Mastering Authentication & Authorization in AWS: Developer's Study Guide

This guide covers the essential security patterns for the AWS Certified Developer Associate exam (DVA-C02), focusing on how to securely verify identities (Authentication) and manage permissions (Authorization) for applications and AWS services.

Learning Objectives

After studying this guide, you should be able to:

Differentiate between Authentication (AuthN) and Authorization (AuthZ).
Implement Amazon Cognito User Pools for user management and Identity Pools for AWS resource access.
Configure Web Identity Federation and SAML 2.0 for external identity providers.
Apply the Principle of Least Privilege (POLP) using IAM policies and roles.
Secure application API calls using Bearer Tokens and temporary credentials via AWS STS.

Key Terms & Glossary

IAM Principal: An entity (User, Role, or Application) that can make a request for an action or operation on an AWS resource.
Bearer Token: A security token (like a JWT) that grants access to the "bearer" without requiring further proof of identity.
OIDC (OpenID Connect): An identity layer on top of OAuth 2.0 used for web identity federation (e.g., Login with Google).
SAML 2.0: An XML-based standard for exchanging authentication and authorization data, typically used for enterprise Single Sign-On (SSO).
IdP (Identity Provider): A service that manages identity information (e.g., Amazon Cognito, Active Directory).

The "Big Idea"

Modern application security moves the burden of identity management out of the application code and into managed services. By using Amazon Cognito and IAM, developers avoid the high risk of storing passwords locally. Instead, they rely on a "token-exchange" pattern: users prove who they are to an Identity Provider, receive a temporary token, and exchange that token for specific, time-limited permissions to AWS resources.

Formula / Concept Box

Feature	Authentication (AuthN)	Authorization (AuthZ)
Question Asked	"Who are you?"	"What are you allowed to do?"
AWS Service	Amazon Cognito User Pools, IAM Users	IAM Policies, Cognito Identity Pools
Output	Identity Token (ID Token)	Access Token / Temporary Credentials

[!IMPORTANT] The Gold Standard (POLP): Always grant only the minimum permissions required to perform a task. If a Lambda only needs to read from S3, do not give it s3:* or AdministratorAccess.

Hierarchical Outline

AWS Identity and Access Management (IAM)
- Users & Groups: Physical persons or logical collections.
- Roles: Used by services (Lambda/EC2) or federated users to assume temporary permissions.
- Policies: JSON documents defining Effect, Action, Resource, and Condition.
Amazon Cognito
- User Pools: A user directory for sign-up and sign-in (handles JWTs).
- Identity Pools: Provides temporary AWS credentials to users (even unauthenticated ones).
Identity Federation
- Web Identity Federation: Using OIDC (Amazon, Google, Facebook).
- Enterprise Federation: Using SAML 2.0 (Active Directory).
AWS Security Token Service (STS)
- AssumeRole: Returns temporary security credentials.
- GetSessionToken: For MFA or temporary sessions.

Visual Anchors

Authentication vs. Authorization Flow

Loading Diagram...

The Cognito Architecture

Compiling TikZ diagram…

⏳

Running TeX engine…

This may take a few seconds

Definition-Example Pairs

Principal: The user or service requesting an action.
- Example: A Lambda function trying to write a log to CloudWatch.
Web Identity Federation: Allowing users to use social identities to access AWS.
- Example: A mobile game allowing users to sign in with their Facebook account to save progress to DynamoDB.
Cross-Account Access: Allowing a principal in Account A to access resources in Account B.
- Example: A centralized logging account that collects S3 logs from multiple production accounts via Role Assumption.

Worked Examples

Scenario: Securing a Serverless API

You are building a Todo List application using API Gateway and Lambda. You need to ensure only logged-in users can see their own tasks.

Step-by-Step Implementation:

Create a Cognito User Pool: Configure sign-up attributes (email, password).
Configure API Gateway Authorizer: Connect the API Gateway to the Cognito User Pool. The client must include the ID Token in the Authorization header.
Extract Identity in Lambda: Use the $context.authorizer.claims.sub variable in your Lambda function to identify the specific user ID and query only their records in DynamoDB.
Apply POLP: The Lambda execution role should have a policy allowing dynamodb:Query only on the specific Todo table.

Comparison Tables

Feature	Cognito User Pool (CUP)	Cognito Identity Pool (IDP)
Primary Purpose	Authentication (Store Users)	Authorization (Access AWS)
Result of Success	JSON Web Tokens (JWT)	Temporary AWS Credentials
Social Login	Handled natively	Handled via Token exchange
Use Case	Create a "Sign-In" page	Grant access to an S3 Bucket

Checkpoint Questions

What is the main difference between an IAM User and an IAM Role?
Which Cognito component would you use if you want to allow a user to upload a file directly to an S3 bucket?
Why is it considered a security risk to embed IAM Access Keys directly in a mobile application? What should you use instead?
What service is responsible for providing temporary credentials when a user assumes a role?

▶Click to see Answers

IAM User has long-term credentials; IAM Role is assumed for temporary credentials and doesn't have a password.
Cognito Identity Pool (to get AWS credentials for S3).
Hardcoded keys can be extracted by de-compiling the app. Use Amazon Cognito and web identity federation instead.
AWS STS (Security Token Service).