AWS Community Day Kochi 2019 - Technical Session Enterprise grade security for web and mobile applications on AWS by Robin Varghese , Chief Architect - TCS

1. Enterprise Grade Security for
Web & Mobile Apps on AWS
Using AWS Cognito
Event : AWS Community Day Kochi 2019
Date : 12 October, 2019
Speaker : Robin Varghese (Chief Architect, TCS)

2. Table Of Contents
1. What is AWS Cognito
2. Features Of AWS Cognito
3. Authentication Flow using Cognito User Pool
4. Federated Login Using Cognito User Pool
5. Fine Grained Access Management Using Cognito (1/4)
6. Fine Grained Access Management Using Cognito (2/4)
7. Fine Grained Access Management Using Cognito (3/4)
8. Fine Grained Access Management Using Cognito (4/4)
9. MFA Using Cognito user Pool
10. Adaptive Authentication Using Cognito user Pool (1/3)
11. Adaptive Authentication Using Cognito user Pool (2/3)
12. Adaptive Authentication Using Cognito user Pool (3/3)
13. Logging Amazon Cognito API Calls & Device Details Of
Cognito User
14. SRP Authentication & Custom Authentication Flow
15. Cognito is Compliance Ready - Encryption at Rest & In-
Transit
16. Standards-based Authentication
17. Easy Integration With Apps
18. Appendix
19. Logging Amazon Cognito API Calls with AWS CloudTrail
20. SRP Authentication

3. What is AWS Cognito
Amazon Cognito provides
• Authentication
• Authorization
• User management
for custom web and mobile apps.
Custom application users can sign in directly with a user name
and password, or through a third party such as
Facebook/Google/Amazon or through SAML and OIDC identity
providers.

4. Features Of AWS Cognito
Cognito User Pool
• User Directory to store user details
• Sign-up and sign-in services.
• A built-in, customizable web UI to sign in
users.
• Social sign-in with Facebook, Google, and
Login with Amazon, and through SAML and
OIDC identity providers from your user pool.
• User directory management and user
profiles.
• Security features such as multi-factor
authentication (MFA), checks for
compromised credentials, account takeover
protection, and phone and email verification.
• Customized workflows and user migration
through AWS Lambda triggers.
Cognito Identity Pool
• Obtain temporary AWS credentials to access
AWS services, such as Amazon S3 and
DynamoDB.
• Identity pools support anonymous guest
users
• Amazon Cognito identity pools support public
identity providers—Amazon, Facebook, and
Google
• Amazon Cognito user pools
• OpenID Connect (OIDC) providers
• SAML identity providers
• Developer authenticated identities

5. Here the goal is to authenticate users coming
for custom mobile/web app and then grant user
access to another AWS service. Before
authentication, users are registered and data is
saved in AWS Cognito user pool
• In the first step your app user signs in
through a user pool and receives user pool
tokens after a successful authentication.
• Next, your app exchanges the user pool
tokens for AWS credentials through an
identity pool.
• Finally, your app user can then use those
AWS credentials to access other AWS
services such as Amazon S3 or DynamoDB.
Authentication Flow using Cognito User Pool

6. Federated Login Using Cognito User Pool
• They are produced for the current
user, so nothing is embedded in
your app’s binary files or
configuration for a malicious user to
capture and reuse.
• They expire after a short period of
time so that, in the unlikely event a
malicious user was able to nab the
credentials, they won’t be usable
for long.
• They are also limited in privilege.
When you set up your identity pool
in Amazon Cognito, you can give
unauthenticated guests permissions
that are different from those given
to authenticated users.

7. Fine Grained Access Management Using Cognito (1/4)

8. Fine Grained Access Management Using Cognito (2/4)

9. Fine Grained Access Management Using Cognito (3/4)

10. Fine Grained Access Management Using Cognito (4/4)

11. MFA Using Cognito user Pool
Multi-factor authentication (MFA) increases security for your app by adding another authentication method,
and not relying solely on user name and password. You can choose to use SMS text messages, or time-based
one-time (TOTP) passwords as second factors in signing in your users.

12. Adaptive Authentication Using Cognito user Pool (1/3)
With adaptive authentication, we can configure user pool to
require second factor authentication in response to an
increased risk level. • Amazon Cognito
generates a risk score for
how likely the sign-in
request is to be from a
compromised source.
• This risk score is based on
many factors, including
whether it detects a new
device, user location, or IP
address.
• Amazon Cognito
publishes sign-in
attempts, their risk levels,
and failed challenges to
Amazon CloudWatch.

