Cognito pool per region vs Cognito pool per tenant - amazon-web-services

I am reading about multi-region architecture considerations.
Our reasons for moving to a multi-region architecture are pretty much the same as everyone else's:
Reducing latency for customers that are in different continents (EU, US, Asia, Africa)
Being in compliance with their data storage needs
Enable regional failover
We will be using Cognito pools and dynamo DB for data storage. Global Cognito pools do not seem to be a thing as Global DynamoDB tables. For a multi-tenant system SAAS system with tenants in different continents, Should the user pool be generated per region or per tenant? In this video here, https://www.youtube.com/watch?v=kmVUbngCyOw&feature=emb_logo&ab_channel=AmazonWebServices , it is recommended to have a pool per tenant. I fail to see many advantages for it though.
Is it instead a good idea to have a user pool per region instead?
The video also suggests having identity pools in addition to user pools. Why should that be the case in a multi-tenant system?
if I was to ensure data residency in the same region as the tenants in dynamodb as well, how should that be handled? and how should active-active architecture
We also need to host the application URLs like tenant1.companydomain.com for all of the tenants. what's the best way to go about it?

This question is too large, but anyway.
1. Reducing Latency
Unless you are calling Cognito APIs often Authentication is really the main concern here, but if you are using a long lived refresh token they shouldn't have to authenticate all the time so it wont be a massive problem. However a bigger problem is if you only use the one pool, you will have to consider that you sometimes need some Cognito Integration to be in the same region, such as a Cognito Authorizer on an API gateway. But you could write your own Lambda Authorizer to get around this.
2. Being in compliance with their data storage needs
This may force your hand in the User Pool decision, although you can always do the option of keeping your identity and your details in separate storage, making use of Lambda Triggers in the User Pool to sync data.
3. regional failover
I don't understand this in regards to your question about how many User Pools to use. If you use one in each region, then you will need to duplicate it in another region if you wanted to add your own failover capability. If you had only 1 User Pool you would have to duplicate only 1. I've never heard of anybody duplicating a User Pool to another region, this conflicts with what you wanted in 2.. If you've used integrations too, you cannot default to another User Pool you'd have to default to a whole new instance of the website, not just the User Pool. You'd have to also create your own Triggers which would do this for you.
Should the user pool be generated per region or per tenant?
This honestly is a large question in itself, we build a multi-tenant SAAS platform and I can honestly say User Pool per tenant would be a nightmare. 1 User Pool is easiest (as for example with the API GW Integration you cannot select multi user pools). You can use an app client per tenant and customize the signin for that tenant and give each tenant their own sub-domain.
4. Is it instead a good idea to have a user pool per region instead?
Other more meaningful questions are maybe? Do I want users to have the same identity in different regions? Do I want a user to be able to use more than on region? etc. Think about different websites that have this feature. For example Amazon you have a global identity and you can switch your store you are visiting, you need to specify requirements.
5. The video
Sorry not going to watch the video, but you can have an identity pool select permissions from the token (i.e. the group permissions for that user in Cognito). That covers 99% of use cases start from there.
6. if I was to ensure data residency...
Out of the box this is how the cloud is unless you specify a global resource everything is per region so you do nothing. You cannot have both data residency and regional failover at the same time.

Related

AWS Serverless: Best way to store permissions of users on different resources

Users have different permissions on different resources(They are called sites in our app) (which can grow over time). Also, there is a separate microservice that stores sites information in a separate dynamodb table. Permissions are calculated based on the groups a user is in. The backend will need to check for permissions always before an action is performed. I am looking to find the most efficient way to store permissions so that the permission check won't be redundant/taxing on the application.
So far our backend is all REST microservices. These are the options I have considered:
JWT Token: Do not wish to store permission on each resource in JWT token because the resource list will grow and it may hit the 8Kb header limit. That is risky.
DynamoDB: If we were to store permissions of each user in a DynamoDB table that is owned by the User microservice, that will mean a REST call to the endpoint from every other microservice which creates tight coupling between other microservices and user microservice and also adds an additional network trip.
DAX: Same issue as above
Elastic cache: Is it not managed so we will need to introduce a VPC in the application which I personally don't like.
API gateway caching: I guess it will do Authorization caching i.e requests with the same JWT token will be able to leverage the cache. Our JWT tokens are only cached for 5 minutes though so I am guessing it will hit the DB and calculate every 5 minutes. Also, this will again mean a REST call to the endpoint from every other microservice which creates tight coupling between other microservices and user microservice(that will have this endpoint) and also adds an additional network trip
Custom authorizer: Caches the policy for 5 minutes but we want the change in permissions to be real-time. Also, we have a strict policy that DynamoDB tables are owned by their respective microservices and that we do not read/write to DynamoDB from outside of the service. Since the authorizer is not going to be writing to the table, it will not be the owners and thus becomes dependent on a microservice that owns the table.also leads to cyclic dependency because all our microservices depend on the custom authorizer.
Am I missing something? What's the best way to handle this?

