Cognito Flashcards
Are CUPs serverless?
Yes
What two services integrate with CUPS?
API gateway and ALB
In Cognito, which Cognito type can trigger Lambda functions?
CUPs can trigger Lambda functions during the authentication flow.
Can you integrate CUPs and CIPs? Why would you?
Yes you can. You can use CUPs as your identity provider for CIPs as you would with a social media, OIDC or SAML provider. If you have an application that you’ve built using CUPs and you want to give access to an AWS resource such as an S3 bucket, you would use CUPs for authentication, and then CIPs would verify this authentication and generate the correct IAM role out of STS to allow access.
What is the difference between CUPs and Cognito Identity Pools?
User pools are for AUTHENTICATION (identity verification). With a user pool, your app users can sign in through the user pool or federate through a third-party identity provider (IdP).
Identity pools are for AUTHORIZATION (access control). You can use identity pools to create unique identities for users and give them access to other AWS SERVICES by creating temporary AWS credentials.
What can you NOT customize in the Cognito hosted UI?
- Underlying JS
- CSS
- URL
- Logo?
You can’t customize the JS.
You would like to provide a Facebook login before your users call your API hosted by API Gateway. You need seamless authentication integration; which Cognito service will you use?
CUPS
Which Cognito type uses STS and what role does STS play - i.e. describe the sequence of events for the authentication/authorisation process
- CUPs
- CIPs
- Cognito Sync/AppSync
CIPS uses STS. The sequence of events is:
- A user authenticates via a provider (CUPS, Google, FB)
- The provider returns a token
- The token is submitted to CIPS, which verifies it against the provider
- CIPS calls STS which generates temporary credentials based on an IAM role or policy
- These credentials are then used to access the AWS resource.
Assume I have a CIPS implementation that allows for unauthenticated and authenticated users. Would STS use one or more policies or roles to support this?
You would have at least 2 policies or roles: one specifying the resources an authenticated user would be authorised for, and one specifying the resources an un-authenticated user would be authorised for.
You need to synchronize data offline between your mobile devices. Which Cognito service should you use?
Cognito Sync (AppSync)
Assume I am authenticating into my application using CUPS. My authentication has been successful, and a JWT token has been generated. How would I use this token to access an S3 bucket?
You can’t. To access an AWS resource, the token needs to be exchanged for temporary credentials via CIPS and STS. CIPs will take the token and validate it against CUPS and then pass it to STS which will generate temporary AWS credentials based on an IAM policy or role.
We have an IAM policy for authenticated users set up for CIPs. In the policy document we see a reference to an S3 bucket (the statement as written on the card was missing the comma after the Resource list, which is added here so it is valid JSON):
{
  "Action": ["s3:ListBucket"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::mybucket"],
  "Condition": {"StringLike": {"s3:prefix": ["${cognito-identity.amazonaws.com:sub}/*"]}}
}
What is this and what does this mean?
This represents the use of a POLICY VARIABLE used to partition a user’s access. In this case, the policy variable specifies that the user can only list the objects within ‘mybucket’ which are prefixed by their specific user id.
Why would we use Cognito over IAM?
IAM is for users that we trust within our AWS environment. Cognito is intended to provide user sign-in and sign-up functionality for users of our application.
CUPs can integrate with 3 classes of federated identity providers; what are they?
Social providers (Google, Facebook, Apple)
Open ID Connect (OIDC) providers
SAML providers
I need to be able to provide access to an S3 bucket to un-authenticated users - would I use CUPs or CIPs for this? What additional services would be used?
You would need to use CIPs, as this allows the generation of IAM roles via STS that grant un-authenticated users access to AWS resources.