Can we customize AWS IAM Authentication page with our own logo.
AWS COGNITO AND API GATEWAY
Edit 29 Jan, 2023
In simple words, I need to customize Default login page of AWS for IAM users. I attached the pic above.. Is that possible? I tried API gateway and AWS Cognito for this. But, I can't catch that.
This is the default AWS Authentication Page we want to customize:
Thank you for your edit. It appears that you want to customize the AWS Management Console login page, not the AWS Cognito login page.
If so, the answer is no, you can't customize the AWS Management Console sign-in webpage by removing or obscuring the AWS logo. This is the account a customer uses to interact with AWS services. Changing a logo in your AWS Management Console could give the false impression that another company is providing AWS cloud services. Review AWS legal documents that are applicable to your case (customers located in different parts of the world may be subject to different regulations). It is common for cloud service providers to include a standard clause in their terms and conditions that specifically prohibits removal of the AWS trademark:
You will not remove, modify, or obscure any copyright, patent, trademark or other proprietary or attribution notices on or in any software.
You can check available customization options to your AWS Management Console here.
You can configure settings like the default Region you want to load after sign in, your preferred language, and how favorite services display in the favorites bar.
Yes you can
Sign in to the Amazon Cognito console. If prompted, enter your AWS credentials.
In the navigation pane, choose Manage User Pools, and choose the user pool you want to edit.
Choose the UI customization tab.
full docs
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-ui-customization.html
Related
Is there a way to grant admin access to a third party in AWS without manually creating IAM role etc, purely via OAuth flow or similar?
Context: making an app that simplifies AWS account management, and want to make the UX to "connect to my account" as simple as possible. Failed to find anything like that in AWS docs. Want the app to be able to provision and manage resources, run terraform etc.
Check this out: Identity Providers and Federation. You will still have to create pre-defined IAM roles to define what permission users will assume
Yes it's doable. You do need to create IAM roles, if you want to give your users access to everything just create an admin role with permissions of ':' on all resources.
Then you should set up some type of SAML server, active directory federation services comes with everything out of the box. You can look for some open source SAML servers.
Then you have to setup SAML federation between your user account and your SAML backend.
I am setting up an AWS Account, the account will be used by an organization of employees for EC2 use/experimentation. Obviously, I do not want to distribute the root login info or set up one single IAM user for everyone to use. Unfortunately, I do not have the time to manage creating individual IAM users for everyone on a regular basis.
So, is there a way to auto-create IAM users based on a given email's domain on their first login attempt? The users should have read-only roles to begin, then an Administrator could give more roles as needed to each user. I am open to suggestions, perhaps lambda functions or linking to an identity provider?
Keep in mind that these new IAM users need to have access to the AWS Management Console, this is not necessarily intended for login to applications hosted on AWS.
Update:
Moving forward using this AWS Management Console Federation Proxy Sample found in Amazon's code reference, using with Microsoft Exchange hosted email.
If your existing identity provider supports SAML2 Federation, you can set it up to login to the AWS Management Console.
For more details refer Enabling SAML 2.0 Federated Users to Access the AWS Management Console.
Else you can implement a custom Federation Broker to return an URL to the user, after they authenticate with their corporate credentials.
For more details refer Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).
I volunteer at a small local school that teaches data science and I'm trying to understand the procedure behind federated logins, but the Amazon documentation isn't helping and their forums don't seem interested.
We'd like for the students to be able to sign in to our AWS environment using either Facebook, Google, or Amazon.com, instead of manually trying to create a user for everyone who signs up.
The main thing that's unclear is how the students should sign in. Do we need to create a custom webpage using the provided javascript or .net code? We would have to contact our web developer if so. Or do we use the provided domain name? (in this case, https://weclouddata.auth.us-east-1.amazoncognito.com) This comes from the Cognito user pools though, and doesn't seem like it would apply. Besides, when I use it in conjunction with the Google client ID, I get an "invalid request" error.
You can create a custom app "Identity Broker" to create a URL that lets users sign in with Facebook/Google credentials and securely access the AWS Management Console. The broker would perform the following steps:
Verify that the user is authenticated by identity system(Facebook or Google) or use AWS Congnito.
Call the AWS Security Token Service (AWS STS) API operations to obtain temporary security credentials for the user.
Construct a URL for the console that includes the token and redirects the user to the URL on the user's behalf.
Amazon Cognito lets you to easily create customizable UI to sign in users and provides built-in federation with Facebook, Google, Login with Amazon. So you don't have worry about authentication and concentrate building your actual logic(above steps)
Here is a sample app from AWS that shows how to implement a single sign-on solution with C# and windows AD.
Python Code:
Here is the python code on how to construct the console login URL. I have used the sample python code from AWS and 'Hello world' flask app. When you hit the URL it should redirect to the console login, you can set permission using IAM role.
You can provide any login mechanism (Facebook, Google, Amazon etc) to create student account first time.
Ask user to create account using any app login (Facebook, Google, Amazon etc)
On successful login, create user in AWS using https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html API.
Add newly created user in the group https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html
You can create the user group with some specified roles and give permission (Launch EC2 Instances, Access to DynamoDB etc) accordingly.
I'm doing some analysis for a customer regarding multiple end-user applications they run. Right now, both have a separate user databases and now want to provide an SSO experience.
They threw out a bunch of SSO providers, specifically the new AWS SSO service. From reading what AWS SSO, my question is, AWS SSO seems more applicable for managing internal users for a company (ie using the same credentials for JIRA, sharepoint, and their company portal) and not really applicable for handling hundreds of thousands of end-user customer accounts.
Is my understanding of the purpose of AWS SSO correct? Like, I'm sure AWS SSO could work with end-user clients, but is that the applicable use case here? Is there a better SSO provide in this case to deal with SSO for end users?
Definitely, is not a good choice for end-users.
This is the entry splash at AWS Console.
Before you can start managing SSO access to your AWS accounts, you must go to the AWS Organizations console and create an organization with All features enabled. For more information, see AWS SSO Prerequisites
Look at this splash from AWS Console
AWS Organizations console and create an organization
That phrase explains what target was created for. So you're right:
AWS SSO seems more applicable for managing internal users for a company (ie using the same credentials for JIRA, sharepoint, and their company portal) and not really applicable for handling hundreds of thousands of end-user customer accounts.
I recommend you to use AWS Cognito as Single-sign-on
Using Cognito you will have a few challenges:
The problem would be passing token(with an expiry value) from site A to B securely. There is no built in SSO facility provided by Cognito. You would have to manage the encrytion, storage & transfer of tokens yourself. Reference: How to use AWS Cognito as Single-sign-on?
Take a look at this post:
Use Amazon QuickSight Federated Single Sign-On with Amazon Cognito User Pools
Hope this gives you a little more information to accomplish your scenario.
Is it possible to use the IAM API as a user registration service for my application.
I.e. if i present the user to create an account and password. Can they then log in with the IAM and use my application.
Or is it more for developers who are tinkering around with the actual AWS platform?
Thanks,
Ben
That's not what AWS Identity and Access Management is made for. I guess you don't want your users to have access to your infrastructure … If you want an user registration you should implement it inside your application.