AWS Cloud Developer Associate Certification

Cognito: Cognito User Pools, Cognito Identity Pools, Cognito Sync


Cognito User Pools

  1. We want to give our users an identity so that they can interact with our application.
  2. Cognito UserPool
    1. Sign in functionality for app users
    2. Integrate with API Gateway & Application Load Balancer
  3. Cognito Identity Pools (Federated Identity):
    1. Provide AWS credentials to users so they can access AWS resources directly
    2. Integrate with Cognito User Pools as an identity provider
  4. Cognito Sync:
    1. Synchronize data from device to Cognito
    2. Is deprecated and replaced by AppSync
  5. Cognito vs IAM: “hundreds of users”, ”mobile users”, “authenticate with SAML”

Cognito User Pools (CUP) – User Features

  1. Create a serverless database of users for your web & mobile apps
  2. Simple login: Username (or email) / password combination
  3. Password reset
  4. Email & Phone Number Verification
  5. Multi-factor authentication (MFA)
  6. Federated Identities: users from Facebook, Google, SAML
  7. Feature: block users if their credentials are compromised elsewhere
  8. Login sends back a JSON Web Token (JWT)

Cognito User Pools (CUP) – Integrations

  1. CUP integrates with API Gateway and Application Load Balancer

Cognito User Pools – Lambda Triggers

  1. CUP can invoke a Lambda function synchronously on these triggers
  2. Authentication Events
    1. Pre Authentication Lambda Trigger – Custom validation to accept or deny the sign-in request
    2. Post Authentication Lambda Trigger – Event logging for custom analytics
    3. Pre Token Generation Lambda Trigger – Augment or suppress token claims
  3. Sign-Up
    1. Pre Sign-up Lambda Trigger – Custom validation to accept or deny the sign-up request
    2. Post Confirmation Lambda Trigger – Custom welcome messages or event logging for custom analytics
    3. Migrate User Lambda Trigger – Migrate a user from an existing user directory to user pools
  4. Messages
    1. Custom Message Lambda Trigger – Advanced customization and localization of messages
  5. Token Creation
    1. Pre Token Generation Lambda Trigger – Add or remove attributes in ID tokens
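Two of the triggers above, written as Lambda handlers against a constructed event (added illustration, not code from the course): a Pre Sign-up trigger that accepts or denies the request, and a Pre Token Generation trigger that augments and suppresses claims. The event/response field names follow the Cognito trigger contract; ALLOWED_DOMAIN and the custom:tenant attribute are assumptions.

```python
"""Cognito User Pool Lambda triggers: Pre Sign-up and Pre Token Generation.

Constructed example. ALLOWED_DOMAIN and the custom:tenant attribute are
assumptions for the illustration; response fields follow the trigger contract.
"""

ALLOWED_DOMAIN = "example.com"  # assumption: only this domain may sign up


def pre_sign_up(event, context=None):
    """Custom validation: deny sign-ups outside the allowed domain, auto-confirm the rest."""
    email = event["request"]["userAttributes"].get("email", "")
    if not email.lower().endswith("@" + ALLOWED_DOMAIN):
        # Raising an error makes Cognito reject the sign-up and return the message
        raise Exception("Sign-up is restricted to " + ALLOWED_DOMAIN + " addresses")
    event["response"]["autoConfirmUser"] = True
    event["response"]["autoVerifyEmail"] = True
    return event


def pre_token_generation(event, context=None):
    """Augment the ID token with a tenant claim and suppress the phone number claim."""
    attrs = event["request"]["userAttributes"]
    tenant = attrs.get("custom:tenant", "default")
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": {"tenant": tenant},
        "claimsToSuppress": ["phone_number"],
    }
    return event


def make_event(trigger_source, user_attributes):
    """Constructed skeleton of the event Cognito passes to a trigger (sample data only)."""
    return {
        "triggerSource": trigger_source,
        "request": {"userAttributes": dict(user_attributes)},
        "response": {},
    }


if __name__ == "__main__":
    ok = pre_sign_up(make_event("PreSignUp_SignUp", {"email": "alice@example.com"}))
    print("auto-confirmed:", ok["response"]["autoConfirmUser"])
    tok = pre_token_generation(make_event("TokenGeneration_Authentication",
                                          {"custom:tenant": "acme", "phone_number": "+10000000000"}))
    print("claims override:", tok["response"]["claimsOverrideDetails"])
```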

Cognito User Pools – Hosted Authentication UI

  1. Cognito has a hosted authentication UI that you can add to your app to handle signup and sign-in workflows
  2. Using the hosted UI, you have a foundation for integration with social logins, OIDC or SAML
  3. Can customize with a custom logo and custom CSS

Cognito Identity Pools

  1. Get identities for “users” so they obtain temporary AWS credentials
  2. Your identity pool (i.e. the identity source) can include:
    1. Public Providers (Login with Amazon, Facebook, Google, Apple)
    2. Users in an Amazon Cognito user pool
    3. OpenID Connect Providers & SAML Identity Providers
    4. Developer Authenticated Identities (custom login server)
    5. Cognito Identity Pools allow for unauthenticated (guest) access
  3. Users can then access AWS services directly or through API Gateway
    1. The IAM policies applied to the credentials are defined in Cognito
    2. They can be customized based on the user_id for fine grained control

Cognito Identity Pools – Diagram with CUP

Cognito Identity Pools – IAM Roles

  1. Default IAM roles for authenticated and guest users
  2. Define rules to choose the role for each user based on the user’s ID
  3. You can partition your users’ access using policy variables
  4. IAM credentials are obtained by Cognito Identity Pools through STS
  5. The roles must have a “trust” policy of Cognito Identity Pools

Cognito Identity Pools – Guest User example

Cognito Identity Pools – Policy variable on S3

Cognito Identity Pools – DynamoDB
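The trust policy and the policy-variable partitioning from the IAM Roles list, built as policy documents with a small offline matcher (added illustration, not the course's own material). The identity pool id, bucket and table ARN are placeholders; check_s3_access only substitutes the variable and glob-matches the S3 resource, it is not an IAM simulator.

```python
"""Cognito Identity Pools: role trust policy and per-user partitioning with policy variables.

Constructed example. IDENTITY_POOL_ID, bucket and table names are placeholders;
check_s3_access approximates the S3 statement offline and is not a full IAM evaluator.
"""
import fnmatch

IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"  # resolves to the caller's identity id


def trust_policy(authenticated=True):
    """Trust policy restricting the role to identities from this pool (authenticated or guest)."""
    amr = "authenticated" if authenticated else "unauthenticated"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
        },
    }]}


def per_user_policy(bucket, table_arn):
    """Permissions policy: each identity may only touch its own S3 prefix and DynamoDB items."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::%s/%s/*" % (bucket, SUB_VAR)},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
         "Resource": table_arn,
         # Partition key of every accessed item must equal the caller's identity id
         "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [SUB_VAR]}}},
    ]}


def check_s3_access(policy, identity_id, object_arn):
    """Offline approximation: substitute the policy variable, then glob-match the resource."""
    for stmt in policy["Statement"]:
        if not stmt["Action"][0].startswith("s3:"):
            continue
        resource = stmt["Resource"].replace(SUB_VAR, identity_id)
        if fnmatch.fnmatchcase(object_arn, resource):
            return True
    return False
```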

Cognito User Pools vs Cognito Identity Pools

  1. Cognito User Pools
    1. Database of users for your web and mobile application
    2. Allows you to federate logins through Public Social, OIDC, SAML
    3. Can customize the hosted UI for authentication (including the logo)
    4. Has triggers with AWS Lambda during the authentication flow
  2. Cognito Identity Pools
    1. Obtain AWS credentials for your users
    2. Users can login through Public Social, OIDC, SAML & Cognito User Pools
    3. Users can be unauthenticated (guests)
    4. Users are mapped to IAM roles & policies, can leverage policy variables
  3. CUP + CIP = manage user / password + access AWS services

Cognito Sync

  1. Deprecated – use AWS AppSync now
  2. Store preferences, configuration, state of app
  3. Cross device synchronization (any platform – iOS, Android, etc…)
  4. Offline capability (synchronization when back online)
  5. Store data in datasets (up to 1MB), up to 20 datasets to synchronize
  6. Push Sync: silently notify across all devices when identity data changes
  7. Cognito Stream: stream data from Cognito into Kinesis
  8. Cognito Events: execute Lambda functions in response to events

Published by

sevanand yadav

software engineer working as web developer having specialization in spring MVC with mysql,hibernate
