AWS Cognito: Multi-user group management

AWS Cognito

Web applications traditionally build their own sign-in: a username and password checked against a user table, usually with a CAPTCHA in front of registration so that internet bots cannot mass-create accounts. Building and operating that stack yourself is not something you have to do on AWS.

That is what AWS Cognito is for.

AWS Cognito is an Amazon Web Services product that provides user authentication, authorization and a user directory for web and mobile applications.

The service stores and synchronises end-user data, so an application developer can focus on application code instead of building and operating back-end identity infrastructure.

In this blog, we will discuss AWS Cognito and multi-user management.

So let's start with:

What is AWS Cognito?

Access control through authentication and authorization needs two things confirmed:

1- The identity of the person trying to access the web or mobile application.

2- Whether that person is allowed to do what they are asking for.

These aspects are essential for ensuring the security of networks and protected resources for organisations. This is where AWS Cognito helps you.

Users can sign in directly with credentials stored in Cognito, or through a third-party identity provider such as Facebook, Amazon, Google, or a corporate SAML or OpenID Connect provider.

A user pool is a user directory: it stores user profile attributes, handles sign-up and sign-in for web and mobile applications, and issues tokens that prove who the user is. An identity pool takes an identity from a user pool or an external provider and exchanges it for temporary AWS credentials, so the same access rules apply whatever platform, device or operating system the user signs in from; this is what AWS calls federated identities.

When a device is online, Cognito Sync pushes the user's data to AWS, so the end user sees the same information on another device. Offline, the data lives in a local SQLite store and is synchronised once the device reconnects. Cognito associates each data set with an identity and stores the records as encrypted key/value pairs in the sync store. (Cognito Sync is a legacy feature; AWS now recommends AWS AppSync for new applications.)

Critical components of AWS Cognito:

The two key components in AWS Cognito are:

(i) User Pool

(ii) Identity Pool

A user pool is the repository where user profile details are kept. It gains an entry whenever a new user registers through the web or mobile application, and the credentials a user presents at sign-in are checked against it.

The identity pool gives authenticated users access to other AWS resources. Rather than asking for credentials again, it issues temporary AWS credentials. User pools and identity pools can be used independently, and the two can also be combined.

Authentication and authorization are the two key functions of any user and identity management system. Authentication verifies that a user is who they claim to be, whereas authorization determines what that user may do with other AWS services and resources.

The credentials an identity pool issues are short-lived and scoped by the IAM role the pool maps to the user, so the application never holds long-lived AWS keys. This works with or without a user pool: the identity pool accepts identities from a user pool or directly from an external provider.

Think of a corporate intranet. Users log in with a user ID and password; once those are validated they are on the network. That is authentication, and it is the user pool's job. To reach an internal service or resource they do not enter their credentials again; the policies and rules configured for them decide whether they are authorised. Typically some service vouches for the user's login or hands out temporary access tokens for the other servers or resources. That is authorization, and it is the identity pool's job.

Multi-Factor Authentication:

Passwords alone are not strong security: they are easy to guess, easy to reuse and easy to forget. Combining a password with another form of identification is far more effective. That is what multi-factor authentication is.

Multi-Factor Authentication (MFA) requires more than one method of verification to validate a user's identity at login. Security experts and vendors prefer the term multi-factor over two-factor because a scheme may require more than two credentials. Each extra factor adds a layer of defence that makes it harder for an unauthorised person to reach a location, device, network or database: if one factor is compromised, the attacker still has at least one more barrier to breach. In Cognito user pools, MFA means an SMS code or a time-based one-time password from an authenticator app on top of the password; prefer the authenticator app, since SMS codes can be intercepted through SIM swapping.

There are five primary categories of factor:

Knowledge factors: something the user knows, such as a password or the answer to a security question.

Possession factors: something the user has, such as a hardware security token or an enrolled authenticator app on their smartphone.

Inherence factors: something the user is, such as a fingerprint scan, a retina scan, facial recognition or voice recognition.

Location factors: where the user is, usually determined from a smartphone's GPS or the network they connect from.

Time factors: when the login happens. For instance, checking an employee's access against their work schedule means a stolen credential cannot be used by an outsider during off-hours.

As a consumer, you have probably seen this at a petrol station: you insert or swipe your card to pay (a possession factor) and then enter your billing zip code (a knowledge factor) before the transaction goes through. With the spread of SaaS services and widespread password reuse, MFA matters to every business.

How AWS Cognito authentication works:

Authentication works in a 4-step process when identity pools and user pools are used together:

Step-1: A user signs in through a user pool.

Step-2: Once successfully authenticated, they receive user pool tokens: an ID token, an access token and a refresh token.

Step-3: The identity pool exchanges the user pool token for temporary AWS credentials.

Step-4: With these temporary AWS credentials, the user can call other AWS services.
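The four steps above as runnable JavaScript, added here as an example rather than taken from the post. The function is written against two injected client objects, assumed to expose initiateAuth, getId and getCredentialsForIdentity as promise-returning methods with the AWS API's request and response shapes (the AWS SDK for JavaScript v2 gives you exactly this via .promise(); with v3 you would wrap client.send(new ...Command(input))). The region, pool, app client and identity pool IDs are placeholders.

```javascript
// Added example, not the post's code: steps 1-4 of the user pool -> identity pool exchange.
// `idp` and `identity` are assumed client objects whose methods take the AWS API input shape
// and return a promise of the API output (AWS SDK for JavaScript v2 style).
async function signInAndGetAwsCredentials({ idp, identity }, cfg, username, password) {
  // Steps 1 and 2: authenticate against the user pool and receive the user pool tokens.
  // USER_PASSWORD_AUTH must be enabled on the app client; the SDK's default is the SRP flow,
  // which proves the password without sending it over the wire.
  const auth = await idp.initiateAuth({
    AuthFlow: 'USER_PASSWORD_AUTH',
    ClientId: cfg.appClientId,
    AuthParameters: { USERNAME: username, PASSWORD: password },
  });
  if (!auth.AuthenticationResult) {
    // MFA or a forced password change: Cognito returns ChallengeName + Session instead of tokens,
    // and the client must answer with RespondToAuthChallenge before it gets any token.
    throw new Error(`authentication incomplete: challenge ${auth.ChallengeName}`);
  }
  const { IdToken } = auth.AuthenticationResult; // AccessToken and RefreshToken are there too

  // Step 3: exchange the token through the identity pool. The Logins key is the user pool's
  // issuer host (no https://), and the value must be the ID token, not the access token.
  const logins = { [`cognito-idp.${cfg.region}.amazonaws.com/${cfg.userPoolId}`]: IdToken };
  const { IdentityId } = await identity.getId({ IdentityPoolId: cfg.identityPoolId, Logins: logins });
  const { Credentials } = await identity.getCredentialsForIdentity({ IdentityId, Logins: logins });

  // Step 4: short-lived credentials for the IAM role the identity pool maps to authenticated users.
  return {
    identityId: IdentityId,
    accessKeyId: Credentials.AccessKeyId,
    secretAccessKey: Credentials.SecretKey, // Cognito Identity names this field SecretKey
    sessionToken: Credentials.SessionToken,
    expiration: Credentials.Expiration,
  };
}

// Assumed configuration (placeholders, not real IDs).
const EXAMPLE_CONFIG = {
  region: 'us-east-1',
  userPoolId: 'us-east-1_EXAMPLE',
  appClientId: 'exampleappclientid',
  identityPoolId: 'us-east-1:00000000-0000-0000-0000-000000000000',
};
```

Two details in this flow are the usual sources of bugs: the Logins map is keyed by the pool's issuer host and must carry the ID token (the access token is rejected), and an MFA-enabled pool does not return AuthenticationResult on the first call, so a client that only handles the happy path never completes sign-in.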

AWS Cognito Security and data protection:

Cognito follows the AWS shared responsibility model: AWS secures the cloud, while security in the cloud (pool and app client configuration, MFA settings, the IAM role policies attached to identity pools) is the customer's responsibility. On top of that, Cognito supports MFA and encrypts data in transit and at rest in line with industry standards, and it is covered by numerous compliance programmes, including:

ISO/IEC 27001/27017/27018

Cognito also supports the standard IAM capabilities, including:

Identity-based policies

Policy actions

Temporary credentials

Service-linked roles

Service roles
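Where those capabilities meet is the IAM role an identity pool hands to authenticated users. As an added example that is not from the post, here is that role as a CloudFormation resource, with the two trust-policy conditions that are usually missing from hand-written roles and a permissions policy scoped to the caller's own identity. The bucket name app-user-data and the IdentityPool logical ID are assumptions; the AWS::Cognito::IdentityPoolRoleAttachment that maps the role to the pool is omitted.

```yaml
# Added example, not the post's code: the "authenticated" role of an identity pool.
AuthenticatedRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Federated: cognito-identity.amazonaws.com
          Action: sts:AssumeRoleWithWebIdentity
          Condition:
            # aud pins the role to this identity pool; without it any identity pool in any
            # account could assume the role. amr excludes unauthenticated (guest) identities.
            StringEquals:
              "cognito-identity.amazonaws.com:aud": !Ref IdentityPool   # assumed: AWS::Cognito::IdentityPool in this template
            ForAnyValue:StringLike:
              "cognito-identity.amazonaws.com:amr": authenticated
    Policies:
      - PolicyName: per-identity-prefix
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            # Weak setting to avoid: Resource "arn:aws:s3:::app-user-data/*", which lets every
            # signed-in user read every other user's objects. The policy variable below resolves
            # to the caller's identity ID at request time, so each user only sees their own prefix.
            - Effect: Allow
              Action: [s3:GetObject, s3:PutObject]
              Resource: "arn:aws:s3:::app-user-data/${cognito-identity.amazonaws.com:sub}/*"
            - Effect: Allow
              Action: s3:ListBucket
              Resource: "arn:aws:s3:::app-user-data"
              Condition:
                StringLike:
                  "s3:prefix": "${cognito-identity.amazonaws.com:sub}/*"
```

The temporary credentials from step 4 of the flow carry exactly these permissions and nothing more, which is why the scoping belongs in the role rather than in application code.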

Synchronising user data with AWS Cognito:

AWS Cognito Sync synchronises user profile data across mobile and web applications. Each end user is represented by an identity with its own credentials, and the high-level client libraries for Android and iOS cache the data locally on the device, so it stays available offline. The data is stored in data sets, and reading or writing a data set requires the credentials of the identity it belongs to.

Because those identities come from an identity pool, an organisation has to set up an identity pool before it can use AWS Cognito Sync.

Multi-User Management:

There are three common approaches to building multi-user management with AWS Cognito. In each of them a "user" is really a tenant, a customer organisation with its own end users, and the approaches differ in how strongly one tenant's end users are isolated from another's.

1-AWS Cognito User Pool for Every User (tenant):

In this approach, we create a separate user pool for each tenant. This gives the strongest isolation: each pool has its own password policy, MFA settings and app clients, and a token issued by one pool is not valid against another. The trade-off is cost and operational effort: the application needs logic to route each sign-up and sign-in to the right pool, and every pool has to be configured, monitored and audited separately.

2-AWS Cognito Groups for Every User (tenant):

With group-based multi-tenancy, all tenants share one user pool and each user is added to a user pool group named for their tenant. Group membership is administrator-managed (there is no user-facing API to join a group) and appears in the cognito:groups claim of both the ID and access tokens, so a Lambda authorizer in front of the API can read that claim and enforce the tenant boundary for your application and back-end services. Because there is a single pool, settings such as the password policy and MFA requirements are the same for every tenant.

3-AWS Cognito Custom Attribute for Every User (tenant):

With the custom-attribute approach, every user profile carries a tenant ID as a custom attribute (for example custom:tenant_id). Custom attributes are the standard way to add extra data to a user pool profile, and a Lambda trigger can populate the value server-side during registration, so sign-up and sign-in stay simple for the user. The attribute is included as a claim in the ID token (not the access token), and a Lambda authorizer can use it to apply all tenant logic in your application and back-end services. One caveat decides whether this approach is safe: the app client's attribute permissions must not make the tenant attribute writable by the user, otherwise a user could change their own tenant with UpdateUserAttributes and read another tenant's data.

I hope you now have an overview of AWS Cognito and its major components, the user pool and the identity pool, as well as an idea of the options for multi-user management.