Chapter 6. Managing identities
This chapter covers
- Introducing the identity features provided by Amazon Cognito
- Using external authentications already integrated with Amazon Cognito
- Integrating your own custom authentication
- Managing authenticated and unauthenticated identities in your application
In the previous chapter you learned how to use Lambda functions in different use cases, configuring the required permissions for those functions to act on other AWS resources such as S3 buckets or DynamoDB tables. But it’s still not clear how to manage authentication for external users interacting with AWS resources and Lambda functions via a client application (figure 6.1).
Figure 6.1. External users using AWS resources, such as Lambda functions from a client application, need to be authenticated and authorized. But for security reasons you can’t embed AWS credentials in the client application.
Amazon Cognito has been designed specifically to make it simple for external users and applications to assume a role on AWS and obtain temporary security credentials. It also makes it easy to follow AWS security best practices, such as never hard-coding AWS credentials where it can be avoided, and especially where you can’t control who can read them, as in a mobile app or in JavaScript code downloaded by a web browser.
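As an added example (not from the book), the check a practitioner would run on a client bundle before shipping it: scan for the long-lived IAM credentials that figure 6.1 says must never be embedded, as opposed to a Cognito identity pool id, which is safe to publish because the temporary credentials are vended at runtime. The sample bundle is constructed and uses AWS's documented example key pair and a placeholder identity pool id, not real values.

```python
import re

# Constructed sample: a fragment of a client-side JavaScript bundle with
# long-lived AWS credentials embedded (AWS's documented example key pair,
# not real credentials) next to the Cognito-based approach that needs none.
SAMPLE_BUNDLE = r"""
// bad: long-lived IAM user keys shipped to every browser that loads the page
var s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
});

// good: only a Cognito identity pool id (placeholder); temporary credentials are vended at runtime
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: "us-east-1:00000000-0000-0000-0000-000000000000"
});
"""

# Long-lived access key ids start with AKIA; temporary (STS/Cognito) ones start with ASIA.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character base64-like value assigned to a secret-looking key name.
SECRET_RE = re.compile(
    r"(?i)(secret(?:_?access)?_?key|aws_secret)\W{0,5}[\"']?([A-Za-z0-9/+=]{40})[\"']?"
)


def find_embedded_credentials(text):
    """Return (line_no, kind, value) findings for credential material that should
    never ship in client code. Temporary ASIA keys are reported too: if they sit in
    a static bundle they were copy-pasted, not obtained at runtime from Cognito."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            kind = "long-lived access key id" if m.group(1) == "AKIA" else "temporary access key id"
            findings.append((line_no, kind, m.group(0)))
        for m in SECRET_RE.finditer(line):
            findings.append((line_no, "secret access key", m.group(2)))
    return findings


def bundle_is_safe_to_ship(text):
    """True when no credential material was found; an identity pool id alone is fine."""
    return not find_embedded_credentials(text)


if __name__ == "__main__":
    for line_no, kind, value in find_embedded_credentials(SAMPLE_BUNDLE):
        print(f"line {line_no}: {kind}: {value[:4]}...{value[-4:]}")
```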