and customizable
• Multi-factor authentication

Libraries
• Out-of-the-box social login functionality: Facebook, Google, or Amazon
• Automatic integration with existing Amazon Cognito resources
• Custom authentication flow: Captcha

Build with NEW AWS Amplify Studio

CREATE A FRONTEND UI VISUALLY

• Saves time
• Minimizes coding
• Fully customizable

Improves designer and developer collaboration (Figma). Pixel-perfect designs with less coding.

• Choose from dozens of UI components
• Import UI designs from Figma as clean React code
• Maintain full control over code

Amazon Pinpoint and Amazon Cognito integration

• Enriches user data for Amazon Pinpoint campaigns
• Provides analytics for Amazon Cognito user pool activities

Demo


Audience Poll!
Vote for the next AWS Security
service you’d like to dive deep on!


Call to Action / Additional Resources

• AWS Masterclass: Build a CIAM Solution in Under One Hour for your Customer-Facing Applications
• AWS Masterclass: Managing Customer Identity at Scale: Strategies and Lessons from NHS Login

Help Us Improve Our Sessions & Delivery!

Feedback helps us plan upcoming PartnerCast sessions, modify content & become better presenters.

Scan QR code to leave feedback now:

You will also be automatically re-directed at the end of the webinar to the feedback survey!

“Ask us anything” – Live Q&A


Thank you!

https://aws.amazon.com/partners/training/partnercast/
