AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Service - Jinesh Varia

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.

AWS Mobile Services : Deep Dive on Amazon Cognito

Stefano Buliani (@sapessi)Jinesh Varia (@jinman)


How to build a mobile app today?


Authenticate users

Authorize access

Analyze User Behavior

Store and share media

Synchronize data

Deliver media

Store shared data

Stream real-time dataTrack Retention

Send push notifications

Manage users and identity providers

Securely access cloud resources

Sync user prefs across devices

Track active users, engagement

Manage funnels, Campaign performances

Store user-generated photosMedia and share them

Automatically detect mobile devicesDeliver content quickly globally

Bring users back to your app by sendingmessages reliably

Store and query fast NoSQL dataacross users and devices

Collect real-time clickstream logs and take actions quickly

Your Mobile

App


Introducing AWS Mobile Services

Amazon Cognito Amazon Mobile AnalyticsAmazon SNS Mobile Push

Kinesis Connector DynamoDB Connector S3 Connector SQS ConnectorSES Connector

AWS Global Infrastructure (10 Regions, Availability Zones, 51 Edge Locations)

Core Building Block Services

Mobile Optimized Connectors

Mobile Optimized Services

Your Mobile App, Game or Device App

AWS Mobile SDK, API Endpoints, Management Console

Compute Storage Networking Analytics Databases

Integrated SDK


Cross-platform, Optimized for Mobile



User identity & data synchronizationservice

Store any NoSQL data and also map mobile OS specific objects to DynamoDB tables

Fast cross-platformAnalytics & reportingService

Powerful Cross-platformPush notification service

Recorder that can handle intermittent network connection

Easily upload, download to S3 and also pause, resume, and cancel these operations

Send email reliably from device

Access distributed buffering and queuing service


Fully Integrated AWS Mobile SDK

• Common authentication mechanism across all services

• Automatically handle intermittent network connections

• Cross-platform Support: Android, iOS, Fire OS

• Native SDKs optimized for Mobile OS, for example, uses the local offline caching architecture

• Reduced memory footprint; Pick and choose the service jars you need


Authenticate users

Authorize access



Synchronize data

Deliver media

Store shared data













Your Mobile

App


Authenticate users

Authorize access



Synchronize data

AWS Mobile SDK

Amazon Mobile Analytics

Deliver media

Amazon Cognito (Sync)

AWS Identity and Access Management

Amazon Cognito(Identity Broker)

Amazon S3Transfer Manager

Amazon CloudFront(Device Detection)

Store shared dataAmazon DynamoDB(Object Mapper)

Stream real-time dataAmazon Kinesis(Recorder)

Track RetentionAmazon Mobile Analytics

Send push notificationsAmazon SNS Mobile Push

Your Mobile

App


Amazon Cognito


Amazon Cognito

Simplifies Identity and Access Management

Securely access all AWS services from

Mobile device

Cross-device and Cross-platform Sync

Implement security best practices

“Your App data is secure, available offline, and kept in sync between devices”

Synchronize user’s data across devices and

platforms

Manage users as unique identities across

identity providers

Guest Your own Auth


Identity Providers

UniqueIdentitiesJoe Anna Bob

Any DeviceAny Platform

Any AWS Service

Helps implement security best practicesSecurely access any AWS Service from mobile device. It simplifies the interaction with AWS Identity and Access Management

Support Multiple Login ProvidersEasily integrate with major login providers for authentication.

Unique Users vs. DevicesManage unique identities. Automatically recognize unique user across devices and platforms.

Amazon Cognito Identity

Mobile Analytics

S3 DynamoDB Kinesis


Amazon Cognito for Unauthenticated Identities

Unique Identifier for Your “Things”“Headless” connected devices can also securely access cloud services.

Save Data to the CloudSave app and device data to the cloud and merge them after login

Guest User AccessSecurely access AWS resources and leverage app features without the need to create an account or logging in

VisitorPreferences

Cognito Store

Guest

EC2 S3 DynamoDBKinesis


Use Case: Unique Identity across the web and mobile


Use case: State transition

Users begin their life as guests


Later on they register an account

• The transition should be seamless


Later on they register an account

• The transition should be seamless



Multiple accounts can be linked

• You should have a consistent identifier


Use case: Game State


Getting Started with Cognito in 3 steps

Sign up for AWS Account and login to AWS Management Console

Download and integrate the Mobile SDK and store and sync user data in a dataset

Create identitypool for authenticated and unauthenticated users in the AWS Console


Demo: Amazon Cognito Console


Amazon Cognito Security

Set granular access permissions on AWS resourcesGet fine-grained access control to cloud resources.

Safeguard AWS CredentialsNo need to embed credentials in the app anymore. Get least-privileged temporary credentials.

