101. Web Identity Federation – Cognito

Question 1:
You are building a mobile application. The security requirement is that every user must authenticate to it with multi-factor authentication (MFA).
Choose the method that meets this requirement.
Options:
A. Set up IAM policies for customer accounts to enable MFA authentication
B. Implement MFA functionality by integrating API Gateway, Lambda functions and SNS
C. Implement mobile authentication using AWS Cognito
D. Implement MFA authentication function by CloudHSM
Answer: C
Explanation
Option C is the correct answer. Amazon Cognito provides the authentication function for a mobile application. Cognito user pools support multi-factor authentication (SMS one-time codes or TOTP software tokens), encrypt data at rest and in transit, and can federate sign-in through social identity providers such as Google, Facebook and Amazon, or enterprise identity providers such as Microsoft Active Directory via SAML.
Option A is incorrect. IAM manages identities and permissions for principals inside your AWS account (administrators, developers, workloads). It is not a user directory for an application's customers, so IAM policies cannot enforce MFA on the mobile app's end users.
Option B is incorrect. You could build a custom one-time-code flow out of API Gateway, Lambda and SNS, but you would then own the whole authentication system (credential storage, code generation, rate limiting, replay protection) instead of using the MFA that Cognito already provides. It is far more work and risk, not the method that meets the requirement.
Option D is incorrect. CloudHSM is a cloud-based hardware security module for generating and using cryptographic keys under your exclusive control. It does not authenticate users or verify MFA factors.

Question 2:
You have been hired as a Solutions Architect to advise a company on the various authentication/authorization mechanisms that AWS offers to authorize an API call within the API Gateway. The company would prefer a solution that offers built-in user management.
Which of the following solutions would you suggest as the best fit for the given use-case?
Options:
A• Use Amazon Cognito User Pools
B• Use Amazon Cognito Identity Pools
C• Use AWS_IAM authorization
D• Use API Gateway Lambda authorizer
Answer: A
Explanation
Correct option:
Use Amazon Cognito User Pools – A user pool is a user directory in Amazon Cognito. You can use a user pool either to provide built-in user management or to federate with external identity providers such as Facebook, Google, Login with Amazon, Sign in with Apple, and SAML or OIDC providers. Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through a Software Development Kit (SDK).
User pools provide:
1. Sign-up and sign-in services.
2. A built-in, customizable web UI to sign in users.
3. Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, as well as sign-in with SAML identity providers from your user pool.
4. User directory management and user profiles.
5. Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
6. Customized workflows and user migration through AWS Lambda triggers.
After creating an Amazon Cognito user pool, in API Gateway you must then create a COGNITO_USER_POOLS authorizer that uses the user pool. Clients send the user pool token in the header you configure as the token source (Authorization by default), and API Gateway verifies the token's signature and expiry against the pool before invoking the integration.
Incorrect options:
Use AWS_IAM authorization – For consumers who are already located within your AWS environment, or who can obtain AWS Identity and Access Management (IAM) temporary credentials, you can use AWS_IAM authorization and attach least-privilege permissions to the respective IAM role so it can securely invoke your API. API Gateway API keys are not a security mechanism and should not be used for authorization; they exist to meter and throttle a consumer's usage of your API through usage plans.
Use API Gateway Lambda authorizer – If you have an existing Identity Provider (IdP), you can use an API Gateway Lambda authorizer to invoke a Lambda function to authenticate/validate a given user against your IdP. You can use a Lambda authorizer for custom validation logic based on identity metadata.
A Lambda authorizer can send additional information derived from a bearer token or request context values to your backend service. For example, the authorizer can return a map containing user IDs, user names, and scope. By using Lambda authorizers, your backend does not need to map authorization tokens to user-centric data, allowing you to limit the exposure of such information to just the authorization function.
A Lambda authorizer also puts the full burden of token validation (signature, issuer, audience, expiry) on your own code, and AWS advises against passing credentials or other sensitive data in query string parameters; with a Cognito User Pools authorizer, API Gateway performs that validation for you.
In addition, neither AWS_IAM authorization nor a Lambda authorizer offers built-in user management, which is the stated requirement.
Use Amazon Cognito Identity Pools – The two main components of Amazon Cognito are user pools and identity pools. Identity pools provide AWS credentials to grant your users access to other AWS services. To enable users in your user pool to access AWS resources, you can configure an identity pool to exchange user pool tokens for AWS credentials. So, identity pools aren’t an authentication mechanism in themselves and hence aren’t a choice for this use case.

Question 3:
A social media application is hosted on an EC2 server fleet running behind an Application Load Balancer. The application traffic is fronted by a CloudFront distribution. The engineering team wants to decouple the user authentication process for the application, so that the application servers can just focus on the business logic.
As a Solutions Architect, which of the following solutions would you recommend to the development team so that it requires minimal development effort?
Options:
A• Use Cognito Authentication via Cognito Identity Pools for your CloudFront distribution
B• Use Cognito Authentication via Cognito User Pools for your CloudFront distribution
C• Use Cognito Authentication via Cognito Identity Pools for your Application Load Balancer
D• Use Cognito Authentication via Cognito User Pools for your Application Load Balancer
Answer: D
Explanation
Correct option:
Use Cognito Authentication via Cognito User Pools for your Application Load Balancer
Application Load Balancer can be used to securely authenticate users who access your applications. This lets you offload the work of authenticating users to your load balancer so that your applications can focus on their business logic. You can use Cognito User Pools to authenticate users through well-known social IdPs such as Amazon, Facebook, or Google, through the user pool's own directory, or through corporate identities federated into the user pool via SAML or OIDC (for example Microsoft AD through AD FS). You configure user authentication by creating an authenticate-cognito action for one or more listener rules; the load balancer handles the redirect to the Cognito hosted UI, the token exchange and the session cookie, and forwards the user's identity, claims and access token to your targets in the x-amzn-oidc-identity, x-amzn-oidc-data and x-amzn-oidc-accesstoken headers.
Incorrect options:
Use Cognito Authentication via Cognito Identity Pools for your Application Load Balancer – Identity pools do not authenticate users, so there is no identity-pool authenticate action for an Application Load Balancer. Application-specific user authentication is provided by Cognito User Pools. Amazon Cognito identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have already been authenticated and hold a token.
Use Cognito Authentication via Cognito User Pools for your CloudFront distribution – You cannot directly integrate Cognito User Pools with a CloudFront distribution; you would have to write and maintain a separate Lambda@Edge function to perform the authentication against Cognito User Pools. This involves additional development effort, so this option is not the best fit for the given use-case.
Use Cognito Authentication via Cognito Identity Pools for your CloudFront distribution – You cannot use Cognito Identity Pools for managing user authentication, so this option is not correct.
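Worked example (added here; it is not part of the original questions or of any AWS library): the checks that a COGNITO_USER_POOLS authorizer performs on a user pool token in Question 2, and that a Lambda authorizer or, in Question 3, an ALB target reading the x-amzn-oidc-accesstoken header would have to perform itself. The RSA key, kid, user pool ID, app client ID, "sub" values and tokens are all constructed so the code runs offline; a real validator downloads the pool's JWKS from https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json and caches it by kid. The RS256 implementation is a self-contained teaching version, not a substitute for a vetted JWT library.

```python
"""Validate Cognito user pool JWTs as an API Gateway authorizer or ALB target must. Added example, not from
the page: key, JWKS, pool ID and client ID are constructed; production fetches <issuer>/.well-known/jwks.json."""
import base64, hashlib, hmac, json, math, random, time

USER_POOL_ID, APP_CLIENT_ID = "us-east-1_EXAMPLE1", "1example23456789abcdefghij"  # constructed
ISSUER = f"https://cognito-idp.us-east-1.amazonaws.com/{USER_POOL_ID}"

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin, fine for a demo key
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024) -> dict:
    """Toy RSA key pair for signing demo tokens; Cognito signs with its own 2048-bit keys."""
    def prime(b: int) -> int:
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1  # odd, exactly b bits
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(phi, 65537) == 1:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}

def _emsa(msg: bytes, k: int) -> bytes:
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()  # DigestInfo
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t  # PKCS#1 v1.5: 00 01 FF..FF 00 T

def rs256_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return len(sig) == k and hmac.compare_digest(em, _emsa(msg, k))

def make_jwks(key: dict, kid: str) -> dict:  # same shape as the entries in Cognito's jwks.json
    enc = lambda i: b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": enc(key["n"]), "e": enc(key["e"])}]}

def mint_token(key: dict, kid: str, claims: dict) -> str:
    head, body = (b64url(json.dumps(x).encode()) for x in ({"alg": "RS256", "kid": kid}, claims))
    k = (key["n"].bit_length() + 7) // 8
    sig = pow(int.from_bytes(_emsa(f"{head}.{body}".encode(), k), "big"), key["d"], key["n"])
    return f"{head}.{body}." + b64url(sig.to_bytes(k, "big"))

def _require(ok: bool, reason: str) -> None:
    if not ok:
        raise ValueError(reason)
def validate_cognito_jwt(token: str, jwks: dict, expected_use: str, now: float = None) -> dict:
    """Return the verified claims or raise ValueError; the order of the checks is deliberate."""
    now = time.time() if now is None else now
    parts = token.split(".")
    _require(len(parts) == 3, "malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_dec(h_b64))
    _require(header.get("alg") == "RS256", "unexpected alg")  # rejects alg=none and HS256 key confusion
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    _require(jwk is not None, "unknown kid")
    n, e = (int.from_bytes(b64url_dec(jwk[x]), "big") for x in ("n", "e"))
    _require(rs256_verify(n, e, f"{h_b64}.{p_b64}".encode(), b64url_dec(s_b64)), "bad signature")
    claims = json.loads(b64url_dec(p_b64))  # only now may the claims be trusted
    _require(claims.get("exp", 0) > now, "token expired")
    _require(claims.get("iss") == ISSUER, "wrong issuer")  # a valid token from another pool stops here
    _require(claims.get("token_use") == expected_use, "wrong token_use")  # "id" or "access"
    _require(claims.get("aud" if expected_use == "id" else "client_id") == APP_CLIENT_ID, "wrong audience")
    return claims

def demo() -> dict:
    key, kid, now = generate_rsa_key(), "demo-key-1", int(time.time())
    jwks = make_jwks(key, kid)
    base = {"iss": ISSUER, "aud": APP_CLIENT_ID, "token_use": "id", "exp": now + 3600, "sub": "user-0001"}
    def outcome(tok: str, use: str = "id") -> str:  # "ok:<sub>" or the rejection reason
        try:
            return "ok:" + validate_cognito_jwt(tok, jwks, use)["sub"]
        except ValueError as ex:
            return str(ex)
    good = mint_token(key, kid, base)
    forged = b64url(json.dumps({**base, "sub": "attacker"}).encode())
    return {
        "valid": outcome(good),
        "tampered": outcome(good.replace(good.split(".")[1], forged)),  # new payload, old signature
        "other_pool": outcome(mint_token(key, kid, {**base, "iss": ISSUER + "-other"})),
        "access_as_id": outcome(mint_token(key, kid, {**base, "token_use": "access"})),
        "expired": outcome(mint_token(key, kid, {**base, "exp": now - 1})),
    }
```

demo() mints an ID token with the constructed key and then shows the validator accepting it and rejecting a token whose payload was swapped under the original signature, a correctly signed token from a different user pool, an access token presented where an ID token is expected, and an expired token. The iss and token_use checks are the Cognito-specific ones that a generic "is the signature valid" check misses: any Cognito user pool in the region signs with the same issuer host, so only the full issuer URL including the pool ID ties the token to your pool.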