Merikanto

A flute and a sword: that has been my life's ambition; fifteen years squandered on a wild reputation

AWS - 13: Five Security-related Services

In the thirteenth post of the AWS series, we’re going to talk about 5 security-related services:

  • Cognito (authentication and authorization)
  • Config (resource configuration inventory and compliance)
  • Systems Manager (centralized operational data and automation)
  • KMS (Key Management Service)
  • Secrets Manager (secret storage with automatic rotation)


Cognito

  • User management and authentication service, integrated with web / mobile apps
  • Authenticates users directly or through an external identity provider, and provides temporary security credentials
  • Cognito identity and access tokens are JWTs (JSON Web Tokens); Cognito uses JWTs for token-based authentication

User pools

  • User directories that provide sign-up and sign-in options for app users
  • Use the aliasing feature to let your users sign up or sign in with email and password, or with phone number and password
  • Each user pool is created in one AWS Region and stores the user profile data only in that region. You can also send user data to a different AWS Region
  • User pool groups let you manage your users and their access to resources by mapping IAM roles to groups

(Figure: sign-up authentication flow chart)

(Figure: sign-in flow chart)

  • After a successful user pool sign-in, your web or mobile app will receive user pool tokens from Amazon Cognito. You can use those tokens to control access to your server-side resources

  • Access resources with API Gateway and Lambda with a User Pool. API Gateway validates the tokens from a successful user pool authentication, and uses them to grant your users access to resources, including Lambda functions

    • After a successful user pool authentication, your app will receive user pool tokens from Amazon Cognito. You can exchange them for temporary access to other AWS services with an identity pool
    • Grant your users access to AWS AppSync resources with tokens from a successful Amazon Cognito authentication (from a user pool or an identity pool). Cognito is also commonly used together with AWS Amplify
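Added example (not from the original post): the claim checks a backend performs on a user pool token before trusting it, covering the access/ID token difference in how the app client is named. The user pool ID, app client ID and sample token are constructed; RS256 signature verification against the pool's JWKS is assumed to have happened first.

```python
import base64
import json
import time
from typing import Optional

# Hypothetical user pool and app client identifiers (constructed, not from the page).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE1"
APP_CLIENT_ID = "1example23456789"
EXPECTED_ISS = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(jwt: str) -> dict:
    """Return the payload segment of a JWT (no signature check is done here)."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def validate_cognito_claims(claims: dict, token_use: str, now: Optional[float] = None) -> list:
    """Return the list of claim problems; an empty list means the token is usable.
    Call only after the RS256 signature was verified against the user pool's JWKS."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISS:
        problems.append("iss is not our user pool")
    if claims.get("token_use") != token_use:
        problems.append(f"token_use is {claims.get('token_use')!r}, expected {token_use!r}")
    # ID tokens name the app client in 'aud'; access tokens name it in 'client_id'.
    client_claim = "aud" if token_use == "id" else "client_id"
    if claims.get(client_claim) != APP_CLIENT_ID:
        problems.append(f"{client_claim} does not match our app client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp")
    return problems


def build_sample_token(claims: dict) -> str:
    """Constructed JWT-shaped string with a dummy signature, for offline testing only."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), _b64url(b"not-a-real-signature")])


# Constructed access-token claims as a user pool would issue them.
SAMPLE_ACCESS_CLAIMS = {"iss": EXPECTED_ISS, "token_use": "access",
                        "client_id": APP_CLIENT_ID, "exp": 1_700_000_100, "sub": "example-sub"}
```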


Identity pools

  • Grant your users temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB

  • To save user profile information, your identity pool needs to be integrated with a user pool

  • Support anonymous guest users

    Support unauthenticated identities by providing a unique identifier and AWS credentials for users who do not authenticate with an identity provider

  • The permissions for each authenticated and non-authenticated user are controlled through IAM roles that you create


User pools & Identity pools

  • User pools are for user authentication (sign up / sign in)
  • Identity pools are for user authorization (temporary AWS credentials to access resources); rules map users to different IAM roles

Cognito Sync

  • Store and sync data across devices
  • Trigger the sync of data sets between client devices and the Amazon Cognito sync store by calling the synchronize() method in the AWS Mobile SDK (synchronize() reads the latest version of the user data, then writes)
  • Cognito Sync store is a key/value pair store linked to an Amazon Cognito identity
  • With Cognito Streams, you can push sync store data to a Kinesis stream in your AWS account

Cognito & Lambda

  • You can create an AWS Lambda function and then trigger that function during user pool operations such as user sign-up, confirmation, and sign-in (authentication) with a Lambda trigger
  • You can create a Lambda function as a backend to Cognito that serves auth challenges to users signing in
  • Cognito invokes Lambda functions synchronously. When called, your Lambda function must respond within 5 seconds. If it does not, Amazon Cognito retries the call. After 3 unsuccessful attempts, the function times out


AWS Config

  • A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance

  • Provides pre-built rules to evaluate your AWS resource configurations and configuration changes, or create your own custom rules in AWS Lambda that define your internal best practices and guidelines for resource configurations.


  • Config records change details for AWS resources to provide you with a configuration history, and automatically delivers it to the S3 bucket you specify
  • Config enables you to record software configuration changes within your EC2 instances and on-premises servers
    • OS configs
    • System-level updates
    • Installed applications
    • Network configs

  • Provides configuration snapshot: a point-in-time (PIT) capture of all your resources and their configurations

  • Configuration item: A record of the configuration of a resource in your AWS account.

    Config creates a configuration item whenever it detects a change to a resource type that it is recording
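Added example (not from the original post): the shape of a custom Config rule in Lambda, the kind the list above mentions. The rule itself (EC2 instances must carry the tags named in a "requiredTags" rule parameter) and the invocation event are constructed; the event fields and the PutEvaluations call are the real ones Config uses.

```python
import json

# Hypothetical custom rule (constructed for this example): every EC2 instance must
# carry the tags named in the rule parameter "requiredTags" (comma-separated).
APPLICABLE_TYPES = {"AWS::EC2::Instance"}

def evaluate_compliance(item: dict, rule_parameters: dict) -> tuple:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") not in APPLICABLE_TYPES:
        return "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource was deleted"
    required = {t.strip() for t in rule_parameters.get("requiredTags", "").split(",") if t.strip()}
    missing = sorted(required - set((item.get("tags") or {}).keys()))
    if missing:
        return "NON_COMPLIANT", "missing required tags: " + ", ".join(missing)
    return "COMPLIANT", "all required tags present"

def build_evaluation(event: dict) -> dict:
    """Parse the Config invocation event into one PutEvaluations entry. (Oversized change
    notifications carry only a summary and need GetResourceConfigHistory; not handled here.)"""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(item, rule_parameters)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Entry point AWS Config invokes; reports the verdict with PutEvaluations."""
    import boto3  # imported here so the evaluation logic above stays testable offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed configuration item and invocation event of the shape Config sends on a change.
SAMPLE_ITEM = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
               "configurationItemStatus": "OK", "tags": {"Name": "web-1"},
               "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}
SAMPLE_EVENT = {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                             "configurationItem": SAMPLE_ITEM}),
                "ruleParameters": json.dumps({"requiredTags": "Owner, CostCenter"}),
                "resultToken": "constructed-result-token"}
```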


Monitoring

  • SNS: notifications on configuration changes
  • CW (CloudWatch) Events: detect and react to changes in the status of AWS Config events
  • CT (CloudTrail): capture all API calls to Config


Systems Manager

Centralize operational data from multiple AWS services, and automate tasks across your AWS resources

  • You can select a resource group and view its recent API activity, resource configuration changes, related notifications, operational alerts, software inventory, and patch compliance status
  • Allows you to safely automate common and repetitive IT operations and management tasks across AWS resources
  • Schedule windows of time to run administrative and maintenance tasks across your instances

SSM Agent

  • Processes Systems Manager requests and configures the machine as specified in the request
  • Must be installed on each instance you want to use with Systems Manager.
  • On newer AMIs and instance types, SSM Agent is installed by default

State Manager

  • A service that automates the process of keeping your EC2 and hybrid infrastructure in a state that you define

🧡 Parameter Store (with CloudFormation: retrieve an AMI ID from a parameter and use it in an update-stack API call)

  • Provides secure, hierarchical storage for configuration data and secrets management
  • Store values as plain text or encrypted data
  • Parameters work with Systems Manager capabilities such as Run Command, State Manager, and Automation

Monitoring

  • SSM Agent writes information about executions, scheduled actions, errors, and health statuses to log files on each instance
  • More efficient: configure SSM Agent or the CloudWatch agent to send log data to CloudWatch Logs
  • CW Logs: monitor log data in real time, search and filter log data by creating one or more metric filters, and archive and retrieve historical data when you need it
  • CT: log Systems Manager API calls

Security

  • Systems Manager is linked directly to IAM for access control


KMS

  • A managed service that enables you to easily encrypt your data
  • A highly available key storage, management, and auditing solution; lets you encrypt data within your own applications and control the encryption of stored data across AWS services

  • Integrated with CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when
  • Customer master keys (CMK)
    • To control access to data encryption keys that encrypt and decrypt your data
    • Generate, encrypt & decrypt the data keys that you use outside of KMS to encrypt your data
    • Master keys are 256 bits in length
  • KMS can automatically rotate master keys created within KMS once per year, without the need to re-encrypt data
  • KMS stores multiple copies of encrypted versions of your keys in its systems

CMK Types

  • Customer managed CMK: keys that you create, own, and manage
  • AWS managed CMK: keys in your account that are created, managed, and used on your behalf by an AWS service that integrates with KMS. You cannot manage these CMKs or change their permissions
  • AWS owned CMKs: keys that are not in your account


Secrets Manager

  • A secrets management service that enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle
  • Encrypts secrets at rest using encryption keys that you own and store in KMS (CMK). When you retrieve a secret, Secrets Manager decrypts the secret and transmits it securely over TLS to your local environment
  • Rotate secrets on a schedule or on demand by using the Secrets Manager console, AWS SDK, or AWS CLI
  • 🧡 Natively supports rotating credentials for databases hosted on RDS & DocumentDB, and clusters hosted on Redshift

  • A secret consists of a set of credentials (user name and password), and the connection details used to access a secured service
  • A secret also contains metadata & versions
    • Multiple versions exist when you rotate the credentials
    • Each version has an encrypted copy of the secret value

  • To retrieve secrets, you simply replace plain-text secrets in your applications with code that pulls those secrets programmatically using the Secrets Manager APIs
  • Secrets can be cached on the client side, and updated only during a secret rotation
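Added example (not from the original post): the client-side caching pattern from the two points above, including what happens when a rotation invalidates the cached password. The secret name, the in-memory Secrets Manager stand-in and the database stand-in are constructed so the code runs offline; in Lambda you would pass boto3's get_secret_value as the fetcher.

```python
import json
import time
from typing import Callable

class SecretCache:
    """Client-side cache: fetch a secret once, reuse it until the TTL expires, and
    refresh early when a consumer reports the cached credentials were rejected."""
    def __init__(self, fetcher: Callable, ttl_seconds: int = 300, clock=time.time):
        self._fetch = fetcher      # e.g. boto3.client("secretsmanager").get_secret_value
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}         # secret_id -> (fetched_at, parsed secret dict)
    def get(self, secret_id: str, force_refresh: bool = False) -> dict:
        entry = self._entries.get(secret_id)
        now = self._clock()
        if force_refresh or entry is None or now - entry[0] >= self._ttl:
            response = self._fetch(SecretId=secret_id)
            if "SecretString" not in response:
                raise ValueError("this example only handles SecretString (JSON) secrets")
            value = json.loads(response["SecretString"])
            self._entries[secret_id] = (now, value)
            return value
        return entry[1]

def connect_with_refresh(cache: SecretCache, secret_id: str, connect: Callable):
    """Connect with cached credentials; if they are rejected, refresh once and retry."""
    try:
        return connect(cache.get(secret_id))
    except PermissionError:
        return connect(cache.get(secret_id, force_refresh=True))

class FakeSecretsManager:
    """Constructed stand-in for the Secrets Manager API and a database (offline only)."""
    def __init__(self):
        self.calls, self.password = 0, "pw-v1"
    def get_secret_value(self, SecretId):
        self.calls += 1
        secret = {"username": "app", "password": self.password, "host": "db.internal", "port": 5432}
        return {"Name": SecretId, "SecretString": json.dumps(secret)}
    def rotate(self):              # simulates Secrets Manager rotating the DB password
        self.password = "pw-v2"
    def connect(self, creds):      # simulates the database checking credentials
        if creds["password"] != self.password:
            raise PermissionError("authentication failed")
        return f"session for {creds['username']}@{creds['host']}"
```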

Secret Rotation

  • When rotating secrets on natively supported services, Secrets Manager uses CloudFormation to build the rotation function and configure the network connection between the two
    • Database running in a VPC, not publicly accessible: the CloudFormation template configures the Lambda rotation function to run in the same VPC, so the rotation function can communicate with the protected service directly within the VPC
    • Publicly accessible resource: CloudFormation configures the Lambda rotation function not to run in a VPC; the rotation function communicates with the protected service via its publicly accessible connection point

  • 🧡 By default, the Secrets Manager endpoints run on the public Internet. If you run your Lambda rotation function and protected database or service in a VPC, then you must perform one of the following steps:

    • Add a NAT gateway to your VPC (Enables traffic that originates in your VPC to reach the public Secrets Manager endpoint)

    • Configure Secrets Manager service endpoints directly within your VPC

      Configures your VPC to intercept any request addressed to the public regional endpoint, and redirect the request to the private service endpoint running within your VPC


Security

  • By default, Secrets Manager does not write or cache the secret to persistent storage
  • By default, Secrets Manager only accepts requests from hosts that use TLS and Perfect Forward Secrecy
  • Control access to the secret with IAM
  • Tag secrets individually and apply tag-based access controls
  • Secrets Manager does not immediately delete secrets. Instead, it immediately makes the secret inaccessible and schedules it for deletion after a recovery window of at least 7 days