I’m approaching AWS for the first time, and I’m trying to build an app using Amplify, API Gateway, Cognito, Lambda and Dynamo DB (I’m building some sort of a ToDo app).
I’ve learnt how to use lambda and dynamoDB without any authentication system and now I want to implement it.
I’ve already setup cognito, api gateway and lambda in order to access API with an IdToken, but what I’m not able to do is saving into dynamoDB the data of the user that called the API, as when I log the event inside CloudWatch I see that all the fields that refer to cognito are null (ex. “Context.identity” is null).
I need it so when an user want to see its data I’ll call the GET method which filters only that user’s data and retrieves it.
Anyone could please explain if this is the correct way to do it and what I’m missing, or if there’s an easier way to build this?
I have sensitive data attached to users that they need to access to (on AWS dynamoDB). However, to comply with requirements, I or other devs should not be able to decrypt it.
Is there a recommended way of handling this problem (for example using user password as a decrypting key or something) ?
I am not looking for data anonymisation or masking as users still need to access the data.
My infrastructure is on AWS using Cognito as authentication method, lambda functions, API gateway and DynamoDB.
I've built an application which is connected with Amazon Cognito to take the sign in and sign-ups of users. Currently, application support three different subscriptions (Free, Basic, Premium). If the user signs in for basic Subscriptions, I want to give them least access to DynamoDB for download the parts of applications which is required to run the application service.
How to connect DynamoDB with Cognito directly
I am not sure, what's the best approach to follow this scenario?
(Please note- this is not a mobile-based application, so do not give suggestion to use AWS Amplify or relatable services)
When I was first learning about Cognito, I had made the same set of assumptions you are currently making. I knew that User Pools could act as my application's user directory, and Identity Pools would magically unlock all my authorization needs. I was mistaken :)
At the risk of oversimplifying, AWS Cognito exists to answer two questions:
Who are you? (authentication)
What can you do? (authorization)
Cognito addresses these concerns with two distinct offerings: User Pools (authentication) and Identity Pools (authorization).
At a high level, User Pools let you handle user registration, authentication, account recovery, and supports authentication with third-party identity providers like Facebook, Google, etc. Sounds like you might have this part figured out.
Cognito Identity Pools, on the other hand, provides a way to authorize users to use various AWS services. You can think of it as a vending machine for handing out AWS credentials. For example, if you needed to give your users access to upload a file to an S3 bucket or to invoke an endpoint in API Gateway, you could do so with an Identity Pool. You can even allow item-level access to DynamoDB based on an Amazon Cognito ID. However, this might not work the way you expect since your application users are probably not directly connecting to DynamoDB.
In most web/mobile applications, users are not connecting directly to DynamoDB. Instead, they are interacting with a web/mobile app that communicates to the back-end of your application via an API. That API would then communicate with DynamoDB. If your stack is in AWS, the path may look something like this:
Client (web/mobile app) <-> API Gateway <-> Lambda <-> DynamoDB
In this architecture, your users would authenticate via Cognito. Cognito would then authorize the user to make calls to API Gateway. API Gateway would execute your lambda, which would then interact with DynamoDB. The "user" of DynamoDB in this example is your Lambda, not the user of your application.
That last bit is important, so I'll repeat it: Unless your users are directly connecting to DynamoDB (not recommended), they are not the "user" operating on DynamoDb. Therefore, restricting DynamoDB access based on a user's Cognito ID is not going to be an option for you.
So, what can you do? Your application needs to provide the business logic around what effect your users can have on DynamoDB. Perhaps free users have read-only access to a specific partition, while premium users can modify the same partition. That logic has to be handled directly by you.
I know you said you weren't looking for Amplify suggestions since your application is not mobile-based. However, Amplify offers SDKs that aren't specific to mobile development. The folks at Serverless have made a fantastic tutorial on building a full-stack serverless web app, which includes a very readable chapter on serverless auth with Cognito. They use Amplify in a web app to integrate with Cognito, S3, and API Gateway. If that's something you are trying to do, I'd recommend checking it out.
So I am working on a web application in which I am performing signup by taking users data from web form and passing it on to a lambda function which stores it in a DynamoDB table. But now I also want to utilize the AWS Cognito authentication service. So the data I am storing in the DynamoDB also consists of the email address field.I want my application to perform the following flow of steps:
User Signups data including email address stored in DynamoDB via a lambda function.
Once data is stored in DynamoDB I want some sort of trigger which can take registered users email address from the DynamoDB and passes it AWS Cognito.
AWS Cognito creates a user account sends user a random password or a link where the user can set the password themselves.
The Signup and storing data onto DynamoDB is working for me but the part where synchronization needs to happen is confusing me. It would be highly appreciated if someone can guide me a bit here.
I already have a heavy user table in an existed website and server doesn't host in AWS.
I wanna use AWS Cognito for a mobile app of this site. So, need to check my server first when login/sign in.
But many blogs and examples look like only for serverless service.
I saw Accessing Server-side Resources after Sign-in. But this access server after getting token.
I saw Adding a User Pool Lambda Trigger. But not sure this can fit with my case.
I know I need to test these things first.
But just I wanna get some advice in here first.
So, Please give me advice.
Thanks.
you can do one thing, you can use cognito in application using aws-sdk which will do signin/singup
add trigger of cognito add save data to dynamo DB table or you can send data your database also.
another case if like you can add trigger, it will check for in both cognito and login your table to having user info and then allow the sign in.
OR
You can import your user data to cognito.