I have an on-prem AD linked to AWS SSO using AD Connector.
AD users have MFA enabled in AWS SSO.
There is a requirement for an application to retrieve a short-term token using a user ID. For example, Active Directory user ID 'A' has access to shut down an EC2 instance. User ID 'A' logs in to the custom application, the custom application retrieves the short-term token and uses this token to shut down the EC2 instance.
This application is built specifically for business users who are not comfortable using the AWS Console, hence a very basic, minimal, easy-to-use UI.
I have read through a lot of AWS documentation, and all the implementations I have checked online are for AWS SSO with SAML federated with Azure AD etc., but not with on-prem AD.
How can STS be used with an on-prem AD SSO implementation?
This is confirmed. SSO with AD Connector doesn't have STS implemented.
Related
I am trying to reduce the number of logins a user needs to gain access to multiple applications. I have AWS AD set up, which provides me authentication to the VPN and mail client. Now I need a website that I can use AD creds with to allow users to upload, download and list files in an S3 bucket. It seems like I can do this with Cognito maybe, but AWS AD doesn't seem to support SAML/ADFS, which would allow you to link Cognito to AWS AD. Is there something I am missing?
I have an application (node.js) that needs authentication and authorization.
My app needs access to a Postgres database and also needs inheritance (roles etc.).
One option to implement that is using the Cognito service of AWS (the app will probably be hosted on AWS, not sure about that).
So the questions are:
Does the Cognito service support authorization for node.js with a database that is not a service on AWS? (I read that "identity pool" is for AWS services like MariaDB.)
If my app will be on Heroku (not on AWS), will I also be able to use it with Cognito services (for authorization)?
Does Cognito support role/user inheritance?
Thanks
A Cognito identity pool is used for granting access to AWS services. A user pool is used to exchange user credentials for tokens which can contain additional information about the user once decoded. So yes, you can use a user pool just for authentication. Your user attributes can contain information related to the services this user needs to access.
However, if you plan on storing database credentials, I suggest you use AWS Secrets Manager to store your DB credentials and grant the Cognito user access to this secret. You'll need to use both a user pool and an identity pool in this case.
Not directly, but you can use it to access Secrets Manager, where your DB credentials are stored.
Yes, you can use Cognito anywhere. It will be connecting to AWS to grant you tokens, however, and these tokens are only recognized on AWS, which is why you need to use them to access other secrets that can be used to access whatever other services you want.
Cognito supports groups. I'm not sure if that's what you mean by inheritance. You can have token-based roles with groups.
Goal: Allow Firebase Auth users to access Amazon Connect without having to enter another username and password
What I've tried:
Amazon Connect's Identity Management can be done via 3 ways:
Store Users with Amazon Connect
Link to an Existing Directory
SAML 2.0-based authentication
1) Doesn't support SSO.
2) I tried to create a directory in AWS Directory Service, but given the options (AWS Managed Microsoft AD, Simple AD, AD Connector), none of them seem to be compatible with Firebase. I'm not sure if there is a way to sync Firebase Auth users into one of the above listed ADs.
3) SAML seemed promising; however, it appears that Firebase can use a SAML provider but cannot act as a SAML provider.
Is there any solution that will allow me to have Firebase Auth users SSO into an Amazon Connect instance?
If there is no direct solution, is there even an indirect solution where, for example, Cognito is my primary auth, which provides Connect access, and then I use Cognito as the SAML provider for my Firebase Auth?
I'm developing a mobile app that must access some AWS resources, so it needs to authenticate to an AWS endpoint. The app doesn't manage users (sign-in, sign-out, registration and so on).
My first solution was to create an IAM user dedicated to the mobile app and embed its credentials in the mobile app code. The app authenticates itself to AWS using the embedded credentials. It works; however, AWS suggests avoiding embedding credentials directly in the app.
I think a better solution is Cognito. Because I don't need user management, I should use an unauthenticated (guest) identity to request temporary AWS credentials.
However, I don't understand why a guest Cognito identity is more secure than embedded credentials. The mobile app receives temporary AWS credentials by sending a Cognito identity pool ID, which is a long-term "number" embedded in the mobile app. If someone is able to find this identity pool ID, she can receive AWS credentials and access AWS resources as my official mobile app. It seems there's no difference between embedded long-term AWS credentials and guest Cognito access.
Why is the Cognito solution better than embedded AWS credentials?
If you are creating unauthenticated access using an identity pool, you are allowing the public to access your AWS resources. Make sure you write your policy carefully, and it won't matter whether you use a single IAM user or Cognito unauthenticated access as far as security is concerned.
Using federated identity will provide you benefits like getting statistics on usage and adding triggers to events. Also keep in mind that creating a single IAM user and then allowing multiple people to use these credentials is a "hack" way of doing what Cognito federated unauthenticated identity was designed to do. You might run into unexpected complications later if AWS decides to throttle this behavior of IAM.
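Writing that policy carefully means two things: the unauthenticated role's trust policy must only be assumable through this one identity pool and only by unauthenticated identities, and its permissions must be the least an anonymous member of the public should ever get. The CloudFormation role fragment below is an added example, not part of the answer above; the identity pool ID, role name and bucket name are assumed placeholders. Anyone who extracts the pool ID from the app still gets these credentials (the questioner's point), so the permission policy, not the pool ID, is what bounds the damage.

```json
{
  "Type": "AWS::IAM::Role",
  "Properties": {
    "RoleName": "mobile-app-guest-role",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Federated": "cognito-identity.amazonaws.com" },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "cognito-identity.amazonaws.com:aud": "us-east-1:11111111-2222-3333-4444-555555555555"
            },
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "unauthenticated"
            }
          }
        }
      ]
    },
    "Policies": [
      {
        "PolicyName": "guest-read-public-content",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": ["s3:GetObject"],
              "Resource": "arn:aws:s3:::example-app-content/public/*"
            },
            {
              "Effect": "Allow",
              "Action": ["s3:ListBucket"],
              "Resource": "arn:aws:s3:::example-app-content",
              "Condition": { "StringLike": { "s3:prefix": ["public/*"] } }
            }
          ]
        }
      }
    ]
  }
}
```

The `aud` condition is the check that stops the role from being assumed through any other identity pool, and the `amr` condition keeps this role from ever being handed to an authenticated identity. The permission policy is read-only on a single prefix, with no wildcard actions, so the credentials that any stranger can obtain are worth no more than the public content itself; the identity pool must also have unauthenticated identities enabled, otherwise the `GetId`/`GetCredentialsForIdentity` calls fail before this role is ever used.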
I have a client that has an on-prem AD server. I am developing an application running through API Gateway that will use a custom authorizer to authorize the endpoints. The on-prem AD server will be used to authenticate internal users; I'm thinking about deploying an AD server in AWS for external users and using some sort of "link" between the two to connect them.
I want to query AD to authenticate the users and then get their IAM roles to allow access to the API. Is this a good implementation?
If you are able to run AD FS and expose it to Cognito, I would suggest looking into using Cognito Federated Identities and setting the method to require AWS_IAM authorization. Here is a link to the docs for AD FS:
https://aws.amazon.com/blogs/mobile/announcing-saml-support-for-amazon-cognito/
Alternatively, if you can't run AD FS and are running AWS Directory Service for Microsoft Active Directory for some other purpose, you could create a trust relationship to your on-prem AD through Direct Connect / a VPN. You could then create a service which took the AD credentials and authenticated the user via LDAP (a Lambda function configured to be used with a VPC). Finally, a custom authorizer could be created that validated the token for subsequent calls and returned an appropriate IAM policy.