Why does Amazon Cognito have its own region? And does the region for Amazon Cognito need to be the same as the region I have set in the AWS Console?
Like other AWS services, Cognito is available as a service in multiple regions. To access the service, you have to supply which region of it you want to access. Data for users in each region is only available for that region - if I were to create an identity inside an identity pool configured in us-east-1, I wouldn't be able to access it if I supplied region eu-west-1.
Specifically, for Cognito identity, it tracks each identity id vended and any public provider information possibly used by that identity to know if anything it is given is a valid identifier of the user.
For Cognito sync, it manages the sync data/metadata for each identity.
Yes, the region in which you configure your Cognito identity pool in the console needs to be the same as the one you give the client.
If you're using Cognito identity to get credentials for a resource in another region, that's totally supported. Credentials vended from one region can be used from another.
Amazon Cognito is only available in 3 regions as of right now. They are US East (N. Virginia), EU (Ireland) and Asia Pacific (Tokyo). But I had a region other than one of these in console.aws.com. Now that I tried to create a Cognito identity at console.aws.amazon.com/cognito, I had to choose one of the regions listed above; it is only supported in a subset of console.aws.com regions.
To answer the more important part of my question: is it OK to choose a different region here while Beanstalk is set up to serve your application from a different region? Yes. That is how I have it set up right now.
Related
We would like to access AWS X-Ray, which is deployed in multiple regions like Europe, US East and US West.
I would like to access these using an access key ID and secret access key, and maybe a session token as well.
I want to know whether it is necessary to specify the region while accessing the AWS X-Ray resources of these regions.
What if I don't specify the region and just specify the keys to access the AWS resource (AWS X-Ray); will we be able to access those?
Customer-centric exact issue:
We have to talk to a customer; he is going to say that he has deployed AWS X-Ray in three regions.
We usually access the customer's resources, get data and do some processing.
So what details should we tell the customer that we would need from him?
Thanks in advance.
You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.
In case you need to provide access to an externally authenticated users (identity federation): https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html
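As an added illustration of the cross-account role the answer above describes (this is example code, not from the original answer or from AWS documentation): the customer creates a role in their account whose trust policy names the vendor's account as principal, and the vendor assumes it with `sts:AssumeRole`. The account ids and the external id below are constructed placeholders; the `sts:ExternalId` condition is a standard IAM feature that stops an unrelated third party from tricking the vendor into assuming the customer's role on their behalf (the confused-deputy problem).

```python
"""Build and review the IAM trust policy for a cross-account role.
Added example: account ids and the external id are constructed placeholders."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_cross_account_trust_policy(trusted_account_id, external_id):
    """Trust policy that lets principals in trusted_account_id call
    sts:AssumeRole, but only when they present the agreed external id."""
    if not ACCOUNT_ID_RE.match(trusted_account_id):
        raise ValueError("trusted_account_id must be a 12-digit AWS account id")
    if len(external_id) < 8:
        raise ValueError("external_id should be a long, unguessable value")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_findings(policy):
    """Return the problems a reviewer would flag in a trust policy document:
    a wildcard principal (anyone can assume the role) and a missing
    sts:ExternalId condition on a cross-account Allow statement."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal: any AWS account can assume this role")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in conditions:
            findings.append("no sts:ExternalId condition: confused-deputy risk")
    return findings


if __name__ == "__main__":
    # Constructed values: the vendor's account id and a shared external id.
    policy = build_cross_account_trust_policy("123456789012", "vendor-xray-7f3a9c2e")
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```

The customer attaches a permissions policy (for example the X-Ray read actions) to that role; the vendor then only needs the role ARN and the agreed external id from the customer, never long-lived access keys.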
AWS X-Ray traces are stored in specific regions as configured on the X-Ray daemon or the AWS managed services. If you want to use X-Ray APIs to send or fetch traces, you'll have to provide the region as well.
Are there any specific X-Ray APIs/Resources you're looking to use?
Through the console (AWS Account > IAM > Account Settings) you're able to enable and disable regions.
Is there a way to do that through either Boto3 or Terraform?
That page you are referencing is only for enabling/disabling regional endpoints of the AWS STS service. That doesn't actually disable the use of a region. I can't find any API to manage this setting programmatically.
You can enable/disable regions at the account level by logging in as the AWS account administrator and going to My Account -> AWS Regions. However only "opt-in" regions can be enabled or disabled. At this time the only "opt-in" regions are "Middle East (Bahrain)" and "Asia Pacific (Hong Kong)". All other regions are "Enabled by default" on an AWS account and cannot be disabled. Again, I am not aware of an API to manage this setting.
If you want to restrict IAM users from accessing or creating resources in specific regions the correct method of doing this is through IAM policies, per this AWS Blog Post. This of course can be managed through the IAM API.
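The IAM-policy approach the answer above points to can be expressed with the `aws:RequestedRegion` global condition key: one explicit Deny for every non-global action whose requested region is outside an allow-list. The following is an added example, not code from the answer or from AWS; it builds such a policy and runs a deliberately simplified check (explicit Deny wins) over a few constructed requests. The list of exempted global services is an assumption for illustration, not a complete list.

```python
"""Generate a region-restriction IAM policy and sanity-check it.
Added example; the evaluator is a simplified model of IAM, not the real engine."""
import json

# Global services whose API calls are not tied to a chosen region; the Deny
# statement exempts them so users can still manage IAM, STS, etc. (assumed list).
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*"]


def build_region_restriction_policy(allowed_regions):
    """Return an IAM policy document (dict) that denies every non-global action
    when aws:RequestedRegion is not one of allowed_regions."""
    if not allowed_regions:
        raise ValueError("allowed_regions must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllOutsideAllowedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": sorted(allowed_regions)}
                },
            }
        ],
    }


def _action_matches(pattern, action):
    """Match the 'service:*' and 'service:Action' forms used in this policy."""
    if pattern == "*":
        return True
    if pattern.endswith(":*"):
        return action.split(":", 1)[0] == pattern[:-2]
    return pattern == action


def is_denied(policy, action, requested_region):
    """Simplified evaluation: True if any Deny statement applies to the request.
    A Deny with NotAction applies to every action NOT listed there."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # exempted global service
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion", [])
        if allowed and requested_region not in allowed:
            return True
    return False


if __name__ == "__main__":
    policy = build_region_restriction_policy(["eu-west-1", "us-east-1"])
    print(json.dumps(policy, indent=2))
    # Constructed sample requests.
    for action, region in [("s3:ListBucket", "eu-west-1"),
                           ("ec2:RunInstances", "ap-northeast-1"),
                           ("iam:ListUsers", "ap-northeast-1")]:
        verdict = "DENIED" if is_denied(policy, action, region) else "allowed"
        print(f"{action:20} {region:16} {verdict}")
```

Attach the generated document as an IAM policy (or a Service Control Policy for a whole organization); unlike the account-level region opt-in, this applies to the default-enabled regions too, and it can be managed through the IAM API or Terraform.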
Can I connect to a different account's AWS services (S3, DynamoDB) from my account's EC2 using a VPC Endpoint?
Amazon S3 and Amazon DynamoDB are accessed on the Internet via API calls.
When a call is made to these services, a set of credentials is provided to identify the account and user.
If you wish to access S3 or DynamoDB resources belonging to a different account, you simply need to use credentials that belong to the target account. The actual request can be made from anywhere on the Internet (e.g. from Amazon EC2 or from a computer under your desk); the only thing that matters is that you have valid credentials linked to the desired AWS account.
There is no need to manipulate VPC configurations to access resources belonging to a different AWS Account. The source of the request is actually irrelevant.
We currently have a webapp running in the AWS Region Ireland (service for the UK) and are planning to expand the service into the US.
In order to be sure that the US users get a low-latency experience, we are considering mirroring the AWS resources used in Ireland in the US.
The data for the US users should be stored in the US region, the UK data in Ireland. (There is no need to report across both regions.)
We are thinking of building a centralised login service that runs in the Ireland region. After successful login the user will be redirected to the region where his data is stored. (The login service has to know in which region the data is stored.)
Has anyone built something similar? Any recommendation how to approach this?
Would Amazon Cognito support such a setup (if we build the login service based on cognito)?
Currently Amazon Cognito does not support this out of the box.
But if you use Cognito User Pools with Federated identities the credentials you get can be used in any AWS region. Along with that you can store a custom attribute for the user defining the region to which that user belongs and then redirect them accordingly.
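An added example of the routing step the answer above suggests (example code, not from the answer or from Cognito's SDK): after sign-in, the login service reads a custom user-pool attribute, here assumed to be named `custom:home_region`, and redirects the browser to that region's deployment. The hostnames and the sample user records are constructed; the records are shaped like the `UserAttributes` list Cognito's GetUser/AdminGetUser calls return. Two checks matter for safety: the attribute value is validated against a fixed allow-list so a tampered value cannot steer users to an arbitrary host, and the post-login path must be relative so the redirect cannot be abused as an open redirect.

```python
"""Redirect a signed-in Cognito user to the regional deployment holding their data.
Added example; custom:home_region and the hostnames are assumptions."""
from urllib.parse import quote

# Constructed: the regional app deployments this login service may send users to.
REGIONAL_APP_HOSTS = {
    "eu-west-1": "https://app-eu.example.com",
    "us-east-1": "https://app-us.example.com",
}
HOME_REGION_ATTR = "custom:home_region"  # assumed custom attribute name
DEFAULT_REGION = "eu-west-1"             # existing users predate the attribute


def attributes_to_dict(user_attributes):
    """Cognito returns attributes as a list of {"Name": ..., "Value": ...} items."""
    return {a["Name"]: a["Value"] for a in user_attributes}


def resolve_home_region(user_attributes):
    """Pick the user's home region, falling back to the default when unset.
    Values outside the allow-list are rejected rather than trusted."""
    attrs = attributes_to_dict(user_attributes)
    region = attrs.get(HOME_REGION_ATTR, DEFAULT_REGION)
    if region not in REGIONAL_APP_HOSTS:
        raise ValueError(f"unknown home region {region!r} for user {attrs.get('sub')}")
    return region


def build_redirect(user_attributes, next_path="/dashboard"):
    """Absolute URL to send the browser to after login. next_path must be a
    same-site path; protocol-relative or absolute URLs are refused."""
    if not next_path.startswith("/") or next_path.startswith("//"):
        raise ValueError("next_path must be a relative path")
    region = resolve_home_region(user_attributes)
    return REGIONAL_APP_HOSTS[region] + quote(next_path)


# Constructed sample records shaped like Cognito's GetUser output.
UK_USER = [{"Name": "sub", "Value": "11111111-aaaa"},
           {"Name": "email", "Value": "alice@example.co.uk"},
           {"Name": "custom:home_region", "Value": "eu-west-1"}]
US_USER = [{"Name": "sub", "Value": "22222222-bbbb"},
           {"Name": "email", "Value": "bob@example.com"},
           {"Name": "custom:home_region", "Value": "us-east-1"}]
LEGACY_USER = [{"Name": "sub", "Value": "33333333-cccc"}]  # attribute never set

if __name__ == "__main__":
    for user in (UK_USER, US_USER, LEGACY_USER):
        print(build_redirect(user))
```

Mark the custom attribute as not writable by the user in the user-pool app client settings, so only your backend (via admin calls) can change where a user is routed.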
Some days ago I created an Identity Pool. My region is eu-west-1.
And today I don't know how to see the information relating to this:
when I go to the Amazon Cognito console, it tells me:
Region not supported
Cognito User Pools are currently only available in US East (Virginia).
And after that it only proposes that I create a new User Pool.
So why does the console say that Cognito is only available in US East, even though I could create a pool for my region, which is EU West, and how can I access my identity pool?
When you enter Cognito Console, you should select 'Manage Federated Identities' and not 'Manage User Pools' to see your identity pools.
Cognito User Pools is a new service that allows you to easily provide sign up and sign in functionality to your users and is only available in us-east-1.