rvlsoft - Fotolia

How Amazon Cognito fits into AWS security best practices

In this chapter excerpt from AWS: Security Best Practices on AWS, author Albert Anthony highlights how Amazon Cognito plays a role in application development on the AWS cloud.

Development teams shouldn't overlook the importance of a secure sign-on screen for the apps they build. It can often be tedious, however, to create the custom code for these UIs.

To simplify that process, developers can use Amazon Cognito, a managed service that offers a prebuilt sign-on interface with native AWS security features for monitoring and management.

Cognito creates a plug-and-play option for developers, according to Albert Anthony, founder of Loves Cloud, a cloud and DevOps consultancy, and author of AWS: Security Best Practices on AWS.

"If I am developing a cloud-native application on AWS, I would definitely go with Cognito instead of developing my own logic for single sign-on or user management," Anthony said.

Developers can also use Cognito to maintain application state, which can be a challenge when end users access applications from multiple devices.

In the excerpt below from his aforementioned book, Anthony goes into detail on the service and how developers can use it alongside other native AWS tools.

Amazon Cognito

Amazon Cognito is a managed service that allows you to quickly add users for your mobile and web applications by providing in-built sign-in screens and authentication functionality. It handles security, authorization, and synchronization for your user management process across devices for all your users. You can use Cognito for authenticating your users through external identity providers including social identity providers, such as Facebook, Google, Twitter, LinkedIn, and so on. Cognito can also be used to authenticate identities for any solution that is compatible with SAML 2.0 standard. You can provide temporary security credentials with limited privileges to these authenticated users to securely access your AWS resources. The following figure illustrates three basic functionalities of Amazon Cognito: user management, authentication, and synchronization:

Cognito overview
Amazon Cognito security overview

This service is primarily designed for developers to use in their web and mobile apps. It enables developers to allow users to securely access the app's resources. You begin by creating and configuring a user pool, a user directory for your apps, in Amazon Cognito either through AWS Management Console, AWS CLI, or through AWS SDK. Once you have created [a] user pool, you can download, install, and integrate AWS Mobile SDK with your app, whether on iOS or Android. You also have an option to call APIs directly for Cognito if you do not wish to use [the] SDK, as it exposes all control and data APIs as web services for you to consume them through your own client library.

Amazon Cognito integrates with CloudTrail and CloudWatch so you can monitor Cognito metrics and log API activities in real time and take the required action for any suspicious activity or security threat.

Packt Publishing is offering a special deal on AWS: Security Best Practices in AWS by Albert Anthony for SearchAWS readers. Follow this link, and use the code ORTTAA09 at checkout to purchase the e-book for $9. Offer valid until Nov. 30, 2018.

Dig Deeper on AWS infrastructure