Using Federation for Access Control and Authentication – Determining Security Requirements and Controls – SAP-C02 Study Guide

Using Federation for Access Control and Authentication

What we are going to look at more specifically now is how to manage end user access for a new solution that you design for AWS, whether it is for public access or internal use only.

User federation was introduced in Chapter 1, Determining an Authentication and Access Control Strategy for Complex Organizations. There, user federation was discussed from the perspective of an organization that wants to manage access to its AWS environment using either its corporate IdP, such as Microsoft Active Directory (MS AD), or a third-party IdP. You learned how such an organization could achieve single sign-on (SSO) using either AWS Single Sign-On (AWS SSO) or IAM, depending on its specific use case.

For this scenario, assume that your solution has a web or mobile frontend of some sort and requires authentication. On AWS, the service of choice for this case is Amazon Cognito. Briefly, Amazon Cognito provides authentication, authorization, and user management for web and mobile applications. It provides end users with sign-in functionality either through a third-party IdP such as Facebook, Amazon, Google, or Apple, or directly with a username and password. Amazon Cognito has two main components: user pools and identity pools.

User pools are actual user directories. You typically leverage user pools when you need to provide sign-up and sign-in functionality to a mobile or web application, such as when you want to manage end user data or need a custom authentication flow for your application.

Identity pools allow you to federate identities with IdPs and provide end users with access to AWS services. You typically use identity pools to give end users direct access to AWS resources, such as Amazon S3 objects, or to generate temporary AWS credentials for unauthenticated users.

Both components can be used independently of each other or together. For instance, identity pools could be used to federate identities using a user pool as the IdP, giving end users who are registered and authenticated in that user pool access to AWS resources.
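The temporary credentials an identity pool hands out come from an IAM role that trusts the Cognito identity service, so the role's trust policy decides which pool, and whether guest (unauthenticated) identities, can obtain them. The following checker is an added example, not code from the study guide or from AWS: it inspects such a trust policy for the two scoping conditions AWS documents for identity pool roles, `cognito-identity.amazonaws.com:aud` (the pool ID) and `cognito-identity.amazonaws.com:amr` (authenticated or unauthenticated). The identity pool ID and the three sample policies are constructed placeholders; the function names are this example's own.

```python
"""Trust-policy check for an IAM role assumed through an Amazon Cognito identity pool.

Added example (not from the study guide or AWS). It relies on the AWS-documented
condition keys cognito-identity.amazonaws.com:aud and cognito-identity.amazonaws.com:amr.
The pool ID below is a constructed placeholder, not a real pool.
"""

COGNITO_PRINCIPAL = "cognito-identity.amazonaws.com"
AUD_KEY = "cognito-identity.amazonaws.com:aud"   # which identity pool may assume the role
AMR_KEY = "cognito-identity.amazonaws.com:amr"   # authenticated vs. unauthenticated identities
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"

# Constructed placeholder identity pool ID (format is region:uuid).
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_identity_pool_trust_policy(policy, expected_pool_id, allow_unauthenticated=False):
    """Return findings for every Allow statement that lets the Cognito identity
    service assume the role. An empty list means each such statement is scoped to
    the expected pool and (unless allow_unauthenticated) to authenticated identities."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {index}: Principal is '*'")
            continue
        if not isinstance(principal, dict):
            continue
        if COGNITO_PRINCIPAL not in _as_list(principal.get("Federated")):
            continue  # not a Cognito identity pool statement
        actions = set(_as_list(stmt.get("Action")))
        if not actions & {ASSUME_ACTION, "sts:*", "*"}:
            continue
        condition = stmt.get("Condition", {})
        # aud: without it, any identity pool in any account could assume this role.
        aud_values = _as_list(condition.get("StringEquals", {}).get(AUD_KEY))
        if not aud_values:
            findings.append(f"statement {index}: missing {AUD_KEY}; any identity pool could assume this role")
        elif expected_pool_id not in aud_values:
            findings.append(f"statement {index}: {AUD_KEY} does not name the expected pool {expected_pool_id}")
        # amr: without it, both authenticated and guest identities can assume the role.
        amr_values = _as_list(condition.get("ForAnyValue:StringLike", {}).get(AMR_KEY)) \
            + _as_list(condition.get("ForAnyValue:StringEquals", {}).get(AMR_KEY))
        if not amr_values:
            findings.append(f"statement {index}: missing {AMR_KEY}; unauthenticated identities could assume this role")
        elif "unauthenticated" in amr_values and not allow_unauthenticated:
            findings.append(f"statement {index}: role is assumable by unauthenticated (guest) identities")
    return findings


def _cognito_statement(condition):
    """Build a constructed sample statement with the given Condition block."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO_PRINCIPAL},
        "Action": ASSUME_ACTION,
    }
    if condition:
        stmt["Condition"] = condition
    return stmt


# Constructed sample policies.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [_cognito_statement({
    "StringEquals": {AUD_KEY: POOL_ID},
    "ForAnyValue:StringLike": {AMR_KEY: "authenticated"},
})]}
UNSCOPED_POLICY = {"Version": "2012-10-17", "Statement": [_cognito_statement(None)]}
GUEST_POLICY = {"Version": "2012-10-17", "Statement": [_cognito_statement({
    "StringEquals": {AUD_KEY: POOL_ID},
    "ForAnyValue:StringLike": {AMR_KEY: "unauthenticated"},
})]}


if __name__ == "__main__":
    for name, policy in [("scoped", SCOPED_POLICY), ("unscoped", UNSCOPED_POLICY), ("guest", GUEST_POLICY)]:
        result = check_identity_pool_trust_policy(policy, POOL_ID)
        print(f"{name}: {'OK' if not result else result}")
```

Run it against a trust policy pulled with `aws iam get-role` and it reports each statement that is missing the pool scoping or that admits guest identities; pass `allow_unauthenticated=True` only for the role you deliberately attach as the identity pool's unauthenticated role.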

Figure 5.1 presents an overview of these Amazon Cognito concepts:

Figure 5.1: Amazon Cognito concepts overview

Now that you are aware of the key concepts of managing identity and access in AWS, you can proceed to examine the many ways in which you can protect your infrastructure.