AWS Cognito Per User Roles (using AWS IOT) - amazon-web-services

I am currently prototyping an application that is backed by AWS IOT allowing users to control their devices.
My thoughts were to use AWS Cognito to authenticate users and limiting access to particular devices (topics) owned by that user via IAM roles.
I can see you can assign a role to a group of users, which would be great, but there is a very low cap on the number of groups allowed (25).
Am I missing a trick or is this a limitation of Cognito? If so, what would be the best way to handle this situation?
Thanks in advance.

Depending on your use-case for groups, an increase to the number of groups allowed can be given.

Related

Is it possible to use Amazon Cognito groups to set permissions on AWS resources such as Amazon DynamoDB and Amazon S3?

In my application I want users to be able to create an organization (i.e. OrgA) and then have users sign up under said organization using either an invite code or token. Users in OrgA should have access to an Amazon S3 directory (which stores images and files) and access to a database table that has been created for the said organization.
I could not find a solution on how to implement this online and was wondering if using Amazon Cognito groups was a good idea to meet requirements.
This is supported by the Amazon Cognito Service. That is, you can use Amazon Cognito to control permissions for different user groups in your app. This ensures that users have appropriate access to backend resources, determined by the group they belong to. For more information, see Building fine-grained authorization using Amazon Cognito User Pools groups.

AWS Cognito relation between groups (organization)

Can we manage a pool of users in AWS Cognito by creating sub-groups and manipulating the sub-groups as if we were using a relational (groups) database?
Do you have tips for managing organisations with aws?
Thanks
As for tips on managing organisations with aws:
For Cognito (application user behaviour) you might be able to use groups for this feature. Note that groups are primarily designed for role-based access and not specifically for tenant separation. You probably should create separate groups for tenants, so you might be in the R_Engineering (role) and the V_ACME (tenant) group, optionally allowing rules based on the authentication provider for that tenant to assign the group. Some information on groups and fine-grained access control can be found here: https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/. Also, check out this post: https://medium.com/#dantasfiles/multi-tenant-aws-amplify-cc3252c4def4 mentioning ways to do grouping.
If you are looking to manage AWS resources access for organizations, this can be accomplished with AWS Organizations.
As for manipulating all users in a certain group I can only suggest you look into the API of Cognito (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-reference.html).

Amazon STS vs Identity pool for granting access to AWS resource

I am trying to set up different user groups in the AWS user pool and grant them access to AWS resources based on the group they belong to. I have two options.
Create two user groups in the user pool and associate respective roles to it. I can assume role using STS and get access to given AWS resources, something like this.
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-group/
Another option is to use Amazon Identity Pool for the same, which internally uses STS.
What advantages will I get if I use the identity pool, given that STS is free and the identity pool has a price associated with it?
I am confused about what should be the right approach to solve it.
Cognito is priced based on your monthly active users. Since you are going to be using a user pool in both cases you will be charged the same regardless of what approach you take. But the first 50,000 monthly active users are free so you might get away with it on a smaller application.
Since pricing isn't a concern, you should just go with Identity pool since they have been made to work well with each other.

AWS IAM: Finding it hard to design an authorization model for SAML-based users

Background: On Azure (we're in the process of moving from Azure to AWS), we have everything organized into resource groups. By default no one can do much in the prod subscription (account), but based on the team asking for a provisioned resource, a team member gets stamped as the "owner" of the resource group, which just gives him/her full access to that resource group, and can add/remove other members as they see fit. This allows us to set up a very fine-grained set of access controls where each team ultimately decides what's allowed and not - not based on groups but based on users getting access to resource groups (in which instances and other resources exist).
Now that we're moving to AWS I had hoped to use the SAML integration to provide access (we're running Auth0 in front of AzureAD, but this should be the same for any saml/federated aws setup I think).
My problem is that with SAML AWS doesn't really "see" each individual user - they're not auto-created in IAM at first logon or anything, so the only "security boundary" I have to work with are the groups I send into AWS, which I can assign to IAM roles.
This is a problem, because 1) the user has to select the desired role at login (if member of more than one), and 2) each role setup is a manual task which requires me to configure AzureAD, SAML claims in Auth0 and finally IAM roles in AWS. The latter is obviously something I can automate, but still.
Here's the core of my problem:
Say that I have 2 EC2 instances in AWS: DB and Web. I have 3 users, AdminPete, DBDave and WebWilson. I'd like to be able to give Pete full access to both instances, while Dave and Wilson get access to "their own" EC2 instance. As far as I can see, I would have to configure two IAM roles (DB and Web), and require Pete (who has access to both) to choose his role at login. This is a super-simple example, but it doesn't really scale well at all.
I'm curious to hear how you guys are doing access control in aws - my goal is to be able to create a very fine-tuned setup using tags or some other mechanism. The official aws documentation only deals with getting saml configured (which is easy enough), but very little about real-life permissions management.
The core of the problem (imho) is that unlike "regular" iam users, I can't attach an iam policy or a group to a single user when that user is federated - I can only attach the policy to the federated role as a whole.
Any pointers appreciated! At this point I'm considering just not using saml at all for our aws stuff so that we can use fine-grained iam policies to manage permissions in a more flexible manner.

Restrict IoT Topic By User Attribute

I am working on a proof of concept using Amazon Cognito and AWS IoT and I need some help. I have everything working, I just need to lock things down. My Cognito User Pool is the only authentication provider I have for my Identity Pool.
I would like to restrict the IoT topics that can be subscribed to based on a custom attribute for the user in my User Pool. Is that possible with the IAM roles? I already can restrict it by entering the topic filter in a role, I just need to know if there is a variable I can use there.
For my use-case the application can have several organizations using the application, with each being completely separated from each other but using the same code and infrastructure. I am hoping I can specify the organization id on the users and then require all topics to have the user's organization id at the start.
I think what I am looking for is way beyond what IAM roles can do, but I want to check first.
Custom attributes are not exposed as policy variables in IAM policies directly.
I think you can use the Group support in Cognito User Pools for this. You can assign users from different organizations to the group for that organization. The IAM role assigned to each of these groups can be the role with your locked down IoT policy.
Using the Federated Identities and User Pools integration you can get temporary AWS credentials for your users. Using the role based access control feature in Cognito Federated Identities will make sure that the credentials are assumed using the role assigned to the Cognito User Pools group to which user belongs.
Hope this helps.
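The pattern recommended in the answer above (and in the earlier "Is it possible to use Amazon Cognito groups to set permissions on AWS resources" answer) is a User Pools group mapped to an IAM role whose policy is confined to the tenant's topic prefix. The following is an added worked example, not code from the thread or from AWS: it builds such a policy for one organization, evaluates IoT subscribe and connect requests against it with IAM-style wildcard matching, and models the identity pool's "choose role from token" resolution on the ID token's `cognito:preferred_role` and `cognito:roles` claims. The account id, region, role ARNs, group names and token payloads are constructed placeholders; `${cognito-identity.amazonaws.com:sub}` is a real IAM policy variable.

```python
"""
Added example (not from the original thread): a local model of a Cognito
User Pools group mapped to an IAM role whose policy confines an identity's
AWS IoT connection and subscriptions to its tenant's topic prefix.
Account id, region, role ARNs and token payloads are constructed placeholders.
"""
import base64
import json
import re
from typing import Optional

REGION = "us-east-1"
ACCOUNT = "123456789012"                              # placeholder account id
IDENTITY_SUB = "cognito-identity.amazonaws.com:sub"   # real IAM policy variable


def tenant_iot_policy(org_id: str) -> dict:
    """Policy for the role attached to the tenant's user-pool group.
    Subscriptions and messages are confined to '<org_id>/...' topics, and the
    MQTT client id must equal the caller's Cognito identity id."""
    base = f"arn:aws:iot:{REGION}:{ACCOUNT}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": base + ":client/${" + IDENTITY_SUB + "}"},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{base}:topicfilter/{org_id}/*"},
            {"Effect": "Allow", "Action": ["iot:Receive", "iot:Publish"],
             "Resource": f"{base}:topic/{org_id}/*"},
        ],
    }


def _arn_matches(pattern: str, value: str, variables: dict) -> bool:
    """IAM-style matching: policy variables are substituted first, then '*'
    matches any run of characters and '?' exactly one; the rest is literal."""
    for key, val in variables.items():
        pattern = pattern.replace("${" + key + "}", val)
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, resource: str, variables: Optional[dict] = None) -> bool:
    """Default deny; an explicit Deny overrides any Allow, as in IAM."""
    variables = variables or {}
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_arn_matches(a.lower(), action.lower(), {}) for a in actions):
            continue
        if not any(_arn_matches(r, resource, variables) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_subscribe(org_id: str, topic_filter: str) -> bool:
    """Would a member of org_id's group be allowed to subscribe to topic_filter?"""
    resource = f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/{topic_filter}"
    return is_allowed(tenant_iot_policy(org_id), "iot:Subscribe", resource)


def can_connect(org_id: str, identity_id: str, client_id: str) -> bool:
    """Connect is only allowed when the MQTT client id equals the identity id."""
    resource = f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{client_id}"
    return is_allowed(tenant_iot_policy(org_id), "iot:Connect", resource, {IDENTITY_SUB: identity_id})


def role_from_id_token(id_token: str, default_role: Optional[str] = None) -> Optional[str]:
    """Approximates the identity pool's 'choose role from token' rule:
    cognito:preferred_role wins; otherwise a single entry in cognito:roles is
    used; several candidates with no preference fall back to default_role
    (None models the 'Deny' ambiguous-role setting). No signature check here:
    the identity pool validates the token before consulting these claims, and
    this function only models the selection step."""
    payload_b64 = id_token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
    if payload.get("cognito:preferred_role"):
        return payload["cognito:preferred_role"]
    roles = payload.get("cognito:roles", [])
    return roles[0] if len(roles) == 1 else default_role


def unsigned_sample_token(payload: dict) -> str:
    """Constructed test token: JWT layout with a placeholder signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'kid': 'placeholder'})}.{enc(payload)}.placeholder-signature"


if __name__ == "__main__":
    print(json.dumps(tenant_iot_policy("acme"), indent=2))
    for f in ("acme/devices/+/state", "acme/#", "#", "acme", "acme-evil/x", "globex/#"):
        print(f"{f!r:>24} -> {'allow' if can_subscribe('acme', f) else 'deny'}")
```

Two details matter for the tenant boundary the question asks for: the resource ARN is matched against the MQTT topic filter string, so the policy must end the prefix with `/` (otherwise `acme-evil/x` would match `acme*`), and a blanket `#` subscription is denied because the literal filter never matches the prefixed ARN. The same prefix idea carries over to the S3 "directory per organization" case by scoping `s3:prefix` and object ARNs to `<org_id>/*`.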