AWS for user management

AWS seems to have a pile of services now, so I have been looking more closely at it.

I am looking for a centralized service where I can host user data and have them authenticate and secure different web applications and iPhone apps, both using custom logins and social logins such as Twitter/Google/Facebook.

An example flow would be that I have multiple websites coded in PHP and want users to login to these sites. But only users who have access. This user data, logins, access rights etc. needs to be hosted somewhere centralized and as much headache free as possible.

Instead of building my own platform for this that will support all the authentication and user management it would be nice to have this taken care of.

Does AWS have a service for this?

The IAM service seems to only deal with AWS access.

Notice I am not only talking about mobile apps but also websites.

I see there is a new service called Cognito, is this what I am looking for specifically in this use case?

John asked Mar 27 '15 05:03




2 Answers

Two particular services would be of interest to you:

  • AWS Security Token Service Web Identity Federation can be used to authenticate users against Facebook, Google or Amazon. This authentication can then be used to grant access to AWS services (e.g. storing data in Amazon S3 or Amazon DynamoDB).
  • Amazon Cognito goes further by creating unique identities for users, storing profile information and synchronizing information across multiple mobile devices.

Cognito can also be used from a website.

From Use Amazon Cognito in your website for simple AWS authentication:

By using Amazon Cognito in your web applications as well as mobile apps, you can utilize a consistent, cross-platform identifier for your end users authenticated through Facebook, Google, or Amazon; together with the Cognito Sync service, this allows you to keep user-related data consistent across all your applications and platforms. Further, Cognito helps you to retrieve temporary, limited-privilege credentials for both your authenticated and unauthenticated users without managing any backend infrastructure.

John Rotenstein answered Nov 02 '22 02:11


Cognito does support social logins (Facebook, Google, and Amazon) and custom logins (developer authenticated identities). Given the login of a user, it can get credentials to access different AWS resources (an S3 bucket, a DynamoDB table, etc.). You can set up appropriate role permissions for these users using IAM. A series of blog posts was written to go into more detail about Cognito authentication: part 1 (basic auth flow), part 2 (developer authenticated identities), and part 3 (roles and policies). For more details on developer authenticated identities, this blog post goes into more detail and has an end-to-end sample app linked.

Additionally, if you're talking about using multiple applications, Cognito has a sync service. If someone were to use the same social login in multiple applications (all of which you have set up with the same identity pool), they'd be able to synchronize data across these applications. A blog post with more detail and some examples is available here.

Jeff Bailey answered Nov 02 '22 01:11
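As an added example (not code from either answerer or from AWS), here is the developer-authenticated-identities flow both answers describe, written in Python against the cognito-identity API: the website's backend verifies its own login, maps the site user to a Cognito identity with a short-lived OpenID token, and the client redeems that token for temporary credentials governed by the identity pool's authenticated IAM role. It also includes a check of that role's trust policy, since a trust policy that omits the `aud` or `amr` condition lets other identity pools, or the pool's unauthenticated guests, assume the role. The identity pool ID, the developer provider name, and the `FakeCognitoIdentity` client are assumptions so the code runs offline; against real AWS the same two functions take a `boto3.client("cognito-identity")` instead.

```python
# Added example: Cognito developer-authenticated identity flow plus a trust-policy
# check. Pool ID and provider name are placeholders; the client is injected so a
# constructed fake can stand in for boto3.client("cognito-identity") offline.
import json

IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder
DEVELOPER_PROVIDER = "login.example.com"  # placeholder name configured on the pool


def backend_issue_token(cognito, site_user_id):
    """Server side, after the site has verified its own user: map the site's
    user id to a Cognito identity and obtain a short-lived OpenID token.
    Only the backend holds the IAM permission for this call."""
    resp = cognito.get_open_id_token_for_developer_identity(
        IdentityPoolId=IDENTITY_POOL_ID,
        Logins={DEVELOPER_PROVIDER: site_user_id},
        TokenDuration=900,
    )
    return resp["IdentityId"], resp["Token"]


def client_get_credentials(cognito, identity_id, token):
    """Client side: exchange the token for temporary AWS credentials limited by
    the identity pool's authenticated role."""
    resp = cognito.get_credentials_for_identity(
        IdentityId=identity_id,
        Logins={"cognito-identity.amazonaws.com": token},
    )
    return resp["Credentials"]


def login_flow(cognito, site_user_id):
    """Whole exchange: backend issues the token, client redeems it."""
    identity_id, token = backend_issue_token(cognito, site_user_id)
    return {"identity_id": identity_id,
            "credentials": client_get_credentials(cognito, identity_id, token)}


def trust_policy_issues(policy):
    """Check the authenticated role's trust policy. Without the aud condition any
    identity pool could assume the role; without the amr condition the pool's
    unauthenticated guests could assume it."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud != IDENTITY_POOL_ID:
            issues.append("aud condition missing or wrong: any identity pool could assume this role")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr != "authenticated":
            issues.append("amr condition missing: unauthenticated identities could assume this role")
    return issues


class FakeCognitoIdentity:
    """Constructed stand-in for the boto3 cognito-identity client (offline only)."""

    def __init__(self):
        self.identities = {}  # developer user id -> Cognito identity id
        self.tokens = {}      # issued token -> identity id it was issued for

    def get_open_id_token_for_developer_identity(self, IdentityPoolId, Logins, TokenDuration=900):
        user = Logins[DEVELOPER_PROVIDER]
        region = IdentityPoolId.split(":")[0]
        identity_id = self.identities.setdefault(user, f"{region}:identity-{len(self.identities) + 1}")
        token = f"token-{identity_id}"
        self.tokens[token] = identity_id
        return {"IdentityId": identity_id, "Token": token}

    def get_credentials_for_identity(self, IdentityId, Logins):
        token = Logins["cognito-identity.amazonaws.com"]
        if self.tokens.get(token) != IdentityId:  # forged or mismatched token
            raise PermissionError("NotAuthorizedException")
        return {"IdentityId": IdentityId, "Credentials": {
            "AccessKeyId": "ASIA-PLACEHOLDER", "SecretKey": "secret-placeholder",
            "SessionToken": f"session-{IdentityId}"}}


# Trust policy in the shape the Cognito console generates for the authenticated role.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}

if __name__ == "__main__":
    fake = FakeCognitoIdentity()
    print(json.dumps(login_flow(fake, "alice@example.com"), indent=2))
    print(trust_policy_issues(GOOD_TRUST_POLICY))  # [] for the policy above
```

The split between `backend_issue_token` and `client_get_credentials` is the point of the developer-authenticated pattern: the site keeps its own password check and only the backend can mint Cognito tokens, while the browser or app never holds long-lived AWS keys, only the temporary credentials the authenticated role permits. The same identity ID comes back for the same site user every time, which is what lets Cognito Sync share data across several applications on one identity pool.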