Where to store multiple access tokens on AWS?

I'm working on a Slack app which will have to store access token per each customer using the app (ex. 1000 teams using it = 1000 tokens). Token enables the app to access Slack API for customers workspace and will be used frequently every day.
App will be running on AWS, using Lambda's and DynamoDB.
What would be the best practice to store those access tokens securly?
I cannot find any strict recomendation for this scenario. Was thinking initially to put those in DynamoDB in a dedicated table but thinking now if I should use other AWS services for that use case. I've checked Secrets Manager but looks like a rather expensive option and not sure if it applies to my scenario.
Appreciate any suggestions.
I would probably use a dedicated DynamoDB table for this purpose. At a minimum, I would configure it to use a KMS CMK to encrypt the data at-rest, and also restrict access to the table through fairly granular IAM permissions in your AWS account. If you also wanted to encrypt each value separately you could look into client-side encryption.
Your findings on the Secrets Manager costs are a good point. You could also look at Systems Manager Parameter Store as an alternative that is generally cheaper than Secrets Manager. Secrets Manager does have the added security of being able to set an IAM resource policy on the secret itself.
Ultimately it's up to you to determine how secure your solution needs to be, and how much you are willing to pay for that. You could even spin up an AWS HSM to encrypt the values, but that would increase the cost by quite a bit.

What are the challenges with a user pool per tenant in a an AWS multi-tenant serverless application

I am considering creating a user pool per tenant based on the recommended multi-tenant architecture (for ex: https://aws.amazon.com/quickstart/saas/identity-with-cognito/)
The rest of the resources in the application are going to be using pooled resources (for ex: API gateway, dynamoDB tables). Considering the silo model just for the Cognito/auth part of the application.
Application requirements:
Subdomain per tenant i.e. tenant1.company.com an tenant2.company.com
A user can belong to multiple tenants(Forex: User A can be in tenant1 and tenant2)
Need to be able to list all users for a particular tenant
Data residency restrictions for personally identifiable information
I believe If I was to use the same Cognito user pool for all tenants, I could force users to use a different email for a new tenant i.e abc#tenant1.com for Tenant1 and abc+tenant2#tenant2.com for Tenant2.
But to list all users for a particular tenant, I imagine the same user pool for all tenants will not work as tenant_id will be a custom attribute.
I could also ensure data residency restrictions by creating a user pool per tenant. However, how do I handle regional failover in this case?
Also, Is subdomain per tenant supported with this approach?
I hear that the user pool per tenant is constant pain and should be avoided. What are some of the pain points?
For my use case, Does it look like that I should opt for an AuthZ provider instead like auth0 or authress?

Amazon STS vs Identity pool for granting access to AWS resource

I am trying to set up different user groups in the AWS user pool and grant them access to AWS resources based on the group they belong to I have two options.
Create two user groups in the user pool and associate respective roles to it. I can assume role using STS and get access to given AWS resources, something like this.
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-group/
Another option is two use Amazon Identity Pool for the same which internally uses STS.
what advantages I will get if I use the identity pool, given that sts is free and identify pool has a price associated with it.
I am confused about what should be the right approach to solve it?
Cognito is prices based on your monthly active users. Since you are going to be using user pool in both cases you will be charged the same regardless of what approach you take. But the first 50,000 monthly active users are free so you might get away with it on a smaller application.
Since pricing isn't a concern, you should just go with Identity pool since they have been made to work well with each other.

Store user credentials in 3 tier architecture

For our product we are currently storing customer credentials hashed in db (3 tier architecture) . We want the authentication to be done at 1st tier itself ,which aws solution can be used for this ,May be AWS HSM but what changes need to be done at app layer to do this .
This is a website
using cloudfront to route across across edge
using database replication
also we have active-active multi region .
any suggestions would be useful
thanks
I agree that some further details on your architecture would help. Is this a web application, mobile app, other fat client? How are you achieving the active-active multi-region architecture at the DB? I would like to suggest AWS Cognito but the multi-region needs become a bit more complex in that scenario.
Today how do you determine which region your users are routed to? If using AWS Cognito you'd likely need to create a user pool per region but this means your users would need to be routed to the correct user pool based on their region.
I have had great luck with AWS Cognito identities from web, mobile, and fat client apps and have even used many of the Lambda integrations with Cognito for commercial grade applications. Some good examples -
http://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-user-identity-pools-javascript-examples.html
http://docs.aws.amazon.com/cognito/latest/developerguide/walkthrough-using-the-ios-sdk.html
http://docs.aws.amazon.com/cognito/latest/developerguide/setting-up-android-sdk.html