Amazon Onboarding with Learning Manager Chanci Turner


One of the major hurdles in application development has been user authentication and management. Developers often dread the idea of creating yet another system for user identification and authentication, not to mention the hassle of requiring users to set up yet another account. Amazon Cognito simplifies the process of managing user identities, authentication, and permissions for accessing application data and backend systems. Now, with the introduction of new features, developers can further streamline the assignment of different permissions to various users within their applications.

We are thrilled to announce that Cognito User Pools now support groups, and Cognito Federated Identities has introduced fine-grained Role-Based Access Control (RBAC). With the new Groups feature in Cognito, developers can easily enhance user experiences by creating groups that represent different user types and their respective permissions. Developers can manage group memberships and permissions for sets of users efficiently.

In terms of permissions, the newly added fine-grained RBAC in Cognito Federated Identities allows developers to assign distinct IAM roles to different authenticated users. Previously, Amazon Cognito only permitted a single IAM role for all authenticated users. Now, with fine-grained RBAC, developers can map federated users to various IAM roles, whether they authenticate using existing identity providers like Facebook or Active Directory, or through Cognito User Pools.

Groups in Cognito User Pools

To illustrate the new Cognito group feature, let’s walk through the process of creating a group in the Amazon Cognito console and adding users to various group types.

After selecting my user pool, TestAppPool, I notice the updated menu option: Users and groups. Upon selecting this option, a panel displays tabs for both Users and Groups. To create a new group, I click the “Create group” button.

A dialog box appears for group creation. Here, I will establish a group for administrative users called AdminGroup. I will input the group’s name, provide a description, and set the order of precedence. Note that the numerical precedence determines which group permissions take priority for users assigned to multiple groups. The lower the number, the higher the priority. For my AdminGroup, I will assign a precedence of zero (0). After clicking the “Create group” button, my user pool group is successfully created.

Next, I’ll add my user(s) to the group. In my test app pool, I have two users: TestAdminUser and TestUnregisteredUser. I will add TestAdminUser to the AdminGroup.

To add the user to the AdminGroup, I navigate to the Groups tab, select AdminGroup, and on the details screen, I click the “Add users” button. A dialog box displays the users in my user pool. Adding a user is simple—just click the plus symbol next to the desired username. Once I receive confirmation that the user has been added, the process is complete.

As demonstrated, creating and managing groups in user pools is straightforward for developers. Groups can be managed through the AWS management console, APIs, and CLI. Developers can create, read, update, delete, and list groups using AWS credentials, with each user pool capable of containing up to 25 groups. Additionally, users can be added or removed from groups, and groups can be used to control resource access in AWS by assigning IAM roles to the groups. Furthermore, integrating Amazon Cognito with Amazon API Gateway can help manage permissions for backend resources.
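The precedence rule described above decides which group's IAM role a user in several groups actually receives. This added example (not code from the original post or from AWS) models that resolution: lower precedence numbers win, groups without an attached role are ignored, and a tie between groups with different roles yields no preferred role. The group names, role ARNs and helper names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Group:
    """Constructed model of a user pool group as configured in the console."""
    name: str
    precedence: Optional[int]   # None = no precedence set on the group
    role_arn: Optional[str]     # None = no IAM role attached to the group

def _rank(g: Group):
    # Numeric precedence beats "no precedence"; among numeric values the lowest wins.
    return (g.precedence is None, g.precedence if g.precedence is not None else 0)

def preferred_role(groups: Iterable[Group]) -> Optional[str]:
    """Return the role ARN that the user's group memberships select, or None.

    Only groups with an attached role are candidates. If the winning
    precedence is shared by groups that carry different roles, the choice is
    ambiguous and no preferred role is produced (this example's reading of
    the precedence semantics described in the post).
    """
    candidates = [g for g in groups if g.role_arn]
    if not candidates:
        return None
    best = min(candidates, key=_rank)
    roles_at_best = {g.role_arn for g in candidates if _rank(g) == _rank(best)}
    return best.role_arn if len(roles_at_best) == 1 else None

# Constructed sample groups (ARNs are placeholders, not real accounts).
ADMIN = Group("AdminGroup", 0, "arn:aws:iam::123456789012:role/AdminRole")
ENGINEERS = Group("Engineers", 5, "arn:aws:iam::123456789012:role/EngineersRole")
READERS = Group("Readers", 5, "arn:aws:iam::123456789012:role/ReadOnlyRole")
ANNOUNCEMENTS = Group("Announcements", 0, None)       # no role attached
LEGACY = Group("Legacy", None, "arn:aws:iam::123456789012:role/LegacyRole")
```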

Fine-Grained Role-Based Access Control in Cognito Federated Identities

Let’s now delve into the RBAC feature within Cognito Federated Identities. Before we discuss RBAC, let’s briefly review the capabilities of Cognito Federated Identities. Cognito Identity provides users with temporary, limited privilege credentials to access AWS resources without needing AWS account credentials. User permissions are governed by AWS IAM roles that you create.

Now, let’s explore RBAC in the management console. After selecting the Cognito service, I will choose Federated Identities. To demonstrate both Cognito user pools and Federated Identities in action, I will create a new identity pool that utilizes Cognito user pools for authentication. I will enter a name for my identity pool and check the box for enabling access to unauthenticated identities. Under Authentication Providers, I will select the Cognito tab to enter my TestAppPool user pool ID and the app client ID. Remember, you must have created an app (app client) within your Cognito user pool to obtain the app client ID, which allows the app utilizing the Cognito identity pool to access the associated user pool.

Having created our identity pool, let’s assign role-based access for the Cognito user pool authentication method. The easiest way to assign roles is by defining rules within the Cognito identity pool. Each rule specifies a user attribute, or claim, which corresponds to a specific IAM role.

To illustrate the benefits of RBAC, I will need a role that grants users in the Engineering department access to put objects in S3 and access DynamoDB. First, I will create a policy named TestAppEngineerPolicy that includes PutObject access to S3 and GetItem, Query, Scan, and BatchGetItem access to DynamoDB. Then, I will create an IAM role named EngineersRole that utilizes this policy.

With a role that has fine-grained access to AWS resources in place, I will return to our Cognito identity pool, click “Edit identity pool”, and navigate to the Authentication Providers section. Since the authentication provider for our identity pool is a Cognito user pool, I will select the Cognito tab. Now, I will focus on defining a rule in the Authenticated role selection section to establish fine-grained RBAC.

I will set up a rule based on a claim (an attribute), the value to match, and the specific IAM role, EngineersRole. For this example, the rule will assign the EngineersRole to any user authenticated in our Cognito user pool whose department attribute is set to ‘Engineering’. This demonstrates how organizations can manage permissions based on user attributes instead of handing every authenticated user the same single role.
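To make the rule-based mapping concrete, here is an added example (not code from the original post or from AWS) that evaluates rules of the form claim / match type / value / role in order, first match wins, and applies the no-match policy: either fall back to the identity pool's default authenticated role or deny credentials. The claim name `custom:department` (how a custom user pool attribute appears in tokens), the ARNs and the helper names are assumptions constructed for this example.

```python
from typing import Dict, Optional

def claim_matches(match_type: str, claim_value: str, expected: str) -> bool:
    """Match types a rule can use: Equals, Contains, StartsWith, NotEqual."""
    if match_type == "Equals":
        return claim_value == expected
    if match_type == "Contains":
        return expected in claim_value
    if match_type == "StartsWith":
        return claim_value.startswith(expected)
    if match_type == "NotEqual":
        return claim_value != expected
    raise ValueError(f"unknown MatchType: {match_type}")

def select_role(claims: Dict[str, str], mapping: dict,
                default_authenticated_role: str) -> Optional[str]:
    """Return the IAM role ARN for a user's claims, or None when access is denied.

    Rules run in order and the first match wins. If no rule matches, the
    AmbiguousRoleResolution setting decides: "AuthenticatedRole" falls back to
    the pool's default authenticated role, "Deny" issues no credentials.
    A missing claim is treated as no match in this example.
    """
    for rule in mapping["RulesConfiguration"]["Rules"]:
        claim_value = claims.get(rule["Claim"])
        if claim_value is None:
            continue
        if claim_matches(rule["MatchType"], str(claim_value), rule["Value"]):
            return rule["RoleARN"]
    if mapping["AmbiguousRoleResolution"] == "AuthenticatedRole":
        return default_authenticated_role
    return None

# Constructed placeholders (not real accounts).
ENGINEERS_ROLE = "arn:aws:iam::123456789012:role/EngineersRole"
DEFAULT_ROLE = "arn:aws:iam::123456789012:role/Cognito_TestAppAuth_Role"

# Constructed rule mapping: department == Engineering -> EngineersRole, else deny.
MAPPING = {
    "Type": "Rules",
    "AmbiguousRoleResolution": "Deny",
    "RulesConfiguration": {
        "Rules": [
            {"Claim": "custom:department", "MatchType": "Equals",
             "Value": "Engineering", "RoleARN": ENGINEERS_ROLE},
        ]
    },
}
```

Choosing "Deny" for the no-match case is the safer default: a user whose attributes fit no rule gets no AWS credentials instead of silently receiving the shared authenticated role.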


By leveraging these new features, developers can enhance their applications while simultaneously improving user experience and security.
