Amazon Cognito

Post on 11-Aug-2015


Transcript of Amazon Cognito

Authenticate users: manage users and identity providers
Authorize access: securely access cloud resources
Synchronize app state: sync user prefs across devices

Media sharing mobile app

Send push notifications: bring users back to your app by sending messages reliably
Store shared data: store and query fast NoSQL data across users and devices
Store media: store user-generated photos and share them
Stream real-time data: collect real-time clickstream logs and take actions quickly

Media sharing mobile app

Authenticate users: Amazon Cognito (Identity Broker)
Authorize access: AWS Identity and Access Management
Synchronize app state: Amazon Cognito (Sync)
Send push notifications: Amazon SNS Mobile Push
Store and share media: Amazon S3 Transfer Manager
Store shared data: Amazon DynamoDB (Object Mapper)
Stream real-time data: Amazon Kinesis (Recorder)

User identity and sync with Amazon Cognito

Amazon Cognito Overview

Identity Management: manage authenticated and guest users across identity providers
Data Synchronization: synchronize a user's data across devices and platforms via the cloud
Secure AWS Access: securely access AWS services from mobile devices and platforms

Amazon Cognito: Use cases

Identity across the web and mobile

(Figure: game state carried from one device to the next through a series of state transitions)

Amazon Cognito: Identity

(Figure: identity providers map Joe, Anna and Bob to unique identities in Amazon Cognito, which are then usable from any device, on any platform, with any AWS service: Mobile Analytics, S3, DynamoDB, Kinesis)

Helps implement security best practices: securely access any AWS service from a mobile device. It simplifies the interaction with AWS Identity and Access Management.

Support multiple login providers: easily integrate with major login providers for authentication.

Unique users vs. devices: manage unique identities. Automatically recognize a unique user across devices and platforms.

Amazon Cognito unauthenticated

Unique identifier for your "things": "headless" connected devices can also securely access cloud services.

Save data to the cloud: save app and device data to the cloud and merge them after login.

Guest user access: securely access AWS resources and leverage app features without the need to create an account or log in.

(Figure: a visitor's preferences are saved to the Cognito store under a guest identity, which can also reach EC2, S3, DynamoDB and Kinesis)

Amazon Cognito Authenticated Flow

Developer Authenticated Identities – Support Any Login

Amazon Cognito: Security best practices

Amazon Cognito Security

Set granular access permissions on AWS resources: get fine-grained access control to cloud resources.

Safeguard AWS credentials: no need to embed credentials in the app anymore. Get least-privileged temporary credentials.

Helps implement security best practices: securely access any AWS service. It simplifies the interaction with the Security Token Service and removes the need for a Token Vending Machine.

(Figure: EC2, S3, DynamoDB, Kinesis reached with temporary credentials)

Amazon Cognito: Cloud sync

What have customers told us about "Synchronized Profile"?

People have multiple devices and want to transition between devices.
Implementing a user profile that syncs across devices, operating systems and apps is hard.
It not only has to work offline, it must also be easy to integrate with existing apps.

Amazon Cognito Sync Features

• Store app data, preferences and state: save app and user data to the cloud
• Work offline: data is persisted to local storage first. Local data is available regardless of connectivity
• No backend: a simple client SDK eliminates the need for server-side code

(Figure: user data flows between the app and the identity pool)

Sync Data Model

• Identity Pool: pool of app users. Can be shared across apps.
• Identity: an individual user. Consistent across identity providers. Can be a guest user.
• Dataset: per-user grouping of data. The most granular level of sync. Up to 1MB.
• Record: key/value pair of user data.

(Figure: AWS Account → Identity Pool (1:60) → Identity (1:n) → Dataset (1:20) → Record (1:1024))

Let’s build our app

2. Identity with Amazon Cognito

Amazon Cognito Security Architecture

(Figure: end users run an app built with the AWS Mobile SDK. The app logs in to an OAuth/OpenID provider and receives an access token. It sends that access token together with the pool ID to Cognito Identity and receives a Cognito ID plus temporary credentials. With those temporary credentials it accesses DynamoDB, S3, Mobile Analytics and the Cognito Sync store. The developer configures the pool ID and the role ARNs in the AWS Management Console.)

Create an unauthenticated identity

// Credentials provider backed by the identity pool; the two role ARNs
// decide what guest (unauthenticated) and logged-in users are allowed to do
AWSCognitoCredentialsProvider *credentialsProvider =
    [AWSCognitoCredentialsProvider credentialsWithRegionType:AWSRegionUSEast1
                                                   accountId:@"AWS_ACCOUNT_ID"
                                              identityPoolId:@"COGNITO_IDENTITY_POOL"
                                               unauthRoleArn:@"arn:aws:iam::AWS_ACCOUNT_ID:role/UNAUTHENTICATED_ROLE"
                                                 authRoleArn:@"arn:aws:iam::AWS_ACCOUNT_ID:role/AUTHENTICATED_ROLE"];

// Make this provider the default for every AWS service client in the app
AWSServiceConfiguration *configuration =
    [AWSServiceConfiguration configurationWithRegion:AWSRegionUSEast1
                                 credentialsProvider:credentialsProvider];
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
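The two role ARNs passed to the credentials provider are where the "least-privileged temporary credentials" promise from the security best practices slide is actually enforced. As an added example (not part of the deck or of the AWS SDK), the Python below builds the IAM trust policy that limits each role to this identity pool and to the matching authenticated/unauthenticated state, and a DynamoDB permission policy that scopes an identity to its own items through the `${cognito-identity.amazonaws.com:sub}` policy variable. The pool id and table ARN are constructed placeholders, and `allows_identity` is a simplified check of the LeadingKeys condition only, not a full IAM evaluator.

```python
import json

# Constructed placeholders, in the deck's own placeholder style.
IDENTITY_POOL_ID = "us-east-1:COGNITO_IDENTITY_POOL"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:AWS_ACCOUNT_ID:table/mediashare"
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"  # IAM policy variable: caller's identity id


def trust_policy(identity_pool_id, authenticated):
    """Trust policy for one of the two roles: only Cognito Identity may assume
    it, only for this pool (aud) and only for the matching auth state (amr)."""
    amr = "authenticated" if authenticated else "unauthenticated"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }


def per_identity_dynamodb_policy(table_arn):
    """Permission policy: an identity may only touch items whose partition key
    equals its own Cognito identity id (fine-grained access control)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": table_arn,
            "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [SUB_VAR]}},
        }],
    }


def allows_identity(policy, identity_id, partition_key):
    """Simplified check of the LeadingKeys condition only, not a full IAM evaluator."""
    for stmt in policy["Statement"]:
        keys = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        allowed = [k.replace(SUB_VAR, identity_id) for k in keys.get("dynamodb:LeadingKeys", [])]
        if stmt["Effect"] == "Allow" and partition_key in allowed:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(IDENTITY_POOL_ID, False), indent=2))
    print(json.dumps(per_identity_dynamodb_policy(TABLE_ARN), indent=2))
```

Attach the trust policy to UNAUTHENTICATED_ROLE with `authenticated=False` and to AUTHENTICATED_ROLE with `authenticated=True`; the permission policy can be attached to either role so that a guest identity's data is merged, not leaked, when it later logs in.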

Link a social profile, authenticated identities

// Hand the Facebook access token to Cognito; the identity becomes authenticated
NSString *token = FBSession.activeSession.accessTokenData.accessToken;
credentialsProvider.logins = @{ @(AWSCognitoLoginProviderKeyFacebook): token };

• Logins is a map
• Can contain tokens from all supported providers: Amazon, Facebook, Google, your own identity system

Identity state changes

// Observe identity id changes, e.g. a guest identity being merged into an authenticated one
[[NSNotificationCenter defaultCenter] addObserver:self
                                         selector:@selector(identityDidChange:)
                                             name:AWSCognitoIdentityIdChangedNotification
                                           object:nil];

- (void)identityDidChange:(NSNotification *)notification {
    NSDictionary *userInfo = notification.userInfo;
    NSLog(@"identity changed from %@ to %@",
          [userInfo objectForKey:AWSCognitoNotificationPreviousId],
          [userInfo objectForKey:AWSCognitoNotificationNewId]);
}

Let’s build our app

3. Synchronize app state

Save and sync preferences and state

// Create the sync client and open (or create) the dataset for this identity
AWSCognito *syncClient = [AWSCognito defaultCognito];
AWSCognitoDataset *dataset = [syncClient openOrCreateDataset:@"mediashare"];

// Save the current state of the application locally, then push it to the cloud
[dataset setString:self.currentPhotoName forKey:@"latest_photo"];
[dataset synchronize];