PartnerCast Security Series - Amazon Cognito (1)
Security Series
Amazon Cognito
Wed May 22
Identity Standards
Exit Survey
© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark. 2
SECURITY SERIES - AMAZON COGNITO
Identity Standards
(Figure: timeline of identity, from the client-terminal server (PC) and browser/website era through federation portals to OAuth / OIDC, with marks at 2007 and 2014.)
(Figure: users Alice, Charles and Dan)
Without standards:
• Poor user experience
• No standardized interoperability
• Security through obscurity
• Lack of common tooling
• In the early 2000s, many new services were being built that exposed APIs for sharing data between organizations, e.g. address books, bookkeeping data, calendar apps.
(Figure: users Charles, Dan and Eve sign in through an IdP to reach resource providers)
With standards and an IdP:
• Centralized control by the user
• Interoperability based on open standards
• Scrutinized security
• Publicly documented functionality
• Availability of common tooling, APIs, SDKs
• Easier engineering onboarding
(Figure: predicate standards the identity standards are built on: HTTP, TLS, strong cryptography.)
AWS Identity
…and application identity
AWS identity services: AWS Directory Service, AWS IAM Identity Center, AWS Identity and Access Management (IAM), Amazon Cognito, Amazon Verified Permissions

CIAM
A love story…about customers
Source: https://www.ibm.com/in-en/products/verify-saas
AKA: Consumer IAM
Amazon Cognito
An Overview
Extensible AuthN and AuthZ: AWS Lambda, AWS AppSync, Amazon Verified Permissions, Amazon API Gateway, AWS WAF
Out-of-the-box support for open standards: SAML, OAuth 2.0, OIDC
Out-of-the-box support for social federation: Google, Amazon, Facebook, Apple
(Figure: identity pools as credentials broker. The application backend, an OAuth 2.0 client, asks Amazon Cognito identity pools for temporary credentials (6) and receives them (7), then accesses AWS services using the SDK (8): AWS resources such as Amazon SNS, Amazon DynamoDB, AWS Lambda and Amazon S3. AWS CloudFormation is also labelled in the diagram.)
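The credentials-broker exchange in the figure above, as an added example (not code from the deck or from AWS): the app presents a user pool ID token under the Logins key cognito-idp.<region>.amazonaws.com/<userPoolId>, the identity pool maps it to an identity and returns short-lived credentials for the role its role mapping selects. The region, pool IDs and token value are placeholders, and the FakeCognitoIdentity class stands in for boto3.client('cognito-identity') so the example runs offline; with boto3 installed you would pass the real client to the same functions.

```python
"""Exchange a user pool ID token for temporary AWS credentials through an identity pool
(the enhanced flow: GetId, then GetCredentialsForIdentity). The Cognito Identity client is
injected so the exchange can be exercised offline with the fake at the bottom."""
from datetime import datetime, timedelta, timezone


def user_pool_login_key(region, user_pool_id):
    """Logins-map key for a user pool token: cognito-idp.<region>.amazonaws.com/<userPoolId>."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def get_temporary_credentials(client, identity_pool_id, logins):
    """Return the Credentials map (AccessKeyId, SecretKey, SessionToken, Expiration)
    for the identity that the Logins map proves."""
    if not logins:
        # An empty Logins map asks for *guest* credentials. That only works when the pool
        # enables unauthenticated identities, and a backend should never rely on it.
        raise ValueError("refusing to request unauthenticated (guest) credentials")
    identity_id = client.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    resp = client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    creds = resp["Credentials"]
    if creds["Expiration"] <= datetime.now(timezone.utc):
        raise RuntimeError("broker returned already-expired credentials")
    return creds


def session_kwargs(creds):
    """Keyword arguments for boto3.Session(...) so later SDK calls run under the role
    the identity pool selected for this identity."""
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretKey"],
            "aws_session_token": creds["SessionToken"]}


class FakeCognitoIdentity:
    """Stand-in for boto3.client('cognito-identity'): records calls, returns constructed data."""
    def __init__(self):
        self.calls = []

    def get_id(self, **kw):
        self.calls.append(("GetId", kw))
        if not kw.get("Logins"):  # what a pool without unauthenticated identities would do
            raise PermissionError("NotAuthorizedException: unauthenticated access is not supported")
        return {"IdentityId": "eu-west-2:0f5e3a10-1111-2222-3333-444455556666"}

    def get_credentials_for_identity(self, **kw):
        self.calls.append(("GetCredentialsForIdentity", kw))
        return {"IdentityId": kw["IdentityId"],
                "Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretKey": "examplesecret",
                                "SessionToken": "exampletoken",
                                "Expiration": datetime.now(timezone.utc) + timedelta(hours=1)}}


def demo(client=None):
    """End-to-end exchange with constructed identifiers; returns (credentials, recorded calls)."""
    client = client or FakeCognitoIdentity()
    # Placeholder IDs and token; a real caller passes the ID token from the user pool sign-in.
    logins = {user_pool_login_key("eu-west-2", "eu-west-2_EXAMPLE"): "<id-token-from-user-pool>"}
    creds = get_temporary_credentials(client, "eu-west-2:11111111-2222-3333-4444-555555555555", logins)
    return creds, client.calls
```

The refusal of an empty Logins map is deliberate: an identity pool with unauthenticated identities enabled hands guest credentials to anyone who asks, so keep that setting off unless the app needs it, and keep the unauthenticated role's policy minimal when it is on.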
The National Health Service (NHS) is the United Kingdom's (UK) publicly funded healthcare system that everyone living in the UK can use, with no cost at the point of care. With AWS, NHS Digital launched NHS login, a serverless identity platform, to facilitate access to a range of healthcare apps for residents in England.

The NHS login provides patients with a straightforward, secure, and reusable way to access multiple digital health and care services.

Solution: The NHS used Amazon Cognito to quickly sign up and sign in end users and deployed:
• Health record linking and usage
• Integration of likeness and liveness checking against

Statistic | Dec. 2020 | Dec. 2021
Registrations per day | 20,000 | 350,000

(Chart: total log-ins by year; only the axis ticks 600,000,000 and 800,000,000 survive.)
Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. The Trend Micro Cloud One platform provides a secure platform for file storage, application security, containers, network and endpoints, workloads, and open source.

Solution: Trend Micro migrated to Amazon Cognito as a multi-tenant B2B IdP and access management solution. Every customer is enrolled as a separate tenant. Tenant info is gathered and policies applied during login.

(Figure: Trend Micro Cloud One sign-in path: Customer → Amazon Route 53 → AWS WAF → Amazon API Gateway → AWS Lambda proxy function → Amazon Cognito. Cognito's Lambda triggers (pre-sign-up, post-confirmation, custom message, pre-token generation) sync user data to an Amazon DynamoDB global table; Amazon SES also appears in the diagram.)
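A pre-token generation trigger of the kind the Trend Micro diagram above relies on, as an added example (not Trend Micro's or AWS's code): it looks the user's tenant up, stamps tenant claims onto the ID token, and fails sign-in when the tenant is not active, which is one way to "apply policies during login". The custom:tenant attribute, the TENANTS table (standing in for the DynamoDB global table) and the tenant values are constructed for the example. It uses the version-1 trigger event, whose claim overrides apply to the ID token; customizing access tokens needs the version-2 event.

```python
"""Pre token generation Lambda trigger (version-1 event): looks the signing-in user's tenant
up, adds tenant claims to the ID token and fails sign-in when the tenant is not active.
The tenant table and attribute name are constructed for this example."""

# Constructed stand-in for the tenant table (a DynamoDB global table in the diagram).
TENANTS = {
    "acme": {"tenant_id": "t-1001", "plan": "enterprise", "status": "active"},
    "globex": {"tenant_id": "t-1002", "plan": "trial", "status": "suspended"},
}
TENANT_ATTR = "custom:tenant"  # hypothetical custom user attribute set at sign-up


class TenantDenied(Exception):
    """Raising out of the trigger makes Cognito fail the sign-in and return the message."""


def resolve_tenant(attributes):
    """Return the tenant record a user may sign in under, or raise TenantDenied."""
    key = attributes.get(TENANT_ATTR)
    if not key:
        raise TenantDenied("user is not assigned to a tenant")
    tenant = TENANTS.get(key)
    if tenant is None:
        raise TenantDenied("unknown tenant")
    if tenant["status"] != "active":
        raise TenantDenied("tenant is not active")  # generic on purpose: the text reaches the client
    return tenant


def handler(event, context=None):
    """Cognito PreTokenGeneration entry point; returns the event with claimsOverrideDetails set."""
    tenant = resolve_tenant(event["request"].get("userAttributes", {}))
    event["response"]["claimsOverrideDetails"] = {
        # The backend keys every query on tenant_id from the token, never on user input.
        "claimsToAddOrOverride": {"tenant_id": tenant["tenant_id"], "plan": tenant["plan"]},
        # Don't ship the raw lookup key to browsers; tenant_id is what the backend needs.
        "claimsToSuppress": [TENANT_ATTR],
    }
    return event


def sample_event(username, attributes):
    """Constructed event shaped like the version-1 PreTokenGeneration payload."""
    return {
        "version": "1",
        "triggerSource": "TokenGeneration_Authentication",
        "userName": username,
        "request": {"userAttributes": attributes, "groupConfiguration": {}},
        "response": {"claimsOverrideDetails": None},
    }


def decide(username, attributes):
    """Run the trigger and report ('allow', claims) or ('deny', reason); handy for tests and logs."""
    try:
        out = handler(sample_event(username, attributes))
    except TenantDenied as exc:
        return "deny", str(exc)
    return "allow", out["response"]["claimsOverrideDetails"]["claimsToAddOrOverride"]
```

Cognito passes the trigger's exception message back to the caller, so deny reasons are kept generic; the detail belongs in the function's own logs.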
3. Machine-to-machine authentication

Company: UnitedHealth Group | Country: USA | Industry: Healthcare | Website: unitedhealthgroup.com

UnitedHealth Group (UHG) is a health and well-being company responsible for over 150 million people globally. UnitedHealth Group is a health services business serving the healthcare marketplace, including payers, care providers, employers, governments, life sciences companies, and consumers.

Solution: Amazon Cognito provides machine-to-machine authentication through the OAuth client credential (CC) flow within a single AWS Region. Regional credentials are stored in a cross-Region database, facilitating a global deployment with Regional partitioning.

(Figure, Region 1: client application, Amazon Route 53, Amazon API Gateway, AWS Lambda authorization (token validation), Amazon Cognito. Steps captured: (1) get Regional credentials through an AWS Lambda user credential broker and an Amazon Cognito identity pool, assuming the "student" or "professional" role; (2) get a Regional access token with OAuth client credentials; (4) token validation.)
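The client-credentials request from step (2) above, as an added example (not UHG's or AWS's code): the app client id and secret go in an HTTP Basic header, grant_type=client_credentials and the resource-server scopes go in the form body of a POST to https://<domain>/oauth2/token, and the response carries only an access token (this grant issues no ID token and no refresh token). The domain auth.example.com, the client id and secret, the scopes api/read and api/write and the fake transport are placeholders; TokenCache reuses the token until shortly before expires_in elapses instead of calling the endpoint on every request.

```python
"""OAuth 2.0 client_credentials grant against a Cognito user pool token endpoint, with the
HTTP transport injectable so the request can be inspected and the flow exercised offline."""
import base64
import json
import time
import urllib.parse
import urllib.request


def build_client_credentials_request(domain, client_id, client_secret, scopes):
    """POST https://<domain>/oauth2/token: client auth in a Basic header, grant and
    resource-server scopes ('<resource-server-identifier>/<scope>') in the form body."""
    if not scopes:
        raise ValueError("client_credentials needs at least one resource-server scope")
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"https://{domain}/oauth2/token", data=body, method="POST",
        headers={"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw):
    """Cognito answers {"access_token", "expires_in", "token_type": "Bearer"}."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token endpoint error: {data['error']}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type")
    return {"access_token": data["access_token"], "expires_in": int(data["expires_in"])}


def fetch_access_token(domain, client_id, client_secret, scopes, opener=urllib.request.urlopen):
    req = build_client_credentials_request(domain, client_id, client_secret, scopes)
    with opener(req) as resp:
        return parse_token_response(resp.read())


class TokenCache:
    """Reuse one access token until shortly before it expires instead of calling the
    endpoint per request; `skew` seconds of margin avoid racing the expiry."""
    def __init__(self, fetch, clock=time.time, skew=60):
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            tok = self._fetch()
            self._token, self._expires_at = tok["access_token"], self._clock() + tok["expires_in"]
        return self._token


class FakeResponse:
    """Minimal stand-in for the urlopen response object."""
    def __init__(self, body):
        self.body = body

    def read(self):
        return self.body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_token_endpoint(req):
    """Constructed transport: checks the request shape, returns a canned token response."""
    if req.get_method() != "POST" or not req.get_header("Authorization", "").startswith("Basic "):
        return FakeResponse(b'{"error":"invalid_client"}')
    if b"grant_type=client_credentials" not in req.data:
        return FakeResponse(b'{"error":"unsupported_grant_type"}')
    return FakeResponse(b'{"access_token":"eyJraWQiOiJleGFtcGxlIn0.e30.sig","expires_in":3600,"token_type":"Bearer"}')
```

The secret is a long-lived credential for the app client, so it belongs in a secrets store, not in the client's source or environment dump; the access token it buys is what the Lambda authorizer in step (4) validates.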
SECURITY SERIES - AMAZON COGNITO
User Pools
More than a cloud directory
Serverless directory
• Nothing to manage
• API driven
• Multi-AZ redundancy
User pool features:
• Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
• Allow users to view and update their profile data, including custom attributes.
• Provide users the ability to change their password when they forget it with a one-time password challenge.
• Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend.
• Require users to verify their email address or phone number prior to activating their account with a one-time password challenge.
• Require users to complete a second factor of authentication by inputting a security code received by SMS as part of the sign-in flow (user pools also support TOTP authenticator apps, which hold up better than SMS codes against SIM swapping and message interception).
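The backend-side check for the JWTs listed above, and the "token validation" step in the UHG architecture earlier, as an added example (not code from the deck or from AWS): fetch the pool's JWKS from https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json, pick the key by kid, verify the RS256 signature, then check iss, token_use, the audience (aud on ID tokens, client_id on access tokens) and exp. RS256 is implemented in pure Python here, and the key, kid, pool id, app client id and claims are constructed, so the example runs offline; a real authorizer would use a maintained JWT library and cache the JWKS.

```python
"""Validate a Cognito-issued JWT (ID or access token) against the user pool's JWKS.
RS256 is done in pure Python so this runs offline; keys and tokens are constructed here."""
import base64, hashlib, json, random, time

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _probable_prime(n, rng, rounds=16):  # Miller-Rabin, demo-grade
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c, rng):
            return c

def make_rsa_key(bits=512, seed=1):
    """Deterministic demo key (n, e, d). Cognito's real keys are 2048-bit and d never leaves AWS."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def _pkcs1_v15_encode(msg, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _pkcs1_v15_encode(msg, k)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwks_for(kid, n, e):
    """Same shape as https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json."""
    enc = lambda x: b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": enc(n), "e": enc(e)}]}

def issue_token(claims, kid, n, d):
    """Demo signer standing in for the user pool."""
    h, p = b64url(json.dumps({"alg": "RS256", "kid": kid}).encode()), b64url(json.dumps(claims).encode())
    return f"{h}.{p}." + b64url(rs256_sign(f"{h}.{p}".encode(), n, d))

def verify_cognito_jwt(token, jwks, region, user_pool_id, client_id, token_use, now=None):
    """Return the claims of a valid Cognito <token_use> token for this pool and app client; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64)), b64url_decode(s64)
    except ValueError as exc:
        raise ValueError(f"malformed token: {exc}")
    if header.get("alg") != "RS256":  # never let the token choose the algorithm ("none", HS256, ...)
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:  # production: refresh the cached JWKS once (key rotation), then reject
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h64}.{p64}".encode(), sig, n, e):
        raise ValueError("bad signature")
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise ValueError("wrong issuer")
    if claims.get("token_use") != token_use:
        raise ValueError("wrong token_use")
    # ID tokens carry the app client id in `aud`; access tokens carry it in `client_id`.
    if claims.get("aud" if token_use == "id" else "client_id") != client_id:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def rejection_reason(*args, **kwargs):
    """None if the token validates, else the reason (for authorizer logs and tests)."""
    try:
        verify_cognito_jwt(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None
```

The order of checks matters less than their completeness: a token with a valid signature from the right pool is still wrong if it is an ID token presented where an access token is expected, or if it was minted for a different app client.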
(Figure: sign-in form mock-up, labelled "Prior IdP", with Username and Password fields and a Submit button.)
Libraries
• Out-of-the-box social login functionality: Facebook, Google, or Amazon
• Automatic integration with existing Amazon Cognito resources
• Custom authentication flow: Captcha

Integration
• Saves time
• Minimizes coding
• Fully customizable
Demo

Audience Poll! Vote for the next AWS Security service you'd like to dive deep on!

You will also be automatically redirected at the end of the webinar to the feedback survey!

Thank you!
https://aws.amazon.com/partners/training/partnercast/