Mastering Identity Federation: Amazon Cognito and IAM
Use an identity provider to implement federated access (for example, Amazon Cognito, IAM)
This study guide covers the implementation of federated access, a core component of the AWS Certified Developer - Associate (DVA-C02) exam. Federated access allows users to access AWS resources or applications using identities from external providers, reducing the risk of managing local credentials.
Learning Objectives
After studying this guide, you should be able to:
- Explain the concept of Identity Federation and its security benefits.
- Distinguish between Amazon Cognito User Pools and Identity Pools.
- Describe the workflow for Web Identity Federation.
- Identify the role of IAM and STS in granting temporary access.
- Understand the protocols used for federation (OIDC and SAML 2.0).
Key Terms & Glossary
- IdP (Identity Provider): A trusted third-party service (e.g., Google, Amazon, Facebook) that authenticates users.
- OIDC (OpenID Connect): An identity layer on top of the OAuth 2.0 protocol, commonly used for web and mobile federation.
- SAML 2.0 (Security Assertion Markup Language): An open standard for exchanging authentication and authorization data between parties, typically used for enterprise federation (e.g., Microsoft Active Directory).
- Token: A digitally signed piece of data that proves a user's identity or authorization.
- STS (Security Token Service): An AWS service that grants temporary, limited-privilege credentials to users.
The "Big Idea"
[!IMPORTANT] The Delegation of Trust: Rather than building a custom database to store and secure user passwords (risky and high-maintenance), federation lets you delegate the "Who are you?" check to experts like Google or Amazon. This follows the Principle of Least Privilege (POLP) by issuing short-lived, role-based credentials rather than permanent keys.
Formula / Concept Box
| Feature | Amazon Cognito User Pools | Amazon Cognito Identity Pools (Federated Identities) |
|---|---|---|
| Primary Purpose | User Directory (Sign-up/Sign-in) | Authorizing access to AWS Resources |
| Output | JSON Web Tokens (JWT) | Temporary AWS Credentials (STS) |
| Typical Use Case | Managing a "Todo List" app's user profiles | Granting an app access to an S3 bucket or DynamoDB |
| Provider Support | Social IdPs, SAML, OIDC | User Pools, Social IdPs, SAML, OIDC |
Hierarchical Outline
- Identity Federation Fundamentals
- External Authentication: Users sign in via trusted providers.
- Temporary Credentials: Use of AWS STS to avoid hardcoded secrets.
- Amazon Cognito Architecture
- User Pools: The "Who are you?" component (Authentication).
- Identity Pools: The "What can you do?" component (Authorization).
- The Federation Workflow
- Step 1: User authenticates with IdP and receives a token.
- Step 2: Token is exchanged for AWS credentials via Cognito/IAM.
- Step 3: AWS credentials used to call services like S3 or Lambda.
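The three workflow steps above in code, as an added example that is not part of the original guide or of any AWS SDK sample: a Facebook token is exchanged through a Cognito Identity Pool for temporary STS credentials, which then sign a DynamoDB call. The identity pool id, table name and token are placeholders; the Logins provider names are the real ones Cognito expects.

```python
"""Web identity federation: IdP token -> Cognito Identity Pool -> temporary
AWS credentials -> DynamoDB. Pool id, table name and token are placeholders."""

# Keys Cognito expects in the Logins map (real provider names, not assumptions).
PROVIDER_FACEBOOK = "graph.facebook.com"
PROVIDER_GOOGLE = "accounts.google.com"

def user_pool_provider(region, user_pool_id):
    """Logins key when a Cognito User Pool is the IdP in front of the Identity Pool."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def exchange_token(cognito_identity, identity_pool_id, provider, id_token):
    """Steps 1-2: IdP token -> Cognito identity id -> STS credentials.

    `cognito_identity` is a boto3 'cognito-identity' client, or any object with
    the same get_id / get_credentials_for_identity methods (used by the test)."""
    logins = {provider: id_token}
    identity_id = cognito_identity.get_id(
        IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = cognito_identity.get_credentials_for_identity(
        IdentityId=identity_id, Logins=logins)["Credentials"]
    # Cognito calls the secret "SecretKey"; boto3 clients want aws_secret_access_key.
    return {
        "identity_id": identity_id,
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],  # short-lived: refresh, never persist
    }

def save_todo(dynamodb, table, identity_id, todo_id, text):
    """Step 3: write the item with the temporary credentials. The partition key is
    the Cognito identity id so the IAM role can scope each user to their own rows."""
    return dynamodb.put_item(TableName=table, Item={
        "userId": {"S": identity_id},
        "todoId": {"S": todo_id},
        "text": {"S": text},
    })

if __name__ == "__main__":
    import boto3  # only needed for a live run against AWS
    sess = exchange_token(boto3.client("cognito-identity", region_name="us-east-1"),
                          "us-east-1:00000000-0000-0000-0000-000000000000",  # placeholder
                          PROVIDER_FACEBOOK, "<facebook access token>")      # placeholder
    ddb = boto3.client("dynamodb", region_name="us-east-1",
                       aws_access_key_id=sess["aws_access_key_id"],
                       aws_secret_access_key=sess["aws_secret_access_key"],
                       aws_session_token=sess["aws_session_token"])
    save_todo(ddb, "Todo", sess["identity_id"], "1", "buy milk")
```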
Visual Anchors
Web Identity Federation Flow
Relationship Architecture
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, minimum width=3cm, minimum height=1cm, align=center}]
  \node (User) {End User App};
  \node (Auth) [right of=User, xshift=3cm] {User Pool\\(Authentication)};
  \node (Cred) [below of=Auth] {Identity Pool\\(Authorization)};
  \node (IAM) [right of=Cred, xshift=3cm] {IAM Role\\(Permissions)};
  \draw[->, thick] (User) -- node[above] {1. Login} (Auth);
  \draw[->, thick] (Auth) -- node[left] {2. JWT} (Cred);
  \draw[->, thick] (Cred) -- node[above] {3. Assume} (IAM);
  \draw[->, dashed] (IAM) -- node[below] {4. Temp Keys} (User);
\end{tikzpicture}
Definition-Example Pairs
- Federated Access: Using a single identity to access multiple systems.
- Example: Using your "Login with Google" button to access a new fitness tracking app without creating a new password.
- Web Identity Federation: Specifically for web/mobile apps using OIDC/OAuth2 providers.
- Example: A mobile app allowing users to upload photos to S3 by logging in with their Amazon retail account.
- Cross-Account Access: Using federation to bridge access between different AWS accounts.
- Example: An enterprise using one central AWS account for identity (via IAM Identity Center) to manage access to 50 different project accounts.
Worked Examples
Scenario: Securing the "Todo List" App
Problem: You are building a Todo List app. You want users to sign in with Facebook and allow them to save their lists directly to an Amazon DynamoDB table.
Step-by-Step Solution:
- Register with Facebook: Create a Facebook Developer account and obtain an App ID.
- Configure Cognito User Pool: Set up a User Pool in AWS to manage the "TodoPlus" directory and link the Facebook App ID as an external provider.
- Configure Cognito Identity Pool: Create an Identity Pool and link it to the User Pool.
- Define IAM Role: Create an IAM role with a policy allowing dynamodb:PutItem on the Todo table. Set the trust policy of this role to allow the Identity Pool to assume it.
- App Logic: The app receives a token from Facebook, sends it to Cognito, receives temporary AWS credentials, and uses those credentials to call the DynamoDB API.
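The "Define IAM Role" step as policy documents, an added example that is not from the original guide: the trust policy pins the role to one Identity Pool and to authenticated identities, and the permissions policy goes one step further than the text by using dynamodb:LeadingKeys so each user can only write rows whose partition key is their own Cognito identity id. The pool id and table ARN are placeholders; trust_policy_findings is a hypothetical review helper that flags a trust policy looser than this one.

```python
def identity_pool_trust_policy(identity_pool_id):
    """Trust policy: only this Identity Pool (aud) and only authenticated users
    (amr) may call sts:AssumeRoleWithWebIdentity on the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }

def todo_put_policy(table_arn):
    """Permissions policy: PutItem on one table, restricted to items whose
    partition key equals the caller's Cognito identity id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem"],
            "Resource": table_arn,
            "Condition": {"ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}},
        }],
    }

def trust_policy_findings(doc):
    """Hypothetical review check: list the ways a Cognito trust policy is looser
    than the one built above (missing aud pin, guests allowed)."""
    findings = []
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or principal.get("Federated") != "cognito-identity.amazonaws.com":
            continue
        cond = stmt.get("Condition", {})
        if "cognito-identity.amazonaws.com:aud" not in cond.get("StringEquals", {}):
            findings.append("no aud condition: any Identity Pool could assume this role")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr != "authenticated":
            findings.append("no amr=authenticated condition: unauthenticated guests allowed")
    return findings
```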
Checkpoint Questions
- Which Cognito component is responsible for providing a sign-up and sign-in web UI?
- Answer: Amazon Cognito User Pools.
- True or False: Storing AWS Access Keys inside a mobile app's code is a recommended best practice for federation.
- Answer: False. You should use temporary credentials provided by Cognito/STS via federation.
- What protocol is typically used when federating a corporate Microsoft Active Directory into AWS?
- Answer: SAML 2.0 (Security Assertion Markup Language).
- How does a developer implement the Principle of Least Privilege when using federation?
- Answer: By mapping the federated user to an IAM Role that has a scoped-down policy granting only the specific permissions needed for the task.