Helps implement security best practicesSecurely access any AWS Service. It simplifies the interaction with Security Token Service and removes the need of Token Vending Machine

EC2 S3 DynamoDB Kinesis


Amazon Cognito Security Architecture

End Users

App with AWS Mobile

SDKAccessto AWS

Services

Login OAUTH/OpenIDAccess Token

Cognito ID, Temp

Credentials

Access TokenPool ID

Role ARNs

Cognito ID(Temp

Credentials)

DynamoDB

Developer

Cognito Identity Broker

S3

Mobile Analytics

Cognito Sync Store

AWS Management

Console


Developer-Authenticated Identities

Your own user authentication systemSeveral apps prefer to have their own username and password instead of public identity providers for authentication.

Manage mappings easilyCognito manages the mappings across login systems (public or private) using a unique Cognito ID

Easily integrate with existing systemsImplement GetOpenIdTokeForDeveloperIdentity() using our server-side SDKs like Java, Python, Ruby etc.

UsernameAnd Password

Your User Authentication

System


Developer Authenticated Identities

Cognito ID(Temp

Credentials)

DynamoDB

End Users

Developer

App with AWS Mobile

SDK

Accessto AWS

Services

Cognito Identity Broker

Get OpenID Token

Username password

Cognito ID, Temp Credentials

S3

Mobile Analytics

Cognito Sync Store

AWS Management

Console

OIDC TokenPool ID

Role ARNs

User Authentication System

(Running on AWS or not)

OIDC Token

OIDC Token


Amazon Cognito: Authorize Access using AWS IAM


Amazon Cognito (Identity Broker)

Identitypool

Identity Providers

Pool of identities that share the same trust policy

Access Policy

Access to AWS

Servicesidentitypool

Unauthenticated Identities

authenticated identities

AWS IAM Roles

AWS Account

Web Identity Federation

S3

DynamoDB

Get Delete Put


Access Policy for the IAM Role{ "Effect":"Allow", "Action":["s3:*"], "Resource":"*"} { "Effect": ”Deny", "Action": ["dynamodb:*"], "Resource": "*"}

{ "Effect": "Allow", "Action": [”cognito-sync:*"], "Resource": "*"}

AllowActions:

All S3, Sync store Operations

Resource:All resources within these services

DenyActions:

All DDB Operations

Resource:All resources


Access Policy Restriction{ "Effect":"Allow", "Action":["s3:PutObject","s3:GetObject","s3:DeleteObject",

"s3:ListMultipartUploadParts","s3:AbortMultipartUpload"], "Resource":"arn:aws:s3:::BUCKET_NAME/*"} { "Effect":"Allow", "Action":["s3:ListBucket","s3:ListBucketMultipartUploads"], "Resource":"arn:aws:s3:::BUCKET_NAME"}{ "Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"], "Resource" : [ "arn:aws:dynamodb:REGION:123456789:table/TABLE_NAME",

"arn:aws:dynamodb:REGION:123456789:table/TABLE_NAME/index/INDEX_NAME" ]

}

AllowActions:

Certain operations

Resource:One bucket, table ..


Access Policy Restriction

{ "Effect":"Allow”,"Action” ["s3:PutObject","s3:GetObject","s3:DeleteObject”,”s3:ListMultipartUploadParts","s3:AbortMultipartUpload"], "Resource":"arn:aws:s3:::BUCKET_NAME/Bob/*"} { "Effect":"Allow", "Action":"s3:ListBucket", "Resource":"arn:aws:s3:::BUCKET_NAME", "Condition":{"StringLike":{"s3:prefix":”Bob/"}}}{ "Effect":"Allow", "Action":["s3:ListBucketMultipartUploads"], "Resource":"arn:aws:s3:::BUCKET_NAME"}

AllowActions:

Certain operations

Resource:Within a bucket with specific prefix (user)


Access Policy Restriction (Policy Variables)

AllowActions:

All sync operations

Resource:Only to that identity

{"Effect": "Allow”,"Action": ["s3:GetObject”,"s3:PutObject”],"Resource": ["arn:aws:s3:::

myBucket/amazon/snakegame/${cognito-identity.amazonaws.com:sub}"]

}

{"Effect":"Allow","Action":"cognito-sync:*", "Resource":["arn:aws:cognito-sync:us-east-1: 123456789012:identitypool/

${cognito-identity.amazonaws.com:aud}/identity/

${cognito-identity.amazonaws.com:sub}/*"] }

AllowActions:

S3 Get/Put operations

Resource:Only to a specific part of bucket to that identity


Synchronize data across devices : Amazon Cognito (Sync)


What have customers told us about “Synchronized Profile”

People have multiple devices and want to transition between devices. Implementing a user profile that syncs across devices, OS, apps is hard. It not only has to work when offline, but easy to integrate with existing apps.


Amazon Cognito Sync

User Data Storage andSync

Any Platform

iOS/Android/FireOS

Store App Data, Preferences and StateSave app and device data to the cloud and merge them after login

Cross-device Cross-OS Sync Sync user data and preferences across devices with one line of code

Work OfflineData always stored in local SQLite DB first. Works seamlessly when intermittent or no connectivity

k/v data

Identity pool


Amazon Cognito Sync

Offline: The client SDK manages a local SQLite data store to allow the app to work even when connectivity is not available.

