Cognito
AWS Cognito notes.
Overview
Give users an identity to interact with your web or mobile application.

User Pool
Features
- Serverless user database for web and mobile apps
- Login: username/email & password combination
- Password reset
- Email & Phone Number Verification
- Multi-factor Authentication (MFA)
- Federated Identities: users from Facebook, Google, SAML
Integration
Integrate with API Gateway & Application Load Balancer

Identity Pool (Federated Identities)
- Provide AWS credentials to users so they can access AWS resources directly
- Integrate with Cognito User Pools as an identity provider

Row Level Security in DynamoDB
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "..."],
    "Resource": ["arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"],
    "Condition": {
      "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
      }
    }
  }]
}

AWS JWT Token
Header
{
  "kid": "key-id-123456",
  "alg": "RS256",
  "typ": "JWT"
}

Payload
{
  "sub": "user-uuid-123456",
  "cognito:groups": ["your_user_pool_id_Google"],
  "iss": "https://cognito-idp.your_region.amazonaws.com/your_user_pool_id",
  "version": 2,
  "client_id": "aws-123456-aws-use-client-id-replace-aud",
  "token_use": "access",
  "scope": "openid profile email",
  "auth_time": 1672545600,
  "exp": 1735617600,
  "iat": 1672545600,
  "jti": "token-unique-identifier-123456",
  "username": "google_106955291718272375458"
}
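The header and payload above are only trustworthy after the token has been verified. Added example (not part of these notes and not AWS code): a stdlib-only Python verifier that looks up the signing key by `kid` in a JWKS document, checks the RS256 signature, and then pins `iss`, `token_use`, `client_id` and `exp`. The RSA key pair, the JWKS document and the token are constructed inside the script so it runs offline; the demo key is 1024-bit for speed, while Cognito's real keys are 2048-bit and are published at `https://cognito-idp.<region>.amazonaws.com/<user_pool_id>/.well-known/jwks.json`. `mint_demo_token`, `swap_payload` and `is_valid` are helper names invented for this example.

```python
import base64, hashlib, hmac, json, random, time

random.seed(20240101)  # deterministic demo key; a real verifier fetches the pool's JWKS

def _is_probable_prime(n, rounds=32):  # Miller-Rabin
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def _gen_keypair(bits=1024):  # demo size only; Cognito signs with 2048-bit RSA keys
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo

def _pkcs1v15_em(msg, k):  # EMSA-PKCS1-v1_5 encoding; k = modulus length in bytes
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1v15_em(msg, k), "big"), d, n).to_bytes(k, "big")

def _rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _pkcs1v15_em(msg, k))

_N, _E, _D = _gen_keypair()
KID = "key-id-123456"
ISSUER = "https://cognito-idp.your_region.amazonaws.com/your_user_pool_id"
CLIENT_ID = "aws-123456-aws-use-client-id-replace-aud"
# Constructed JWKS in the shape served at <issuer>/.well-known/jwks.json
JWKS = {"keys": [{"kid": KID, "kty": "RSA", "alg": "RS256", "use": "sig",
                  "n": _b64u(_N.to_bytes((_N.bit_length() + 7) // 8, "big")),
                  "e": _b64u(_E.to_bytes(3, "big"))}]}

def mint_demo_token(claims, kid=KID):
    """Stand-in for Cognito: issue an RS256 JWT over the given claims (hypothetical helper)."""
    header = _b64u(json.dumps({"kid": kid, "alg": "RS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64u(json.dumps(claims).encode())
    return signing_input + "." + _b64u(_rs256_sign(signing_input.encode(), _N, _D))

def swap_payload(token, claims):
    """Replace the payload but keep the old signature: a tampered token the verifier must reject."""
    h, _, s = token.split(".")
    return h + "." + _b64u(json.dumps(claims).encode()) + "." + s

def verify_access_token(token, jwks, issuer, client_id, now=None):
    """Return the claims of a valid Cognito access token; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_unb64u(h)), json.loads(_unb64u(p)), _unb64u(s)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "RS256":
        raise ValueError("unexpected header")  # never let the token choose a weaker alg
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:  # unknown kid: production code refetches the JWKS (key rotation) before failing
        raise ValueError("no JWKS key for kid")
    n, e = (int.from_bytes(_unb64u(key[x]), "big") for x in ("n", "e"))
    if not _rs256_verify((h + "." + p).encode(), sig, n, e):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:  # token must come from this user pool
        raise ValueError("wrong issuer")
    if claims.get("token_use") != "access":  # ID tokens carry aud instead of client_id
        raise ValueError("not an access token")
    if claims.get("client_id") != client_id:  # token must be for this app client
        raise ValueError("wrong client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def is_valid(token, now):
    try:
        verify_access_token(token, JWKS, ISSUER, CLIENT_ID, now)
        return True
    except ValueError:
        return False

DEMO_CLAIMS = {  # the access-token payload from the notes above
    "sub": "user-uuid-123456", "cognito:groups": ["your_user_pool_id_Google"], "iss": ISSUER,
    "version": 2, "client_id": CLIENT_ID, "token_use": "access", "scope": "openid profile email",
    "auth_time": 1672545600, "exp": 1735617600, "iat": 1672545600,
    "jti": "token-unique-identifier-123456", "username": "google_106955291718272375458"}
DEMO_TOKEN = mint_demo_token(DEMO_CLAIMS)
```

The order matters: the signature is checked before any claim is read for a decision, the `alg` is fixed by the verifier rather than taken from the token, and `iss` plus `client_id` tie the token to one user pool and one app client so a token minted for another pool or client is refused. An ID token (`token_use` of `id`) has to be checked against `aud` instead of `client_id`, and a `kid` missing from the cached JWKS should trigger one refetch before rejecting, since Cognito rotates signing keys.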