13. Adaptive Authentication Using Cognito user Pool (2/3)

14. Adaptive Authentication Using Cognito user Pool (3/3)

15. Logging Amazon Cognito API Calls & Device
Details Of Cognito User
• Cognito User Device used for
login is captured in Cognito
itself
• CloudTrail captures a subset
of API calls for Amazon
Cognito as events, including
calls from the Amazon
Cognito console and from
code calls to the Amazon
Cognito APIs.

16. SRP Authentication & Custom Auth Flow
• During Secure Remote Password protocol (SRP) authentication, one party
("client") demonstrates to another party ("server") that they know the
password, without sending the password itself nor any other information from
which the password can be derived. The password never leaves the client and is
unknown to the server.
• Furthermore, being an augmented PAKE protocol, the server does not store
password-equivalent data.
• You can customize your authentication flow with AWS Lambda triggers. These
triggers issue and verify their own challenges as part of the authentication flow.
• Currently, Amazon Cognito doesn't check for compromised credentials for sign-
in operations with Secure Remote Password (SRP) flow, which doesn't send the
password during sign-in.

17. Cognito is Compliance Ready - Encryption
at Rest & In-Transit
• Cognito uses AES 256 for encryption at rest, encrypts all personally identifiable
information (PII) at rest, which includes usernames, user profiles (user pool data),
and datasets (sync data). The encryption of data at rest is implemented using AES
256 and AWS uses SHA 256 for hashes.
• AWS Cognito endpoints only supports HTTPS protocol, and the traffic is encrypted
in-transit using Transport Layer Security (TLS, formerly called Secure Sockets Layer
[SSL]) with an industry-standard AES-256 cipher. Depends on the client which
connects to Cognito Endpoint, the correct version of TLS is used. By default, TLS1.2
is used.
• Amazon Cognito is HIPAA eligible and PCI DSS, SOC, ISO/IEC 27001, ISO/IEC
27017, ISO/IEC 27018, and ISO 9001 compliant.

18. Standards-based Authentication
• Amazon Cognito User Pools is a standards-based Identity
Provider and supports identity and access management
standards, such as Oauth 2.0, SAML 2.0, and OpenID
Connect.
• The flexibility of open standards allows for the identity
industry to be on the same page, reduce overhead, and
create a uniform way of expressing the fundamental keys
of identity. When everyone implements a standard way
of doing things, then the flow over different languages,
projects, and teams can go as planned with
authentication and authorization.

19. Easy Integration With Apps
• Leverage built-in UI for Cognito, download and customize the UI to
put company branding front and center for all user interactions.
• Easy configuration for federating identity providers, you can
integrate Amazon Cognito to add user sign-in, sign-up, and access
control to your app in minutes.
• AWS Amplify Authentication module provides full blown
Authentication APIs and building blocks for developers who want to
create user authentication around AWS Cognito (recommended)
• AWS Amplify supports JavaScript (React, React Native, Angular, Ionic
and Vue), iOS and Android libraries

20. Appendix

21. Logging Amazon Cognito API Calls with AWS
CloudTrail
• Amazon Cognito is integrated with AWS CloudTrail, a service that
provides a record of actions taken by a user, role, or an AWS service
• CloudTrail captures a subset of API calls for Amazon Cognito as events,
including calls from the Amazon Cognito console and from code calls to
the Amazon Cognito APIs.
• If you create a trail, you can enable continuous delivery of CloudTrail
events to an Amazon S3 bucket, including events for Amazon Cognito
• Using the information collected by CloudTrail, you can determine the
request that was made to Amazon Cognito, the IP address from which
the request was made, who made the request, when it was made, and
additional details.

22. SRP Authentication
• During Secure Remote Password protocol (SRP) authentication, one party
("client") demonstrates to another party ("server") that they know the
password, without sending the password itself nor any other information
from which the password can be derived. The password never leaves the
client and is unknown to the server.
• SRP is an augmented password-authenticated key agreement (PAKE) protocol
• Man in the middle cannot obtain enough information to be able to brute force
guess a password without further interactions with the parties for each guess.
• This means that strong security can be obtained using weak passwords.
• Furthermore, being an augmented PAKE protocol, the server does not store
password-equivalent data.
• This means that an attacker who steals the server data cannot masquerade as
the client unless they first perform a brute force search for the password

23. References
• Amplify - https://aws-amplify.github.io/docs/js/start
• Amplify Authentication - https://aws-amplify.github.io/docs/js/start
• Cognito Developer Guide - https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
• Cognito Complete Documentation - https://docs.aws.amazon.com/cognito/?id=docs_gateway
• Common Amazon Cognito Scenarios - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-
scenarios.html