Can we managing a pool of users in AWS Cognito by creating sub-groups and manipulating the sub-groups as if we were using a relational (groups)database?
Do you have tips for managing organisations with aws?
Thanks
As for tips on managing organisations with aws:
For Cognito (application user behaviour) you might be able to use groups for this feature. Note that groups are primarily designed for role-based access and not specifically for tenant separation. You probably should create separate groups for tenants, so you might be in the R_Engineering (role) and the V_ACME (tenant) group, optionally allowing rules based on the authentication provider for that tenant to assign the group. Some information on groups and fine-grained access control can be found here: https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/. Also, check out this post: https://medium.com/#dantasfiles/multi-tenant-aws-amplify-cc3252c4def4 mentioning ways to do grouping.
If you are looking to manage AWS resources access for organizations, this can be accomplished with AWS Organizations.
As for manipulating all users in a certain group I can only suggest you look into the API of Cognito (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-reference.html).
Related
We are working with a service provider where I constantly need to add a new user in GCP IAM and assign the similar roles which I have assigned to 20 other members.
I was wondering if there is a way that I can create a group, assign some roles to this group and keep adding new users to the group so I don't have to focus on the roles etc.
Posting this Community Wiki for better visibility. Proper documentation link for managing groups was already provided by #Ferregina Pelona
You can create a group for users with the same permissions in GCP. Google also recommends using this approach.
In the documentation Best Practice - Delegate responsibility with groups and service accounts you can find exemple usage of Google Groups.
We recommend collecting users with the same responsibilities into groups and assigning IAM roles to the groups rather than to individual users. For example, you can create a "data scientist" group and assign appropriate roles to enable interaction with BigQuery and Cloud Storage. When a new data scientist joins your team, you can simply add them to the group and they will inherit the defined permissions. You can create and manage groups through the Admin Console.
Regarding creation, removing and managing google groups, you should read the Managing groups in the Cloud Console guide.
In my application I want to users to be able to create an organization i.e. (OrgA) and then have users sign up under said organization using either an invite code or token. Users in OrgA should have access to an Amazon S3 directory (which stores images and files) and access to a database table that has been created for the said organization.
I could not find a solution on how to implement this online and was wondering if using Amazon Cognito groups was a good idea to meet requirements.
This is supported by the Amazon Cognito Service. That is, you can use Amazon Cognito to control permissions for different user groups in your app. This ensures that users have appropriate access to backend resources, determined by the group they belong to. For more information, see Building fine-grained authorization using Amazon Cognito User Pools groups.
I am new to AWS...
We have a home grown user authentication and authorization.
We define authorizations(roles) in company terms, role1 allows you to do tasks1 and tasks2. Role2 allows one to perform tasks3 only.
I can see how I can use Cognito for my user/password management.
Unclear if I use cognito for roles verification, i.e authorization.
Thoughts?
In a Cognito User Pool one can define both Users and Groups, which can be leveraged to drive fine-grained RBAC permissioning. You can define a custom attribute in the User model (e.g., "department" or "role") and map this attribute to Groups.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
Each group can optionally be associated with an IAM role, so it's possible to restrict access to AWS resources (e.g., certain DynamoDB tables) by group -- as an additional layer of security.
However, if you don't need/want to map users to different IAM roles, maybe just handle authentication completely from within your application.
I am currently prototyping an application that is backed by AWS IOT allowing users to control their devices.
My thoughts were to use AWS Cognito to authenticate users and limiting access to particular devices (topics) owned by that user via IAM roles.
I can see you can assign a role to a group of users, which would be great, but there is a very low cap on the number of groups allowed (25).
Am I missing a trick or is this a limitation of Cognito? If so, what would be the best way to handle this situation?
Thanks in advance.
Depending on your use-case for groups, an increase to the number of groups allowed can be given.
Background: On Azure (we're in the process of moving from azure to aws), we have everything organized into resources groups. By default no one can do much in the prod subscription(account), but based on the team asking for a provisioned resource, a team member gets stamped as the "owner" of the resource group, which just gives him/her full access to that resource group, and can add/remove other members as they see fit. This allows us to set up a very fine-grained set of access controls where each team ultimately decides whats allowed and not - not based on groups but based on users getting access to resource groups (in which instances and other resources exist).
Now that we're moving to AWS I had hoped to use the SAML integration to provide access (we're running Auth0 in front of AzureAD, but this should be the same for any saml/federated aws setup I think).
My problem is that with SAML AWS doesn't really "see" each individual user - they're not auto-created in IAM at first logon or anything, so the only "security boundary" I have to work with are the groups I send into AWS, which I can assign to IAM roles.
This is a problem, because 1)the user has to select the desired role at login (if member of more than one), and 2)each role setup is a manual task which requires me to configre AzureAD, saml claims in auth0 and finally IAM roles in AWS. The latter is obviously something I can automate, but still.
Here's the core of my problem:
Say that I have 2 EC2 instances in AWS: DB and Web. I have 3 users, AdminPete, DBDave and WebWilson. I'd like to be able to give Pete full access to both instances, while Dave and Wilson gets access to "their own" ec2 instance. As far as I can see, I would have to configure two IAM roles (DB and Web), and require Pete (who has access to both) to choose his role at login. This is a super-simple example, but it doesn't really scale well at all.
I'm curious to hear how you guys are doing access control in aws - my goal is to be able to create a very fine-tuned setup using tags or some other mechanism. The official aws documentation only deals with getting saml configured (which is easy enough), but very little about real-life permissions management.
The core of the problem (imho) is that unlike "regular" iam users, I can't attach an iam policy or a group to a single user when that user is federated - I can only attach the policy to the federated role as a whole.
Any pointers appreciated! At this point I'm considering just not using saml at all for our aws stuff so that we can use fine-grained iam policies to manage permissions in a more flexible manner.