Federation
- SAML2.0 Federation
- Set up trust between IAM and a SAML 2.0 provider (e.g. ADFS)
- Custom
- Authenticate through a custom identity provider
- The custom identity provider will use AssumeRole or GetFederationToken to get a token
- The token is passed to the client for use
- Web Identity Federation
- Authenticate through a public identity provider (e.g. Facebook, Google)
- The client will receive a JWT which will be exchanged for an STS token through the API AssumeRoleWithWebIdentity
- Using AWS Cognito
- Authenticate through a public identity provider, a Cognito User Pool, SAML, or OpenID Connect (OIDC)
- The client receives a token and asks Cognito Federated Identity to exchange it for an STS token.
- Behind the scenes, Cognito Federated Identity verifies the token with the IDP. If it is valid, it calls STS to generate an STS token.
- Cognito User Pool – a user directory. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.
- Cognito Identity Pool – used to obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB. Identity pools support anonymous guest users, as well as the following identity providers that you can use to authenticate users for identity pools:
Microsoft AD
- Managed AD
- AD in AWS and managed by AWS
- AD Connector
- A proxy service.
- Directs traffic from AWS to the on-premises AD
- Simple AD
- An AWS service that supports the AD protocol. Powered by a Samba 4 Active Directory Compatible Server
- Provides a subset of the capabilities offered by Microsoft Active Directory
- Cannot join an on-premises AD.
Organizational Unit (OU)
- The Management Account (formerly Master Account; the account at the root of the organization) is not restricted by SCPs
Resource Access Manager
- Securely share your resources across AWS accounts, within your organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM users for supported resource types. You can use AWS RAM to share transit gateways, subnets, AWS License Manager license configurations, Amazon Route 53 Resolver rules, and more resource types.
Cognito
- Cognito User Pools(CUP)
- Primarily for authentication (AuthN); acts as an IDP
- User directory or database of users.
- Provide the following services:
- sign-up and sign-in
- customizable login
- social login and federation with other IDPs (SAML or OIDC)
- MFA
- trigger Lambda functions according to certain events (e.g. pre-authentication, post authentication)
- Hosted Authentication UI
- Can customize logo and CSS
- Native integration with API Gateway and ALB
- Returns a JWT to the client
- Authentication Flow:
- The client authenticates through CUP.
- CUP returns a JWT.
- The client sends the JWT to the service provider.
- The service provider validates the JWT with CUP
- Lambda Triggers:
- Invokes a Lambda function during user pool operations such as user sign-up, confirmation, and sign-in (authentication)
- AWS Services with CUP integration:
- API Gateway
- ALB
| User Pool Flow | Operation | Description |
|---|---|---|
| Custom Authentication Flow | Define Auth Challenge | Determines the next challenge in a custom auth flow |
| | Create Auth Challenge | Creates a challenge in a custom auth flow |
| | Verify Auth Challenge Response | Determines if a response is correct in a custom auth flow |
| Authentication Events | Pre authentication Lambda trigger | Custom validation to accept or deny the sign-in request |
| | Post authentication Lambda trigger | Logs events for custom analytics |
| | Pre token generation Lambda trigger | Augments or suppresses token claims |
| Sign-Up | Pre sign-up Lambda trigger | Performs custom validation that accepts or denies the sign-up request |
| | Post confirmation Lambda trigger | Adds custom welcome messages or event logging for custom analytics |
| | Migrate user Lambda trigger | Migrates a user from an existing user directory to user pools |
| Messages | Custom message Lambda trigger | Performs advanced customization and localization of messages |
| Token Creation | Pre token generation Lambda trigger | Adds or removes attributes in Id tokens |
| Email and SMS third-party providers | Custom sender Lambda triggers | Uses a third-party provider to |
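As an added example (not part of these notes), the three Custom Authentication Flow triggers from the table above, written as Python Lambda handlers for an emailed one-time code, plus a small driver that replays Cognito's Define / Create / Verify loop so the handlers can be exercised locally. The `event["request"]` / `event["response"]` keys follow the documented Cognito trigger contract; the code-delivery hook (`send_code`), the attempt limit and the sample user address are assumptions.

```python
"""Custom auth flow for a Cognito User Pool as three Lambda trigger handlers.
Added illustration, not code from the original notes. Field names follow the
Cognito trigger contract; the OTP delivery hook and attempt limit are assumed."""
import hmac
import secrets

MAX_ATTEMPTS = 3   # assumption: fail the sign-in after three wrong answers
CODE_LENGTH = 6
CHALLENGE = "CUSTOM_CHALLENGE"


def define_auth_challenge(event):
    """Decides the next step from the session history Cognito passes in."""
    request, response = event["request"], event["response"]
    session = request.get("session", [])
    failed = [s for s in session if not s.get("challengeResult")]
    last = session[-1] if session else None

    if request.get("userNotFound"):
        # Unknown user: same outcome as a wrong answer. (A stricter design would
        # still issue a dummy challenge so timing does not reveal existence.)
        response["issueTokens"], response["failAuthentication"] = False, True
    elif last and last.get("challengeName") == CHALLENGE and last.get("challengeResult"):
        response["issueTokens"], response["failAuthentication"] = True, False
    elif len(failed) >= MAX_ATTEMPTS:
        response["issueTokens"], response["failAuthentication"] = False, True
    else:
        response["issueTokens"], response["failAuthentication"] = False, False
        response["challengeName"] = CHALLENGE
    return event


def create_auth_challenge(event, send_code=lambda email, code: None):
    """Generates the one-time code. The expected answer is placed only in
    privateChallengeParameters, which Cognito never returns to the client."""
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    email = event["request"].get("userAttributes", {}).get("email", "")
    send_code(email, code)  # assumed out-of-band delivery hook (e.g. SES in a real deployment)
    event["response"]["publicChallengeParameters"] = {"hint": "Enter the code we emailed you"}
    event["response"]["privateChallengeParameters"] = {"answer": code}
    event["response"]["challengeMetadata"] = "EMAIL_OTP"
    return event


def verify_auth_challenge_response(event):
    """Constant-time comparison of the client's answer with the private parameter."""
    expected = event["request"].get("privateChallengeParameters", {}).get("answer", "")
    given = str(event["request"].get("challengeAnswer", ""))
    event["response"]["answerCorrect"] = hmac.compare_digest(expected.encode(), given.encode())
    return event


def simulate_flow(answer_for):
    """Constructed stand-in for Cognito's loop: Define -> Create -> Verify, with
    the accumulated session handed back each round. answer_for(code) returns
    what the client would submit. Returns 'tokens' or 'failed'."""
    session, captured = [], {}
    user = {"email": "user@example.invalid"}  # constructed sample user

    def capture(_email, code):
        captured["code"] = code

    while True:
        step = define_auth_challenge(
            {"request": {"session": list(session), "userNotFound": False}, "response": {}})
        if step["response"]["issueTokens"]:
            return "tokens"
        if step["response"]["failAuthentication"]:
            return "failed"
        created = create_auth_challenge(
            {"request": {"userAttributes": user, "session": list(session),
                         "challengeName": CHALLENGE}, "response": {}}, capture)
        private = created["response"]["privateChallengeParameters"]
        verified = verify_auth_challenge_response(
            {"request": {"privateChallengeParameters": private,
                         "challengeAnswer": answer_for(captured["code"])}, "response": {}})
        session.append({"challengeName": CHALLENGE,
                        "challengeResult": verified["response"]["answerCorrect"],
                        "challengeMetadata": "EMAIL_OTP"})


if __name__ == "__main__":
    print("right code:", simulate_flow(lambda code: code))
    print("wrong code:", simulate_flow(lambda code: "wrong"))
```

Three things worth noticing: the expected answer lives only in `privateChallengeParameters` (Cognito returns just the public parameters to the client), the comparison uses `hmac.compare_digest`, and the attempt cap is enforced in Define Auth Challenge from the session history, which is the only place the whole exchange is visible.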
- Cognito Identity Pool (CIP)
- Primarily for authorization (AuthZ) for AWS services (or an authorization server for AWS)
- Ideal if you don’t want to use IAM for authorizing user access to AWS (e.g. too many users to manage as IAM users)
- Can take advantage of social login (e.g. Facebook, Google, etc)
- Use STS to obtain temporary credentials
- Two types of users. Each has its own IAM role assigned
- Authenticated
- Guest
- Use ‘policy variables’ for fine-grained control of the roles assigned to the user
- Authorization Flow:
- The client authenticates with any IDP (including CUP)
- IDP returns a token to the client
- The client passes the token to CIP
- CIP validates the token with the IDP. If it is valid, CIP returns an STS token (temporary credentials)
- The client uses the STS token to access the AWS resources
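Added example (not from the notes) for the ‘policy variables’ bullet above: the trust policy and permissions policy for an identity pool's authenticated role, using `${cognito-identity.amazonaws.com:sub}` so each federated identity can reach only its own S3 prefix, plus a toy evaluator that substitutes the variable and wildcard-matches the resource ARN the way IAM does for `Resource`. The pool id, bucket name and identity ids are constructed placeholders; the evaluator checks only `Action` and `Resource`, not `Condition` blocks, and is not IAM's real engine.

```python
"""Identity pool authenticated-role policies with the cognito-identity sub
policy variable. Added example, not from the original notes; ids are placeholders."""
import json
import re

IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # constructed placeholder
BUCKET = "example-app-user-data"                                     # constructed placeholder
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"                    # real IAM policy variable


def trust_policy(identity_pool_id, authenticated=True):
    """Who may assume the role: only identities of this pool (aud), and only
    those with the matching authentication status (amr). The guest role uses
    'unauthenticated'."""
    amr = "authenticated" if authenticated else "unauthenticated"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }


def per_identity_s3_policy(bucket):
    """What the role may do: IAM substitutes the policy variable with the
    caller's identity id at evaluation time, so one role serves every user
    while each user stays inside its own prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/private/{SUB_VAR}/*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"private/{SUB_VAR}/*"]}},
            },
        ],
    }


def _matches(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, identity_id, action, resource_arn):
    """Toy evaluator (assumption, not IAM): substitute the policy variable,
    then allow if any Allow statement covers the action and the resource.
    Condition blocks are ignored, so the ListBucket statement is not modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if any(_matches(r.replace(SUB_VAR, identity_id), resource_arn) for r in resources):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(IDENTITY_POOL_ID), indent=2))
    print(json.dumps(per_identity_s3_policy(BUCKET), indent=2))
    own = f"arn:aws:s3:::{BUCKET}/private/us-east-1:aaaa-1111/notes.txt"
    print("own object:", is_allowed(per_identity_s3_policy(BUCKET), "us-east-1:aaaa-1111", "s3:GetObject", own))
    print("other user's object:", is_allowed(per_identity_s3_policy(BUCKET), "us-east-1:bbbb-2222", "s3:GetObject", own))
```

The two conditions in the trust policy are the part most often left out: without the `aud` check any identity pool in any account could assume the role, and without `amr` the guest (unauthenticated) identities would get the authenticated role's permissions.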