Does AWS Cognito supports Nested User Pools? - amazon-cognito

I am trying to find information/comments if aws cognito supports nested user pools. Think LDAP group of groups. Is this possible? Can anyone share your experience or point me to the right reads?
Appreciate it.

Related

Authorisation design using policies/permission using keycloak or in general

I'm quite new to the entire auth design and am still trying to understand how to use keycloak for authentication and authorisation.
Currently from what I understand in order to have authorisation enabled for a client you will need to have it in confidential.
After which I am kind of stuck in terms of how to set which policy for which permission.
I have a few types resources but currently placing them all under a single client for simplicity sake.
For my use case I have a workspace for users. So each workspace can have multiple users with different roles of owner,editor,viewer. And within the workspace there are artifacts. So it is some what like designing an authorisation for Google drive.
Would like some advice on how best to design it.
One way I have thought of is using groups and each workspace is a group. Using it to assign users to each group as a way to use the group policy for permission.
The other is really by creating multiple policy and permission for each artifact/resource and adding user to each policy for each workspace.
Would like any advice on authorisation design or even where to begin reading.
After some research I have come to these conclusion.
Yes these can be done by keycloak though most likely shouldn't be done in keycloak itself for its design.
Keycloak itself will most likely be more suitable in terms of authenticating/authorising on services or infra level. So this use case of having user be able to access workspaces or artifacts will be better done in application level having a separated service to handle the permission itself.
That being said if it really needs to be done in keycloak the design that I thought of that is not so scalable is as follow.
Create a policy/user and each workspace/artifact as a single resource. Depending on how many types of access/fine grain control is needed for each type of resource create the scope for each (e.g workspace:view, workspace:edit...). Then create a permission for each resource&scope. This allows fine grain access of basically assigning user to permission of each resource through the user policy.
But of course this design has its flaws of the need of too many policies, permissions and resources so it is better to have keycloak just handle the authentication part and authorisation is just giving users the role to be able to access a service and through the service check if the user is authorised for a certain action.

Check if user existed in cognito as federated user by using only email/username

I'm having trouble implementing a feature where I need check if a user does not exist or is existing in cognito but as federated user. The prior is done without trouble but I'm stuck on the latter without any clue. I went through the cognito and amplify documents but couldn't find any clue. Could there be a work-around or a function that I don't know about, any suggest is welcomed.
You can create a mutable custom user attribute on Cognito such as isFederatedUser and set this on user during user creation.
If this is not possible, you can call list-users and filter the identities attribute.

Kibana Fine Grained Access Control - Multiple Kibana Groups

I have different kibana roles set up in AWS Elasticsearch to protect different indices. These kibana roles are mapped to IAM roles, which are mapped to Cognito groups.
My plan was to assign users into the one or more cognito groups and this would grant them access to their respective kibana indices.
However, when I attempt to login with a Cognito token containing multiple elements in the cognito:roles collection, I receive an error: OpenDistro ES: Missing Role No roles available for this user, please contact your system administrator.
Is this expected? The examples only include users that are part of a single cognito group (either limited user or admin). I'm able to log in if I'm part of one cognito group but as soon as I am part of multiple, I receive the error above. I expected to have multiple kibana roles.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html
https://github.com/aws-samples/amazon-elasticsearch-service-with-cognito/blob/master/lib/search-stack.ts
Apparently that is a design limitation per AWS architect, although it does not help solve my use case:
The ES Fine Grained Access Control is designed to map only one backend
role with an IAM role for Cognito token . Will you be able to merge
multiple backend roles into one role? ,is this an option? .This will
has the benefit of grouping users with the similar needs ,you’ve less
number of Cognito groups and IAM roles to manage.
AWS WWCS Geo Solutions Architecture

How to safely extend credentials to other contributors to my S3-hosted OS project

I have an open source project with several contributors. The project's home page is hosted on Amazon S3. At the moment, the S3 bucket is on my personal account. Only I have access to it, and I pay the hosting (~$5 a month). There are other personal buckets on my account that contributors should not have access to.
I'd like to allow other contributors to modify the site. I'd also like to enable e.g. TravisCI to deploy to the site, which requires extending some credentials to third parties.
Is it necessary to set up a separate Amazon account entirely, or is IAM sufficient for my needs?
If IAM is the way to go, should there be a single IAM user shared among all contributors, or should I create a separate one for each contributor?
Do I need MFA? If so, how to safely distribute TOTP keys?
Any provisions I should make for succession (i.e. bus factor)?
Anything else I should know?
Thanks for any ideas or experiences here.
Is it necessary to set up a separate Amazon account entirely, or is IAM sufficient for my needs?
You should probably have an account for this project that is separate from any accounts you use for purposes unrelated to this project, for clean separation and in case you want to hand over control. What isn't in the account doesn't need to be protected from users who shouldn't see it.
Cross-account privileges are possible, so if others already have accounts, it's possible for you to authorize their existing credentials without knowing their secrets, but it's more complex.
If IAM is the way to go, should there be a single IAM user shared among all contributors, or should I create a separate one for each contributor?
You should absolutely create one for each contributor. That's kind of a no-brainer. Accountability.
Do I need MFA? If so, how to safely distribute TOTP keys?
It depends on your need for the added security. MFA is great and it's also a hassle. But you don't have to (and shouldn't) distribute the MFA secrets for virtual MFA. The user can log in with his/her credentials and create and download that themselves if you allow it.
Any provisions I should make for succession (i.e. bus factor)?
Heh, bus factor. Yes, you probably need a trusted adjutant with a high privilege level. In my accounts we don't actually use the root credentials, ever, but typically two people have a physical copy of the root credentials, though we do sometimes ride together in the same elevator, and we really shouldn't do that.
Anything else I should know?
Read the documentation. It takes a bit of time to sink in, but it takes less time if you get your hands dirty and play with it. Be sure when granting privileges that you verify that things which should not work do indeed not work, not just verify that things which should work indeed do work. But that applies to any authentication and authorization implementation.
Use IAM instance roles in EC2. Even if you can't think of a reason why an instance needs a role, give it one with no permissions anyway, because an instance can only be given a role at launch... yet Formerly, you could only add an IAM role to an instance at launch, but AWS announced on 2017-02-09 that you can now attach an IAM role to an instance after launch. As always, you can change the permissions granted to a role at any time.
Read about user groups. Attach users to groups and policies to groups to simplify granting the same privileges to multiple users.
Unrelated: activate billing alerts for your account to notify you when costs exceed thresholds you select.

AmazonEC2- Can an EC2 account be created programmatically?

Hello StackOverflow Community,
I've searched through Amazon EC2's API documentation, but I haven't seen an API to create/modify/remove an Amazon EC2 account programmatically. Does anyone know if this is possible?
Thanks,
Mauricio
If you are talking about creating new Amazon's user for EC2, it is not possible to do programmatically. As in any website registration it requires human interaction. Particularly you will need to provide credit card etc. I also was not able to find a way to create new set of credentials programmatically.
What is the overall problem you're trying to solve? Are you trying to create an AWS account? Or simply create a new set of credentials for accessing EC2?
It is not possible to create accounts programmatically, but depending exactly on what you are trying to achieve, you may want to use AWS IAM which allows you to create credentials with restricted access (so for example an user can list current instances, but not start or destroy them)