You're reading from Implementing Identity Management on AWS

Product type: Book
Published in: Oct 2021
Publisher: Packt
ISBN-13: 9781800562288
Edition: 1st Edition
Author: Jon Lehtinen

Jon Lehtinen has 16 years of enterprise identity and access management experience and specializes in both the strategy and execution of IAM transformation in global-scale organizations such as Thomson Reuters, General Electric, and Apollo Education Group. In addition to his work in the enterprise space, he has held positions on Ping Identity's Customer Advisory Board and as an advisor to identity verification start-up EvidentID. He currently owns the workforce and customer identity implementations at Okta. Jon is dedicated to the growth and maturity of IAM as a profession and serves on the Board of Directors for IDPro org. He is also a member of the Kantara Initiative, ISC2, OpenID Foundation, and Women in Identity. Jon has presented his work at several conferences, including RSA, Identiverse, and KuppingerCole's European Identity and Cloud Conference. Currently, he owns Okta's workforce and customer IAM implementations as their Director of Okta on Okta.

Chapter 5: Introducing Amazon Cognito

So far, we have approached identity for AWS in the context of managing authentication and authorization to AWS resources within an AWS account. We've examined the primary service that governs that access, known as AWS IAM, and seen how user accounts are managed, how their credentials are administrated, and how authorization policies are applied. Most of these use cases focus on using AWS in the context of an Infrastructure as a Service platform.

Amazon Cognito is, above all, a service for applications, with documentation and examples targeted at application developers. In fact, much of that documentation addresses specific use cases by offering reference implementations that further enmesh the application architecture into AWS. This is what we mean when we say that Amazon Cognito offers identity services for AWS in the context of Platform as a Service (PaaS) and that AWS IAM handles identity for AWS as Infrastructure as a Service (IaaS...

Technical requirements

To get the most out of this chapter, you will need the following:

  • An AWS account
  • A workstation running the AWS CLI
  • A text editor or IDE to edit JSON/YAML files, such as Microsoft Visual Studio Code

What is Amazon Cognito?

Amazon Cognito provides identity management, user authentication, and authorization for web applications. Amazon Cognito is a service that externalizes the components for application user identity management and authorization for application developers who do not wish to manage those items within the context of their own application. The Amazon Cognito service, within a given AWS account, can accommodate several distinct collections of user accounts, called pools. While Amazon Cognito is an identity service, it is distinct from AWS IAM in terms of its purpose and functionality. However, there are use cases and design patterns where Amazon Cognito and AWS IAM interact:

Figure 5.1 – The Amazon Cognito service from within the Management Console

Like nearly everything else in AWS, Amazon Cognito can be fully configured using both the Administrative Console and the AWS CLI. As shown in the preceding screenshot, Amazon Cognito offers...

Amazon Cognito use cases

There are several common deployment patterns and use cases that Amazon Cognito accommodates. While each of these patterns may involve different Amazon Cognito, AWS IAM, or other app and AWS service components, they all share the same underlying purpose: to facilitate application identity services on applications deployed on AWS. Let's examine a few of these use cases and patterns and see how the different Amazon Cognito components come into play for each one.

User authentication for application access

The simplest design pattern to accommodate when using Amazon Cognito is fully externalized user account management and authentication. In this pattern, the Cognito user pool acts as the IDP and user store for the application:

Figure 5.3 – Application authentication and user management with a user pool

Applications can take advantage of Amazon Cognito's hosted account management, sign-up, and verification process...
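When a user pool acts as the application's IDP and authorization server, the application receives signed JSON Web Tokens and must validate them before trusting the identity they carry. The following is an added example, not code from the book or from AWS: it implements the claim checks for a user pool ID or access token using only the Python standard library. The region, user pool ID and app client ID are constructed placeholders, and the sample token is built locally with a placeholder signature; in a real relying party the RS256 signature is verified against the pool's JWKS endpoint (a JWT library such as PyJWT does this) before these claim checks run.

```python
"""Claim validation for Amazon Cognito user pool tokens (added example).

A Cognito user pool acting as IDP and authorization server issues an ID token,
an access token and a refresh token. ID and access tokens are JWTs signed with
RS256. A relying application must verify the signature against the pool's JWKS
(https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json)
and then check the claims. This module implements only the claim checks; the
signature check is delegated to a JWT library in a real deployment.
"""
import base64
import json
import time

# Constructed placeholder identifiers, not real AWS resources.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"
APP_CLIENT_ID = "exampleappclientid0000000"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature, for offline testing only.
    Real Cognito tokens are RS256-signed; this one would fail a signature check."""
    header = {"alg": "RS256", "kid": "example-kid"}
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    return ".".join(segments + ["placeholder-signature"])


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.
    Only pass the result to validate_cognito_claims once the signature has been
    verified against the pool's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_cognito_claims(claims: dict, region: str, user_pool_id: str,
                            app_client_id: str, expected_token_use: str, now=None):
    """Apply the claim checks AWS documents for user pool tokens.

    expected_token_use is "id" or "access". Returns (ok, reason).
    """
    now = time.time() if now is None else now
    expected_issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != expected_issuer:
        return False, "issuer does not match this user pool"
    if claims.get("token_use") != expected_token_use:
        return False, f"token_use is not '{expected_token_use}'"
    # ID tokens name the app client in 'aud'; access tokens use 'client_id'.
    audience_claim = "aud" if expected_token_use == "id" else "client_id"
    if claims.get(audience_claim) != app_client_id:
        return False, f"{audience_claim} does not match this app client"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token is expired or has no exp claim"
    return True, "ok"


# Constructed sample claims with fixed timestamps so the example is deterministic.
ISSUED_AT = 1_700_000_000
SAMPLE_ID_CLAIMS = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}",
    "aud": APP_CLIENT_ID,
    "token_use": "id",
    "iat": ISSUED_AT,
    "exp": ISSUED_AT + 3600,
    "email": "user@example.com",
}


def check_sample_id_token(now=ISSUED_AT + 60):
    """Round-trip the sample ID token through decode and claim validation."""
    token = make_sample_token(SAMPLE_ID_CLAIMS)
    return validate_cognito_claims(decode_claims(token), REGION, USER_POOL_ID,
                                   APP_CLIENT_ID, "id", now=now)


if __name__ == "__main__":
    print(check_sample_id_token())                      # (True, 'ok')
    print(check_sample_id_token(now=ISSUED_AT + 7200))  # expired
```

The issuer check ties the token to one specific pool, and the `token_use` check prevents an ID token from being accepted where an access token is required (or vice versa); both are common omissions when only `exp` and the signature are checked.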

Creating an Amazon Cognito user pool

We will create an Amazon Cognito user pool using the Management Console. To do this, follow these steps:

  1. Go to the Amazon Cognito service within the Management Console.
  2. Click the Manage User Pools button.
  3. This takes us to a listing of all the user pools that have currently been set up inside our AWS account. Since we have not configured any inside this account, it should be empty:

    Figure 5.9 – Our empty list of Cognito user pools

  4. Click the Create a user pool button to start creating our first pool. We will immediately be prompted for a pool name and given options for either reviewing the default configuration recommended by AWS or stepping through the configuration one step at a time. Selecting the Review defaults option will simply skip us to the Review page, so let's select Step through settings and see what options are available to us. Since we are not overly creative, we will call our first pool rbipool and proceed...

Exploring the hosted UI

Amazon Cognito offers a customizable hosted UI for user sign-in and sign-up. We can see the default UI by opening the link at the bottom of each app client, under the App client settings menu inside our user pool:

Figure 5.42 – The hosted UI is available from the App Client details form

This is the default sign-in form:

Figure 5.43 – Amazon Cognito user pool's default form

If we wish to offer a branded experience, we can go to the UI customization menu in our pool and adjust the colors, border padding, and other CSS elements to adjust the look and feel of this hosted service so that it aligns with our own website. Amazon Cognito offers the option to run several different versions of the hosted UI, with distinct branding applied to a specific application client ID:

Figure 5.44 – Customization options for the hosted UI

Let's add a simple, and admittedly ugly...

Creating an Amazon Cognito identity pool

Since we now have a user pool that can provide federated identities, we can create an identity pool. Doing so will allow the federated identities from that user pool to access AWS resources. To do this from the Management Console, follow these steps:

  1. Go to the Amazon Cognito service and select Manage Identity Pools.
  2. Since we have no existing identity pools, we are taken directly to the wizard to configure our first one. Let's call this one rbiidentitypool:

    Figure 5.51 – Naming the new identity pool

  3. An interesting capability of identity pools is that they allow unauthenticated users to obtain temporary credentials to access AWS resources. It may seem counterintuitive to permit this, but there may be use cases where access to a resource, such as placing a file into a bucket or adding an entry into an Amazon DynamoDB database, may be deemed so sufficiently low risk that identifying principals taking these actions may...
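Because an identity pool exchanges a (possibly unauthenticated) identity for temporary AWS credentials by assuming an IAM role, the trust policy on that role is what confines the exposure. The following is an added example, not code from the book or from AWS: it audits a role trust policy for the two conditions the Cognito console places on identity pool roles, the `cognito-identity.amazonaws.com:aud` key (pinning the role to one identity pool) and the `cognito-identity.amazonaws.com:amr` key (distinguishing the authenticated and unauthenticated roles). The identity pool ID and the sample policy are constructed.

```python
"""Audit of an identity pool role trust policy (added example, not from the book).

An identity pool hands out temporary AWS credentials by assuming an IAM role.
The trust policy the Cognito console attaches to that role restricts who may
assume it with two condition keys: cognito-identity.amazonaws.com:aud (the
identity pool ID) and cognito-identity.amazonaws.com:amr ("authenticated" or
"unauthenticated"). This checker flags roles whose trust policy lacks either
constraint, which is the first thing to review before enabling unauthenticated
identities.
"""
import json

# Constructed identity pool ID; real IDs have the form <region>:<uuid>.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"

# Constructed trust policy in the shape the console generates for the
# identity pool's unauthenticated role.
UNAUTH_ROLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Federated": "cognito-identity.amazonaws.com"},
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:00000000-0000-0000-0000-000000000000"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "unauthenticated"
        }
      }
    }
  ]
}
""")


def _as_list(value):
    """IAM policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(policy: dict, identity_pool_id: str, role_kind: str) -> list:
    """Return a list of findings; an empty list means every Allow statement is
    scoped to this identity pool and to role_kind ("authenticated" or
    "unauthenticated")."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"statement {index}"
        if stmt.get("Principal") != {"Federated": "cognito-identity.amazonaws.com"}:
            findings.append(f"{where}: principal is not the Cognito identity service")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"{where}: action must be exactly sts:AssumeRoleWithWebIdentity")
        condition = stmt.get("Condition", {})
        aud = _as_list(condition.get("StringEquals", {})
                       .get("cognito-identity.amazonaws.com:aud"))
        if aud != [identity_pool_id]:
            findings.append(f"{where}: no aud condition pinning the role to {identity_pool_id}")
        amr = _as_list(condition.get("ForAnyValue:StringLike", {})
                       .get("cognito-identity.amazonaws.com:amr"))
        if amr != [role_kind]:
            findings.append(f"{where}: amr condition must be '{role_kind}'")
    return findings


def audit_sample_policies(identity_pool_id: str = IDENTITY_POOL_ID) -> dict:
    """Audit the scoped sample policy and a copy with the aud condition removed,
    which would let any identity pool in any account assume the role."""
    unscoped = json.loads(json.dumps(UNAUTH_ROLE_TRUST_POLICY))
    del unscoped["Statement"][0]["Condition"]["StringEquals"]
    return {
        "scoped": audit_trust_policy(UNAUTH_ROLE_TRUST_POLICY, identity_pool_id, "unauthenticated"),
        "unscoped": audit_trust_policy(unscoped, identity_pool_id, "unauthenticated"),
    }


if __name__ == "__main__":
    for name, result in audit_sample_policies().items():
        print(name, result or "no findings")
```

The trust policy only governs who may assume the role; the permissions policy attached to the unauthenticated role still needs the same least-privilege review, since everything it allows is reachable by anyone who can call the identity pool.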

Summary

We covered a lot of new ground in this chapter! In this chapter, we took our first steps into a very large identity service that is nearly completely separate from the identity service that we spent the last few chapters getting to know. However, now that we understand the capabilities of Amazon Cognito, as well as how it can be used to solve application identity in a PaaS context, we are prepared to incorporate it into a holistic cloud identity strategy. We can use services such as Amazon Cognito to facilitate and simplify the challenges that application teams have with user life cycle management and authentication, especially if they intend to fully enmesh their application architecture into the AWS ecosystem.

The next chapter will bring us back into managing access to AWS as an IaaS platform. However, it will do so via another fully featured identity provider service available on AWS that is totally different from Amazon Cognito. There, we will become familiar with AWS...

Questions

  1. What are the two main components of Amazon Cognito?
  2. What kind of tokens are issued by a Cognito user pool when it is acting as an authorization server and IDP?
  3. How are identity pools different from user pools?
  4. What role does Amazon Cognito play in an identity ecosystem compared to AWS IAM?