Cognito M2M charges $2500 per million auth requests and other IDPs also charge a king’s ransom for M2M authentication!
Instead, check out these five alternatives to allow services to communicate securely with each other.
In this post, we look at how you can implement fine-grained access control using Cognito access tokens and scopes. We will discuss the trade-offs of this approach and the cost implications of enabling Cognito’s Advanced Security Features (required for this approach to work).
Personally, I think this is too costly an approach and doesn’t offer enough upside in return.
Unless you’re using Advanced Security Features already, or your application has a high value per user (e.g. a B2B enterprise application), this approach may be difficult to justify in terms of return on investment.
A common narrative is that one should always use access tokens to call your APIs, while ID tokens are strictly for identifying users.
But how much of that actually makes sense when you use Cognito authorizers with your API?
Are ID tokens inherently less secure?
What is the cost of using access tokens instead?
Ultimately, is it safe to use ID tokens, or should you switch to access tokens?
Authentication and authorization are two distinct things.
API Gateway has built-in integration with Cognito, which handles authentication, but no fine-grained authorization.
There are many ways to implement a fine-grained authorization with API Gateway. In this new post, I will show you one of these ways and give you the pros & cons and when to use it.
This is a cost-efficient approach that leverages Cognito, but without needing its more expensive Advanced Security Features.
DynamoDB now supports resource-based policies, which simplified cross-account access to tables.
But just because you can, doesn’t mean you should!
Cross-account access to DynamoDB tables is almost always a smell. But as with everything, there are exceptions and edge cases. You should think carefully before you use resource-based policies to enable cross-account access to your DynamoDB tables.
In this post, let’s explore some legitimate use cases for cross-account access to DynamoDB tables.
When it comes to CI/CD roles, your instinct might be to lock them down to just what it needs. Because we all want to follow the principle of least privilege. But as you will see in this post, this comes with a hefty price in terms of developer productivity, and it’s not as secure as you might think.
So instead, I prefer a more holistic approach when it comes to securing CI/CD pipelines, involving account boundaries, SCPs, ABAC and the use of permissive roles. Come in and find out how.
You don’t need network security to keep your DynamoDB data safe. However, adding network security on top of IAM authentication and authorization is not a bad thing. Sometimes, it’s even necessary to meet regulatory requirements.
In this post, let’s see how to put DynamoDB in VPC so your data can only be accessed from within a VPC. We will look at what works best for feature teams and what works best for platform teams.
Managing and securing application secrets is a crucial part of any cloud-native application. AWS offers two primary services: the Systems Manager (SSM) Parameter Store and the more recent Secrets Manager. You might think Secrets Manager is the better choice for managing secrets because it’s a newer service and offers more advanced features such as cross-region …
The Old Faithful: Why SSM Parameter Store still reigns over Secrets Manager Read More »
Last week, we looked at implementing passwordless authentication using one-time passwords (OTPs) using Cognito [1]. Another popular passwordless authentication method is magic links where: The user initiates the sign-in process by entering their email in your application. They receive an email with a time-limited URL. The user clicks on the URL and is authenticated into …
Implementing Magic Links with Amazon Cognito: A Step-by-Step Guide Read More »
Password-based authentication has long been the norm for securing user accounts. However, it is becoming increasingly clear that password-based authentication has several drawbacks. Such as the risk of password theft, the need for users to remember complex passwords, and the time and effort required to reset forgotten passwords. Fortunately, more and more websites have started …
Passwordless Authentication made easy with Cognito: a step-by-step guide Read More »
By continuing to use the site, you agree to the use of cookies. more information
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.