AWS Cognito unauthenticated users ids consistency - amazon-web-services

I'm new to AWS, and i'm using Cognito Identity Pools to allow unverified (unauthenticated) users access to my AWS resources. I want to create users table using DynamoDb and my question is:
Is unauthenticated users ids in Cognito are consistent among devices? Will the id be constant for each device or change due to any reasons?
Can I use Cognito uid to identify a specific user even if he deletes the app for example, and comes back after few months?
THANKS.

Related

AWS DynamoDB with Cognito user-scoped access?

I am using AWS Cognito for user management. I want users of my application to store their data in DynamoDB. So I need user-scoped access (User A can write data and only read data added by User A, User B being able to only read data added by User B).
Docs suggest the ability to have row-level and column-level fine grain access: (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html).
BUT I am not using IAM, I am using Congito users (want it scoped to each user, not a Role/Group). This doc suggests you can use Cognito ID: (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_items.html).
However, according to this StackOverflow question (How to use DynamoDB fine grained access control with Cognito User Pools?), it's not what I am expecting?
Does AWS support my use-case? Lot of docs but its not clear if my use-case is supported.
You need to use Cognito identity pool. Cognito identity pool acts as an identity broker. When a Cognito user authenticates using the user pool, then Cognito provides JWT tokens. User can use ID token provided by Cognito user pool and Cognito identity pool can take the token and provide temporary IAM credentials.
I am familiar with a similar use case as of yours. In that use case, user who has written data to S3 can only modify/delete that data. In this case, you can create new S3 folders (prefixes) for each user's Identity ID (provided by Cognito identity pool) and that particular user can access data under that S3 folder only.
I am not much familiar with DynamoDB access control, hence not able provide the exact solution now. You can try a similar approach as the above one.
https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-create-identity-pool.html

AWS Cognito UserPool vs IdentityPool: Is IdentityPool mandatory?

Is using an IdentityPool mandatory with AWS Cognito?
My use case:
My web app has users who can self-signup and will be added to the Cognito UserPool I have set up. I only want to provide access to my backend resources to authenticated users (ie., users belonging to an authenticatedRole IAM role). My requirement is simple enough that a single authenticated role suffices to handle my application's resource authorization requirements and I just want to deny access to all backend resources for non-authenticated users.
Is this possible with just the UserPool and if yes, how do I go about accomplishing this?
Note: I am using CDK to define my Infrastructure as code.
Using an identity pool is by no means mandatory with Cognito. It is completely on a use case basis. A few things to clarify here.
Userpool - For authentication
Identity Pool - For authorization.
Basically, if you want your end users to sign-up, sign-in, and then access AWS resources or make AWS API calls, then you would have to use an Identity pool. So let’s say you have a gaming application where the end user can sign in via FB, Google, or natively (username and password). This is authentication, and here we would be using a Cognito user pool. Now the user, is logged in and playing the game. They make a high score. This high score may need to be added to S3 or a DynamoDB table record for the user. For this, an identity pool is used. An identity pool will help you with vending temporary AWS credentials that the end user can use.
I believe in your use case the userpool should be sufficient. You can grant access to your resources by verifying the access token returned by Cognito for the end user.

Integrate Quicksight with Cognito for access via Google login

I have my enterprise Quicksight in place and with users using our company email to register an account (like john.doe#mycompany.com). We're using Gmail for business.
On the other hand we have developed another application backed by AWS Cognito user pool using Google as an identity provider, and since this is the same user base our intention was to use the same user pool for Quicksight access. In addition we will develop a Lambda that would synchronize Cognito user group association with Quicksight memberships if/when necessary.
I've followed the example described here https://aws.amazon.com/blogs/big-data/use-amazon-quicksight-federated-single-sign-on-with-amazon-cognito-user-pools/, but the problem is that even though I login as different users I get access to Quicksight via same IAM role. The Quicksight user associated with this role has a specific username starting with CognitoQuickSight1-AuthRole-KX4Y16... and email associated with the user I used to login the very first time.
Now I'm wondering if in this setup it's even possible to have different roles associated with different users so they can be differentiated on Quicksight side? Or is there any other way to achieve this?
I don't think you can assign QuickSight user specific permission on Federated users.
Some AWS services allows to use the user identity in the resource base IAM policy. For example S3 (to allow user to access only their 'directory' in a bucket) and DynamoBD (to allow user to only access item where their identity is the primary key).
According to https://docs.aws.amazon.com/quicksight/latest/user/security_iam_service-with-iam.html Quicksight does not support Resource based or Tag based policies.

Allow Cognito user to Write to S3

I have an embedded device that requires the ability to write to S3. I want to avoid giving the embedded device an actual AWS IAMUser. I am looking at using Cognito to gain write access to S3.
I have a user pool with a group and one user (for now). The group has an attached policy which permits access to write to a certain S3 bucket. The pool is setup so that only admins can create new users. I have managed to authenticate the cognito user and have got access to refresh tokens and the idTokens. I am looking to use these tokens to write to my s3 bucket.
I am trying to follow trying to follow the documentation but am getting confused. I think i need a federated identity pool but i have no requirement for a public provider. I just want my cognito user group to write to s3.
Is there a simple solution to allow a cognito user to write to S3 without federated identities or if not do i require a back end to serve a token for a federated identity?
I have been using warrant https://github.com/capless/warrant to authenticate as so:
from warrant.aws_srp import AWSSRP
import boto3
client = boto3.client('cognito-idp')
aws = AWSSRP(username='<username>', password='<password>', pool_id='<pool>',
client_id='<clientid>', client=client)
tokens = aws.authenticate_user()
Any tips would be greatly appreciated!
You do need a federated identity pool. In the identity provider section you choose Cognito and enter your pool ID and pool client ID. Then, you need to provide the identity pool with authenticated and unauthenticated roles. You can use these roles to provide that S3 write access.
This is the default behavior for the identity provider setup. If you want the Role to come from the group that your user is in, you will need to set the Choose role from token option in the identity provider section under where you provided your pool and client id.

Restrict IoT Topic By User Attribute

I am working on a proof of concept using Amazon Cognito and AWS IoT and I need some help. I have everything working, I just need to lock things down. My Cognito User Pool is the only authentication provider I have for my Identity Pool.
I would like to restrict the IoT topics that can be subscribed to based on a custom attribute for the user in my User Pool. Is that possible with the IAM roles? I already can restrict it by entering the topic filter in a role, I just need to know if there is a variable I can use there.
For my use-case the application can have several organizations using the application, with each being completely separated from each other but using the same code and infrastructure. I am hoping I can specify the organization id on the users and then require all topics to have the user's organization id at the start.
I think what I am looking for is way beyond what IAM roles can do, but I want to check first.
Custom attributes are not exposed as policy variables in IAM policies directly.
I think you can use the Group support in Cognito User Pools for this. You can assign users from different organizations to the group for that organization. The IAM role assigned to each of these groups can be the role with your locked down IoT policy.
Using the Federated Identities and User Pools integration you can get temporary AWS credentials for your users. Using the role based access control feature in Cognito Federated Identities will make sure that the credentials are assumed using the role assigned to the Cognito User Pools group to which user belongs.
Hope this helps.