Authorization using Cognito + API Gateway + IAM

Pravin Lolage
Feb 7, 2019
Authorization using Cognito

Authorization in SaaS Applications

Most of today’s Software as a Service (SaaS) applications offer several levels (plans or tiers), where each level is assigned a set of operations and a user at one level must not be able to perform the operations of another. To enforce this we need to implement Authorization, which prevents users from accessing resources they are not entitled to.

Authentication vs Authorization

  • It’s basically “Who you are” vs “What you can do”
  • Authentication: I am an employee of the company. Here is my ID badge.
  • Authorization: As an employee of the company, I am allowed entrance into the building.

Why Authorization is Needed?

  • A balance between security and business progress.
  • Plays a vital role in securing your application.
  • It is extremely important to make sure the user can access whatever he/she is required to access, but no more and no less.

Types of Authorization

  • RBAC — Role-Based Access Control which prevents users from accessing unauthorized resources based on their assigned role. e.g. HR Role — Can view salaries of employees.
  • ABAC — Attribute-Based Access Control which prevents users from accessing unauthorized resources based on their attributes. e.g. a region attribute in the user’s details.

What is Cognito?

Amazon Cognito is an Amazon Web Services (AWS) product that controls user authentication and authorization. Amazon Cognito collects a user’s profile attributes into directories called user pools that a mobile app or web app uses to configure limited access to AWS resources. It has the following two concepts.

User Pools

  • Granting access to an application.
  • AWS Cognito UserPool is used to authenticate users for your applications.
  • You just need to integrate AWS Cognito UserPools, which will manage user sign-up, sign-in and password policies.

Identity Pools

  • Granting access to Amazon services.
  • This is designed to allow different users, authenticated either through Cognito UserPools or social logins (e.g. Gmail, Facebook, etc.), to have access to AWS services under your AWS account.
  • Identity pools issue temporary AWS credentials with which the application can access the AWS resources permitted by the IAM role (and its policy) assumed on behalf of the individual user.

User Pools vs Identity Pools

Pricing

Cognito charges are based on your monthly active users (MAUs) only. A user is counted as an MAU if, within a calendar month, there is an identity operation related to that user, such as sign-up, sign-in, token refresh, or password change. You are not charged for subsequent sessions or for inactive users within that calendar month.

Cognito Pricing

If we consider 1 lac (100,000) MAUs, it can cost us around 50000 * 0.0055 = $275 (~19,600 INR) per month.

What is API Gateway?

  • AWS API Gateway provides the platform to create REST APIs with minimal effort.
  • We can run multiple versions of the same API simultaneously with API Gateway, allowing us to quickly iterate, test, and release new versions.
  • We can easily monitor performance metrics and information on API calls, data latency, and error rates from the API Gateway dashboard.

Pricing

API Gateway Pricing

If we consider 10 million requests, it can cost us around 10 * 3.5 = $35 (~2,500 INR) per month.

AWS Auth Strategy

There are two ways to authorize users using AWS.

  • RBAC
  • ABAC

RBAC(Role-Based Access Control)

To implement RBAC on AWS, we can use the following concepts from different AWS services, assuming that we have API Gateway endpoints to which we want to apply authorization so that unauthorized users cannot call them.

  • IAM (Role + Policy): We have to create a role of the Cognito Web Identity type and attach the policy that defines the access criteria for the API Gateway endpoints.
  • Cognito User Pool (User store + User Groups): Now we have to create a Cognito User Pool in which our users can be registered. While setting it up we can define custom attributes like region, designation, etc. depending on our needs. To assign the created roles to users, we have to create groups in the Cognito user pool. We also need to create an app client through which users are accessed, using the generated client id and pool id.
  • Cognito Identity Pool (Temporary session credentials): Once the pool id and client id are generated, you can create an Identity Pool that refers to the created user pool. Once the identity pool exists for that user pool, you can generate temporary credentials. These credentials can be used to access AWS resources, in this case API Gateway.

ABAC(Attribute-Based Access Control)

The process to implement ABAC on AWS is similar to RBAC. The only difference is that we use a custom attribute in the Identity Pool instead of a group. We can use the following concepts from different AWS services, again assuming that we have API Gateway endpoints to which we want to apply authorization so that unauthorized users cannot call them.

  • IAM (Role + Policy): We have to create a role of the Cognito Web Identity type and attach the policy that defines the access criteria for the API Gateway endpoints.
  • Cognito User Pool (User store + Custom attribute): Now we have to create a Cognito User Pool in which our users can be registered. While setting it up we can define custom attributes like region, designation, etc. depending on our needs. We also need to create an app client through which users are accessed, using the generated client id and pool id.
  • Cognito Identity Pool (Temporary session credentials): Once the pool id and client id are generated, you can create an Identity Pool that refers to the created user pool. While setting up the Identity Pool, we add rules in the authenticated providers section. Each rule has a condition on a token claim, such as "oemName equals Google"; only when the condition is satisfied is the mentioned role applied. Once the identity pool exists for that user pool, you can generate temporary credentials. These credentials can be used to access AWS resources, in this case API Gateway.
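The three pieces that both the RBAC and ABAC steps above hinge on are the role's trust policy, the permission policy scoped to API Gateway, and the identity pool's rule-based role mapping. The following is an added example, not code from the original article or from AWS: it builds those three JSON documents and re-enacts the first-match rule evaluation locally so a mapping can be sanity-checked before deployment. All account ids, pool ids, API ids, claim names and role names are constructed placeholders.

```python
import json

# Constructed placeholders; real values come from your own account and pools.
ACCOUNT = "123456789012"
REGION = "ap-south-1"
IDENTITY_POOL_ID = f"{REGION}:00000000-0000-0000-0000-000000000000"

def trust_policy(identity_pool_id):
    """Trust policy for a Cognito Web Identity role: only identities from this
    one identity pool, and only authenticated ones (amr), may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]}

def invoke_policy(region, account, api_id, stage, routes):
    """Permission policy limited to execute-api:Invoke on the given (METHOD, path)
    routes of one API stage; a bare '*' resource would open every route of every API."""
    arns = [f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{path.lstrip('/')}"
            for method, path in routes]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "execute-api:Invoke", "Resource": arns}]}

def role_mapping(rules):
    """Rules-type RoleMappings entry for the identity pool's authenticated provider
    (the ABAC step). rules are (claim, match_type, value, role_arn) tuples;
    AmbiguousRoleResolution=Deny means no fallback role when nothing matches."""
    return {"Type": "Rules", "AmbiguousRoleResolution": "Deny",
            "RulesConfiguration": {"Rules": [
                {"Claim": c, "MatchType": m, "Value": v, "RoleARN": arn}
                for c, m, v, arn in rules]}}

_MATCHERS = {"Equals": str.__eq__, "NotEqual": str.__ne__,
             "Contains": str.__contains__, "StartsWith": str.startswith}

def resolve_role(mapping, id_token_claims):
    """Local re-enactment of first-match rule evaluation (not AWS's own code):
    returns the role ARN the claims would map to, or None when access is denied."""
    for rule in mapping["RulesConfiguration"]["Rules"]:
        actual = id_token_claims.get(rule["Claim"])
        if isinstance(actual, str) and _MATCHERS[rule["MatchType"]](actual, rule["Value"]):
            return rule["RoleARN"]
    return None  # Deny: no role, so no temporary credentials for API Gateway

if __name__ == "__main__":
    hr_role = f"arn:aws:iam::{ACCOUNT}:role/HrApiRole"
    print(json.dumps(trust_policy(IDENTITY_POOL_ID), indent=2))
    print(json.dumps(invoke_policy(REGION, ACCOUNT, "a1b2c3d4e5", "prod", [("GET", "/employees/*/salary")]), indent=2))
    mapping = role_mapping([("custom:designation", "Equals", "HR", hr_role)])
    print(resolve_role(mapping, {"custom:designation": "HR"}), resolve_role(mapping, {"custom:designation": "Dev"}))
```

Custom user-pool attributes appear in the ID token as `custom:<name>` claims, which is why the rule above keys on `custom:designation` rather than `designation`.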

Thanks for reading!

If you liked the above article please clap, and if you didn’t, please put your thoughts in the comments so that I can improve it.

You can reach me on LinkedIn or Quora.