Fast: The methods to read and write data only interact with the local SQLite database.

Intelligent Sync: The sync method compares the local version of the data to the cloud sync store, pushes up deltas and pulls down new changes.

Flexible Conflict resolution: The sync method first reads the changes then writes its local changes to the cloud sync store By default Cognito assumes that the last write wins. Developers can override and implement their own conflict resolution programmatically

Local SQLite Cache


Sync Data Model

Identity Pool: Pool of app users. Can be shared across apps.

Identity: An individual user. Consistent across identity providers. Can be a guest user.

Dataset: Per user grouping of data. The most granular level of sync. Up to 1MB.

Record: Key/Value pair user data

AWS Account

Dataset

IdentityIdentityIdentity

DatasetDataset

Identity

Pool

1:60

1:n

1:20

DatasetDatasetRecord

1:1024

You

Your App

Your App Users

User Data Container

User Data


Sync Data Model - Example

Userpreferences

Developer has two apps: a game and a

productivity app

Game state

Identitypool1

Productivity App

GameApp

AWS Account

Dataset

IdentityIdentityIdentity

DatasetDataset

Identity

Pool

1:60

1:n

1:20

DatasetDatasetRecord

1:1024

You

Your App

Your App Users

User Data Container

User Data


Integrating Cognito Sync functionality is dead simple

Initialize the CredentialsProvider and CognitoClient

Call synchronize on the dataset

Create or open Dataset and Add Key Values

provider = new CognitoCachingCredentialsProvider (context, AWS_ACCOUNT_ID, COGNITO_POOL_ID, COGNTIO_ROLE_UNAUTH,

COGNITO_ROLE_AUTH, Regions.US_EAST_1);

cognito = new CognitoSyncManager (context, COGNITO_POOL_ID, Regions.US_EAST_1, provider);

dataset.synchronize(new SyncCallback(){..});

cognito.openOrCreateDataset(datasetName);dataset.put(key, value);


Integrating Cognito Sync functionality is dead simple

Initialize the AWSCognitoSyncClient

Call synchronize on the dataset

Create or open Dataset and Add Key Values

DataSet *dataset = [syncClient openOrCreateDataSet:@"myDataSet"];NSString *value = [dataset readStringForKey:@"myKey"];[dataset putString:@"my value" forKey:@"myKey"];

AWSCognitoSyncClient *syncClient = [[AWSCognitoSyncClient alloc] initWithConfiguration: configuration];

[dataset synchronize];

iOS


Simple and predictable pay as you go pricing

Amazon Cognito

Free Tier (for first 12 months):1 Million syncs/month + 10GB of storage for Amazon Cognito

Thereafter:$0.15 for 10K Syncs$0.15 per GB for storage

Number of monthly sync operations

1,000,000

Monthly sync charge (1,000,000 / 10,000) * $0.15 = $15

Sync store space 4.77GB

Monthly sync store charge

4.77 * $0.15 = $0.72

Total charge $15.72


Summary


Authenticate users

Authorize access



Synchronize data

Deliver media

Store shared data













Your Mobile

App


Authenticate users

Authorize access



Synchronize data

AWS Mobile SDK

Amazon Mobile Analytics

Deliver media

Amazon Cognito (Sync)

AWS Identity and Access Management

Amazon Cognito(Identity Broker)

Amazon S3Transfer Manager

Amazon CloudFront(Device Detection)

Store shared dataAmazon DynamoDB(Object Mapper)

Stream real-time dataAmazon Kinesis(Recorder)

Track RetentionAmazon Mobile Analytics

Send push notificationsAmazon SNS Mobile Push

Your Mobile

App


Key Takeaways










Integrated SDK


Key Takeaways: Amazon Cognito










Integrated SDK

Cross Platform and Optimized

for Mobile

FlexibilityAnd Freedom

of Choice

Fully integratedand easy to get

started


Amazon Cognito

Free Tier (for first 12 months):1 Million syncs/month + 10GB of storage

Get Started Today With Cognito for Free!

http://aws.amazon.com/mobile

Cognito developer forum: https://forums.aws.amazon.com/forum.jspa?forumID=173

AWS Mobile blog: http://mobile.awsblog.com/

AWS Mobile SDK: http://aws.amazon.com/mobile/sdk/

Amazon Cognito: http://aws.amazon.com/cognito/

FAQ: http://aws.amazon.com/cognito/faqs/

https://forums.aws.amazon.com/forum.jspa?forumID=173



http://mobile.awsblog.com/

http://mobile.awsblog.com/

http://aws.amazon.com/mobile/sdk/

http://aws.amazon.com/cognito/

http://aws.amazon.com/cognito/

http://aws.amazon.com/cognito/faqs/

http://aws.amazon.com/cognito/faqs/


Thank You!

Jinesh Varia, Stefano Buliani@jinman, @sapessi

AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Service - Jinesh Varia

Documents

Transcript of AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Service - Jinesh Varia