09. Authorisation & Certificate

AWS Certificate Manager (ACM)

  • manages SSL/TLS certificates for in-flight encryption of websites (HTTPS)
  • automatic renewal
  • integrates with Elastic Load Balancers (Application Load Balancer & Network Load Balancer), CloudFront distributions and API Gateway
  • public and private certificates

AWS Private Certificate Authority (CA)

  • issues root and subordinate certificates (X.509), trusted only within the private organisation

Amazon Cognito

  • user authentication and identity for mobile and web applications
  • Benefit over IAM: “hundreds of users”, “mobile users” and “authenticate with SAML”
  • Cognito User Pools (CUP)
    • Authentication, Identity Verification
    • Provide sign-in functionality for user
      • A serverless database of users
      • Simple Login (User name/email + Password)
      • Password Recovery
      • Email/Phone verification
      • Multi-Factor authentication (MFA)
      • Federated identities with 3rd parties, Google/FB/SAML/OpenID, etc.
      • JWT (JSON Web Token) returned on login
    • Integrated with API Gateway & Application Load Balancer
    • Lambda Triggers
      • Authentication Events (Sign-In)
      • Sign-Up
      • Messages
      • Token Creation
    • Hosted Authentication UI & Custom Domain
      • ACM certificate must be in “us-east-1”
      • must be defined in the “App Integration” section
    • Adaptive Authentication
      • assigns a risk score to each sign-in attempt; blocks, or requires (a second) MFA for, suspicious logins
      • Integrated with CloudWatch Logs
    • JSON Web Token
      • Base64 encoded (readable by anyone holding the token, not encrypted)
      • Header, Payload (contains “sub” UUID, email, phone, user name, etc.) and Signature
    • Authenticate Users on Application Load Balancer
      • Offload the authentication from applications to load balancer
      • Identity Provider (IdP): OpenID Connect compliant
      • AWS Cognito User Pools
      • Set up HTTPS listeners with “authenticate-oidc” or “authenticate-cognito” rules
      • OnUnauthenticatedRequest – authenticate(default), deny, allow
  • Cognito Identity Pools (CIP)
    • Authorisation, Access Control
    • Federated Identities
    • Temporary AWS credentials to AWS resources directly (or via API Gateway)
      • IAM policies via Security Token Service (STS), at least one “trust” policy
      • can be customised based on the user_id
    • Identity pool/sources
      • Public 3rd Parties (Google, Facebook, Apple, etc.)
      • OpenID Connect & SAML
      • AWS Cognito User Pools
      • Developer Authenticated Identities (custom Login server)
      • unauthenticated (guest) access
    • can partition users' access with IAM policy “variables”
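Added example (not from these notes or from AWS): decoding a Cognito-style user pool JWT with the Python standard library and checking the claims an application should validate. The issuer URL, app client id, sub and signature bytes are constructed placeholders; the block checks claims only and does not verify the RS256 signature, which a real consumer must do against the user pool's JWKS public key.

```python
import base64
import json

def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt(token: str):
    # header.payload.signature: base64url is encoding, not encryption, so anyone
    # holding the token can read the header and the claims in the payload
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))

def check_claims(payload: dict, issuer: str, client_id: str, token_use: str, now: int) -> list:
    """Return the list of claim problems (empty list = claims acceptable).
    Claim checks only: the RS256 signature must be verified against the user pool's
    JWKS public key before any of these claims is trusted."""
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss mismatch")
    if payload.get("token_use") != token_use:
        problems.append("token_use mismatch")
    # ID tokens carry the app client id in 'aud'; access tokens carry it in 'client_id'
    audience = payload.get("aud") if token_use == "id" else payload.get("client_id")
    if audience != client_id:
        problems.append("audience mismatch")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        problems.append("expired or missing exp")
    return problems

# Constructed sample ID token (not issued by Cognito): pool id, client id, sub and
# signature bytes are placeholders
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"
SAMPLE_HEADER = {"alg": "RS256", "kid": "constructed-kid"}
SAMPLE_PAYLOAD = {"sub": "00000000-0000-4000-8000-000000000000", "email": "user@example.com",
                  "cognito:username": "user", "token_use": "id", "aud": CLIENT_ID,
                  "iss": ISSUER, "iat": 1700000000, "exp": 1700003600}
SAMPLE_TOKEN = ".".join([b64url_encode(json.dumps(SAMPLE_HEADER).encode()),
                         b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
                         b64url_encode(b"constructed-signature-bytes")])

if __name__ == "__main__":
    header, payload, _sig = decode_jwt(SAMPLE_TOKEN)
    print(header["alg"], payload["sub"], check_claims(payload, ISSUER, CLIENT_ID, "id", 1700000100))
```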

IAM

  • The permissions boundary for an IAM entity (user or role) sets the max permissions that the entity can have

AWS Accounts

  • To apply security restrictions across multiple AWS accounts, use Service Control Policy (SCP). For just a single account, use IAM policies.
  • You can migrate an account to another AWS organization, e.g. if you divest a business unit