Securing Cloudfront using Cognito IDToken - amazon-cognito

Hi, my website is hosted through CloudFront using S3. Is there a way to secure access to my CloudFront using an ID token from my Cognito user pool?

Related

Method to upload files to S3 bucket from mobile / web client - Serverless

I have a serverless application that uses AWS AppSync as the API layer and Cognito User Pool as the authentication service. There can be web / mobile users using the application. Each authenticated user should be able to upload photos to the S3 bucket. I am using Dynamo DB as the database.
What is the best way to implement the file upload process with the requirements below?
Each Cognito-authenticated user should be able to upload/view photos in the S3 bucket.
The user should be able to upload multiple photos.
Each file upload should be recorded in the database.
I saw there is a way to upload files with AWS pre-signed URLs, but can I upload multiple files with that approach?
Since I have Cognito authentication, is there a direct way for authenticated users to access S3 buckets rather than pre-signed URLs?
If you are already using Cognito, you can secure your API Gateway method (the specific REST API method) with a Cognito User Pool.
That means you would have the following flow:
App -> HTTP request with Cognito Authorization header -> API Gateway -> API Gateway method with Authorization set up -> Lambda -> S3.
API Gateway’s Authorization settings would take care of securing the endpoint.
This is the guide for setting it up:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
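The Lambda stage of that flow, written out as an added example (not the answer's own code): with a Cognito User Pool authorizer on a REST API proxy integration, the already-verified claims arrive in event["requestContext"]["authorizer"]["claims"], and the handler derives the S3 key from the token's "sub" rather than from anything the client sends. The S3 pre-signing and database write are injected as functions (the names presign, record, fake_presign, fake_record, UPLOAD_BUCKET and the photo-bucket-placeholder name are assumptions) so the block runs offline; the demo event is constructed.

```python
"""Lambda handler for: App -> API Gateway (Cognito authorizer) -> Lambda -> S3.

Added example, not the original answer's code. Assumes a REST API proxy
integration with a Cognito User Pool authorizer, so verified claims arrive in
event["requestContext"]["authorizer"]["claims"]. S3 and database calls are
injected (presign, record) so the handler runs offline with fakes.
"""
import json
import re
import uuid

ALLOWED_TYPES = {"image/jpeg", "image/png"}
# No slashes or dots-only names: a client must not steer the key out of its own prefix.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}$")
UPLOAD_BUCKET = "photo-bucket-placeholder"  # placeholder bucket name, not a real one


def plan_uploads(claims, files):
    """Map each requested file to an object key under the caller's own prefix.

    Returns a list of (key, content_type); raises ValueError on bad input.
    """
    sub = claims.get("sub")
    if not sub:
        raise ValueError("no subject in claims")
    if not 1 <= len(files) <= 10:
        raise ValueError("upload 1-10 files per request")
    plan = []
    for f in files:
        name, ctype = f.get("name", ""), f.get("contentType", "")
        if not SAFE_NAME.match(name) or ctype not in ALLOWED_TYPES:
            raise ValueError(f"rejected {name!r}")
        # Key comes from the verified token's sub, never from a client-supplied user id.
        plan.append((f"uploads/{sub}/{uuid.uuid4()}-{name}", ctype))
    return plan


def make_handler(presign, record):
    """Build a Lambda handler around injected side effects.

    presign(bucket, key, content_type) -> URL string; record(sub, key) -> None.
    """
    def handler(event, context=None):
        claims = event.get("requestContext", {}).get("authorizer", {}).get("claims")
        if not claims:  # authorizer did not run: refuse rather than trust the body
            return {"statusCode": 401, "body": json.dumps({"error": "unauthenticated"})}
        try:
            body = json.loads(event.get("body") or "{}")
            plan = plan_uploads(claims, body.get("files", []))
        except (ValueError, TypeError) as exc:  # JSONDecodeError is a ValueError
            return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
        uploads = []
        for key, ctype in plan:
            url = presign(UPLOAD_BUCKET, key, ctype)
            record(claims["sub"], key)  # one database row per file, as the question asks
            uploads.append({"key": key, "url": url})
        return {"statusCode": 200, "body": json.dumps({"uploads": uploads})}
    return handler


# --- offline demo: fakes standing in for boto3 and DynamoDB -------------------
def fake_presign(bucket, key, content_type):
    return f"https://{bucket}.s3.amazonaws.com/{key}?X-Amz-Signature=FAKE"


RECORDS = []


def fake_record(sub, key):
    RECORDS.append({"sub": sub, "key": key})


def demo_event(sub, files):
    """Constructed API Gateway proxy event in the shape a Cognito authorizer produces."""
    return {"requestContext": {"authorizer": {"claims": {"sub": sub, "token_use": "id"}}},
            "body": json.dumps({"files": files})}


if __name__ == "__main__":
    h = make_handler(fake_presign, fake_record)
    print(h(demo_event("user-123", [{"name": "a.jpg", "contentType": "image/jpeg"}])))
    print(h(demo_event("user-123", [{"name": "../x.jpg", "contentType": "image/jpeg"}])))
```

In a deployed function the presign argument would wrap boto3's generate_presigned_url("put_object", ...) with a short ExpiresIn, and record would write to the DynamoDB table; the multi-file question is answered by returning one pre-signed URL per planned key in a single response.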

AWS Cognito as an Open Id Authorizer for AWS AppSync

I need to use an AWS Cognito User Pool with the client_credentials OAuth Flow on a different AWS Account to be an authorization provider for an AWS AppSync App on a different AWS Account.
I added the Amazon Cognito Domain (test example below) to the Authorization Providers on AppSync.
I was able to get a valid access token. However, when I used that token to make a request on AppSync I get the following error:
{
  "errors": [
    {
      "errorType": "UnauthorizedException",
      "message": "Valid authorization header not provided."
    }
  ]
}
Is it possible to use the Amazon Cognito Domain as the OIDC Issuer URL on AppSync in a different account? Or am I using the wrong domain?
I know this pretty much works out of the box by using the "Amazon Cognito User Pool" authorizer provider, but that only works if Cognito and AppSync are on the same account. I also got Auth0 OIDC with client_credentials to work per this doc, but would like to use Cognito on a different account if possible.
The issuer URL should look like this:
https://cognito-idp.<aws-region>.amazonaws.com/<userpool-id>
Source:
https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt

How to protect Amazon S3 via Basic Authentication

I am new to S3 and am wondering how I could protect access to S3 or CloudFront via Basic Authentication while installing a private certificate into Chrome that allows access. Is there anything like this?
It is not possible to use Basic Authentication with Amazon S3 or Amazon CloudFront.
Amazon S3 access can be controlled via one or more of:
Access Control List on the object level
Amazon S3 Bucket Policy
AWS Identity and Access Management (IAM) Policy
Amazon CloudFront has its own method of controlling access via signed URLs and signed cookies.

How can I allow limited access to an API created in AWS API Gateway?

I have an API in AWS API Gateway.
I want to give limited access to the user; how can I do that?
Or how can I create a signed URL, if possible, for the API access? Does anyone have any idea?
I can disable it from the API Gateway console, but can I give time-limited or limited access to the user?
You can use AWS Cognito to authenticate your user against Google/Twitter/Facebook. Then in Cognito you configure the Role the temporary IAM user should have that Cognito returns. This Role should at least have rights to call your API Gateway.
In the API Gateway you can configure your endpoints so that it is required to have a valid IAM authentication.
Lastly if you want to restrict the user, you can make a call to Cognito and remove/adjust his account to block him.

Integrating AWS Cognito with API for authentication

Can we integrate AWS Cognito to authenticate API calls to our back-end? I was planning to use the Cognito access token, which would be given to a reverse proxy server to create a JWT by value for back-end micro services. But I could not find any method to check the AWS token for validity. Any suggestions?
Thanks :)
Amazon Cognito was not designed to secure developer built APIs and I would caution you from using only the Amazon Cognito token to secure your API.
That being said, the vended Amazon Cognito token is a normal JWT signed using asymmetric encryption. This thread on the AWS forums has some example code in C# that another customer was able to use to verify the token.
Update 2015-07-09: AWS has announced Amazon API Gateway. Using API Gateway you can build a REST interface to your existing API (or to AWS Lambda functions) secured with credentials retrieved via an Amazon Cognito auth flow. See this blog post for additional announcement details.
You can retrieve the JWT tokens after authenticating users using Cognito. Pass the Access or ID token (depending on the use case) to your backend app and decode the token using any standard JWT decoder libraries.
Here is an article with sample code for reference explaining the process.
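The check the two answers above describe, and the issuer URL given in the AppSync answer (https://cognito-idp.<aws-region>.amazonaws.com/<userpool-id>), carried through as an added example that is not the answers' code nor AWS's decode-verify-jwt sample: decoding is not verifying, so the block checks the RS256 signature against a JWKS entry selected by kid, then the issuer, token_use, audience and expiry. It uses only the standard library, which means the RSA maths is spelled out; the key pair and token produced by make_demo_token are constructed for the demo (the region, pool id, client id and kid values are placeholders), and that toy key generation is not how real keys are made. In production the JWKS is fetched once from the pool's /.well-known/jwks.json and cached.

```python
"""Verify a Cognito RS256 JWT against a user pool's JWKS, standard library only.

Added example, not the answers' code nor AWS's decode-verify-jwt. The issuer is
built from region and pool id as the AppSync answer states. The RSA key and token
in make_demo_token() are CONSTRUCTED so the block runs offline; real verifiers
fetch https://cognito-idp.<region>.amazonaws.com/<userpool-id>/.well-known/jwks.json.
"""
import base64
import hashlib
import json
import math
import random
import time

# RFC 8017 DigestInfo prefix for SHA-256, as used by RSASSA-PKCS1-v1_5 (RS256).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


class TokenError(Exception):
    pass


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), as an integer, for a k-byte modulus."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def verify_cognito_jwt(token, jwks, region, userpool_id, client_id, token_use="id", now=None):
    """Return the claims only if signature, issuer, token_use, audience and expiry all pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":  # pin the algorithm; the token does not get to choose
        raise TokenError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise TokenError("unknown kid")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64url_decode(s64), "big")
    if sig >= n or pow(sig, e, n) != emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{userpool_id}":
        raise TokenError("wrong issuer")
    if claims.get("token_use") != token_use:
        raise TokenError("wrong token_use")
    # ID tokens carry the app client in "aud"; access tokens carry it in "client_id".
    if claims.get("aud" if token_use == "id" else "client_id") != client_id:
        raise TokenError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise TokenError("expired")
    return claims


# --- constructed demo key and token; toy key generation, never for real keys ---
def _probable_prime(bits, rounds=16):
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(rounds):  # Miller-Rabin witnesses
            x = pow(random.randrange(2, n - 1), d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break  # composite: draw a new candidate
        else:
            return n


def make_demo_token(region, userpool_id, client_id, sub="demo-sub", exp=None):
    """Sign a Cognito-shaped ID token with a toy 1024-bit key; return (token, jwks)."""
    e = 65537
    while True:
        p, q = _probable_prime(512), _probable_prime(512)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            break
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    jwks = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "demo-kid",
                      "n": b64url_encode(n.to_bytes(k, "big")),
                      "e": b64url_encode(e.to_bytes(3, "big"))}]}
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "demo-kid"}).encode())
    claims = {"sub": sub, "aud": client_id, "token_use": "id",
              "iss": f"https://cognito-idp.{region}.amazonaws.com/{userpool_id}",
              "exp": exp if exp is not None else int(time.time()) + 3600}
    signing_input = f"{header}.{b64url_encode(json.dumps(claims).encode())}"
    sig = pow(emsa_pkcs1_v15(signing_input.encode(), k), d, n)
    return f"{signing_input}.{b64url_encode(sig.to_bytes(k, 'big'))}", jwks


if __name__ == "__main__":
    tok, jwks = make_demo_token("us-east-1", "us-east-1_EXAMPLE", "exampleclientid")
    print(verify_cognito_jwt(tok, jwks, "us-east-1", "us-east-1_EXAMPLE", "exampleclientid"))
```

Pinning alg to RS256 and selecting the key by kid from the pool's own JWKS is what turns "decode the token" into a verification: a token from another pool, another app client, or with an edited payload fails before any claim is trusted, and a reverse proxy that mints its own JWT by value should only do so after this function returns.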