Consider thousands of users each authenticated by Amazon Cognito.
Each of these users is to have it's own SQS queue. Is it possible to define an IAM role which restricts a user access to only it's own queue?
I'm thinking of somehow using Cognito credentials in combination with IAM variables to define a queuename based on a cognito user-id. Not sure where to start looking though.
To the best of my knowledge, you can't use Cognito to restrict access to a queue named after that identity. The IAM variable for the Cognito identity id is ${cognito-identity.amazonaws.com:sub}, and that will be of the format region:uuid. I believe that colon causes problems in the SQS arn format.
Related
Is there way to request a temporary token in STS to allow access to only a particular SQS Queue? I'm trying to find a way to restrict access to only ReceiveMessage and DeleteMessage to only a specific queue.
Im trying to link AWS Alexa with a backend application(SugarCRM 9.0) which handles OAuth2.0 but different grant-type (password and refresh) and AWS Alexa Requirements are authorization code grant type or implicit grant type.Is there a way to get around this?
I'm not sure if setting up a AWS manage active directory to integrate sugar's user with Alexa, because that will generate infrastructure to a solution that can probably be simplified.I used AWS SSO as an approach to link these service since AWS SSO enables you to makes it easy to centrally manage access to multiple business applications (but not between them)...
Probably not the answer you want.
You'll likely need to create a middleware service that has people do the Login with Amazon login, and a Sugar CRM login, so you can reference the unique customer ID Login with Amazon creates for them (which will be the same in your skill and middleware if you use the same app ID / security profile) with the access tokens you retrieve for them from SugarCRM.
I have a Ruby on rails application, i have integrated AWS Cognito to achieve SSO. It's all working.Earlier to that I was using devise for authentication and to achieve password_expirable and password_archivable.I searched through Amazon docs for ruby but could not find any way to achieve it.
I am looking for some example or guidance to achieve the same using AWS Cognito.
Thanks for the help
Currently there is no in built support for password expiry in Cognito. Something which can be considered for future releases.
For security reasons Cognito only stores SRP password verifier, so there is no way to check the history of saved passwords and match is against the new one. So this is unlikely to be implemented in future.
By nature of SSO, the users will likely be authenticating with their Facebook, Google+, Microsoft accounts. You don't want to force them to reset their password on these accounts do you?
Would Multi-Factor-Authentication (MFA) better suit your security requirements?
If so, you you can set up a User Pool with Amazon Cognito. With a User Pool, you can get programmatic access to the User Pool and enforce MFA. Then, via Amazon SNS or email, the users can be authenticated via phone or email.
To force users to reset their passwords, Cognito's pre-authentication trigger event can be used. Have a field in user pool, which checks password's age. If it exceeds the determined age, then have a Lamdba trigger generate an event to force the user to change the password by using AdminResetUserPassword API. Make sure to update password's age, whenever user updates his/her password, as part of other password change flows (Forgot Password flow) as well.
I'm using Parse as my backend but I'm also using the AWS s3 service so I need to also use Amazon Cognito. So far Amazon Cognito integrates with 3rd party identity providers such as Facebook, Google, and Twitter but not Parse. So I'm guessing I would use the Basic flow which
"Uses Cognito + STS and requires identity pool plus IAM roles"
https://docs.aws.amazon.com/AWSiOSSDK/latest/Classes/AWSCognitoCredentialsProvider.html#//api/name/getIdentityId
since I'm using Parse as my backend I won't be able to use the Developer authenticated identities method. But I'm not entirely sure.
But my only issue is how I could get session tokens for temporary AWS Service access for users? Most of the tutorials/blogs I find online explain how to access the tokens on the server side but not on ios unless I'm missing a crucial concept here
If you're authenticating users with Parse, you should be able to use Developer Authenticated Identities, having the user send login credentials to your backend which would then validate those with Parse.
The mobile SDKs can get credentials to access AWS resources. These are vended for users based on their state, which is where the roles you mentioned come in. If you log in (with Parse, for example), your credentials would allow you to access what the auth role dictates, but if you don't, they'd be scoped to what the unauth role dictates. The developer guide has more information on getting credentials.
As far as your backend, have you looked into Cognito Sync? If you have and opted to go with Parse instead, was there a particular feature it was lacking that caused you to not use it?
I am having a bit of a hard time understand how can an IAM role be used to limit access to a Amazon EC2 instances.
I am currently looking into Cognito, and I was wondering if it could help me. I want to restrict the access of my EC2 instances (with that I mean contacting the Django Server on there) to only a specific group of people, with dynamic ips. So IP restriction is not an option.
If a user gets authenticated with Cognito and gets temporary credentials, and therefore assumes a specific IAM Role, I want him to be able to talk to that EC2-Django server from within my iOS app. If a request to the server doesn't have the IAM, I want Amazon to automatically block it. Is that possible or I have to do that server side?