Web identity Federation - seanremenyi/Notes_aws_developer GitHub Wiki

Simplifies authentication and authorization for web applications.

- User access to AWS resources: users access AWS resources after successfully authenticating with a web-based identity provider such as Facebook, Amazon, or Google.
- Authentication: after successful authentication, the user receives an authentication code from the web identity provider.
- Authorization: the user can trade this authentication code for temporary AWS security credentials, which authorize access to AWS resources.
- Amazon Cognito: provides web identity federation, including sign-up and sign-in functionality for your applications, and access for guest users.
- Identity broker: manages authentication between your application and the web identity providers, so you don't need to write any additional code.
- Multiple devices: synchronizes user data across multiple devices.
- Recommended for mobile: recommended for all mobile applications that call AWS services; it is the AWS-recommended best practice for web identity federation in mobile applications.
- With Amazon Cognito, you can add Multi-Factor Authentication (MFA) to a User Pool.

The temporary credentials map to an IAM role, allowing access to the required resources. There is no need for the application to embed or store AWS credentials locally on the device.

- User pools: user directories that manage sign-up and sign-in for mobile and web applications.
- Sign-in: users can sign in directly to the user pool, or through Facebook, Google or Amazon.
- Identity pools: identity pools enable you to provide temporary AWS credentials, enabling access to AWS services such as S3 or DynamoDB.

Sign-in flow: the user pool brokers the sign-in with Facebook and then returns a JWT, which is presented to the identity pool, which in turn grants an IAM role.

Cognito push synchronization: synchronization across all devices.

- Devices: Cognito tracks the association between a user identity and the various devices they sign in from.
- Seamless: Cognito uses push synchronization to push updates and synchronize user data across multiple devices.
- SNS silent notifications: an SNS notification is sent to all the devices associated with a given user identity whenever data stored in the cloud changes (for example, updating an address on one device gets synchronized across all devices associated with the account).

An authentication token (a JWT) is exchanged for temporary AWS credentials, allowing the user to assume an IAM role with permission to access AWS resources.

User pools vs identity pools:

- User pool: a user directory used to manage sign-up and sign-in functionality for mobile and web applications.
- Identity pool: identity pools enable you to provide temporary AWS credentials, enabling access to AWS services such as S3 or DynamoDB.

IAM is used to define user access permissions within AWS. There are 3 types of policy:

AWS Managed policies

- An IAM policy created and administered by AWS.
- Allows you to assign appropriate permissions to your users without having to write the policy yourself.
- Can be attached to multiple users, groups or roles in the same AWS account or across different accounts.
- You cannot change the permissions defined in an AWS managed policy.

Customer Managed policies

- Created by you: a standalone policy that you create and administer inside your own AWS account. You can attach this policy to multiple users, groups and roles within your own account.
- Copy an existing policy: to create a customer managed policy, you can copy an existing AWS managed policy and customize it to fit the requirements of your organization.
- Your needs: recommended for use cases where the existing AWS managed policies don't meet the needs of your environment.

Inline policies

- 1:1 relationship: there is a strict 1:1 relationship between the entity and the policy.
- Embedded: when you delete the user, group or role in which the inline policy is embedded, the policy is also deleted.
- Single user, group or role: the policy must not be inadvertently assigned to any other group, user or role than the one for which it is intended. The policy must only ever be attached to a single user, group or role.

In most cases, AWS recommends using managed policies over inline policies.

STS AssumeRoleWithWebIdentity:

- STS API: assume-role-with-web-identity is an API provided by STS (Security Token Service).
- Temporary credentials: returns temporary security credentials for users authenticated by a mobile or web application using a web identity provider such as Amazon, Facebook, or Google.
- Web applications: a regular web application can call the assume-role-with-web-identity API directly. For mobile applications, Cognito is recommended.
- AssumedRoleUser: within AssumedRoleUser, the ARN and AssumedRoleId are used to programmatically reference the temporary credentials, not an IAM role or user.
- Cross-account access: delegate access to resources in different AWS accounts that you own.
- Manage resources in other accounts: share resources in one account with users in a different account.
- IAM role: create a role in one account that allows access and grants permissions to users in a different account.
- Switch roles within the AWS Management Console; no password required.
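As an added example (not from these notes or from AWS), the Python below builds the trust policy of the IAM role that an identity pool hands out for the JWT-to-credentials exchange described above, and a simplified evaluator (an assumption standing in for STS) shows why the `aud` and `amr` conditions matter: a token issued for a different pool, or for a guest identity, is refused. The pool id and token claims are constructed.

```python
import fnmatch


def cognito_identity_trust_policy(identity_pool_id: str, authenticated: bool = True) -> dict:
    # The Condition block is the security-relevant part: the aud check ties the role
    # to ONE identity pool (otherwise a token from any pool could assume it), and the
    # amr check keeps guest (unauthenticated) identities out of the authenticated role.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr":
                                           "authenticated" if authenticated else "unauthenticated"},
            },
        }],
    }


def trust_policy_allows(policy: dict, claims: dict) -> bool:
    # Simplified model (added here, not STS itself) of evaluating the trust policy
    # against the claims carried by the presented web identity token.
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        # StringEquals: every listed key must match the single-valued claim exactly
        ok = all(claims.get(k) == v for k, v in cond.get("StringEquals", {}).items())
        # ForAnyValue:StringLike: at least one value of the multi-valued claim must match
        for k, pattern in cond.get("ForAnyValue:StringLike", {}).items():
            ok = ok and any(fnmatch.fnmatchcase(v, pattern) for v in claims.get(k, []))
        if ok:
            return True
    return False


# Constructed sample identifiers and token claims (not real pools or tokens)
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000001"
AUTH_POLICY = cognito_identity_trust_policy(POOL_ID)
FACEBOOK_USER = {"cognito-identity.amazonaws.com:aud": POOL_ID,
                 "cognito-identity.amazonaws.com:amr": ["authenticated", "graph.facebook.com"]}
OTHER_POOL_USER = dict(FACEBOOK_USER, **{"cognito-identity.amazonaws.com:aud": POOL_ID[:-1] + "2"})
GUEST = {"cognito-identity.amazonaws.com:aud": POOL_ID,
         "cognito-identity.amazonaws.com:amr": ["unauthenticated"]}
```

The guest identity only passes when the role is created with `authenticated=False`, which is the separate unauthenticated role an identity pool uses for guest access.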