RBAC vs ABAC with Amazon Cognito

A closeup screenshot of some code

What Is Amazon Cognito?

Amazon Cognito is an AWS-based serverless user access management service that allows you to control user identity, authentication, and authorization for mobile and web applications. It lets users sign in to your apps, either directly with their username and password or via a third party like Google, Facebook, or Amazon.

Amazon Cognito consists of two main components, which you can use together or separately:

  • User pools - these are user directories providing options for users to sign up or sign in. They let users log in to your application via Amazon Cognito or various external identity providers (IdPs). Every user in a pool has a profile in the directory that you can access using a software development kit (SDK). User pools offer built-in, customizable sign-in UIs, user migration and customized workflows with AWS Lambda triggers, and security features like multi-factor authentication (MFA).
  • Identity pools - these allow you to provide users with access to other Amazon services. Users can access services like DynamoDB and Amazon S3 using temporary credentials. Identity pools allow anonymous guests to access AWS services. They support identities authenticated by developers and various IdPs such as SAML and OIDC providers and social accounts such as Google, Facebook, and Amazon.

Amazon Cognito lets you implement two common authorization models: RBAC and ABAC. Let's see how you can implement each of these in Cognito, and how they compare.

AWS Cognito RBAC

Amazon Cognito identity pools allow you to implement role-based access control (RBAC). With RBAC, authenticated users receive temporary credentials with limited access privileges to your AWS resources. You create Identity and Access Management (IAM) roles that determine each user's permissions. You can specify rules that determine each user's role according to user ID token claims. You can also define default roles for authenticated users and separate, limited-privilege IAM roles for unauthenticated guest users.

You need to add appropriate trust policies for every role to ensure that Amazon Cognito only permits access to authenticated users in an identity pool. You can assign roles to Amazon Cognito user pools, which provide ID tokens for users who sign in through a user pool.

You can allow IAM users to set roles and additional permissions (to their identity pool permissions). You provide users with an IAM PassRole permission, which allows them to pass the role to a set-identity-pool-roles API.

AWS Cognito ABAC

You can implement attribute-based access control (ABAC) for your AWS resources using IAM permissions policies and Amazon Cognito identity pools. You can take attributes from the SAML assertions or access/ID tokens of various IdPs and map them to tags you reference in your IAM policies.

Amazon Cognito allows you to use default or custom mappings in identity pools. Default mappings let you write policies according to a predetermined set of attributes, while custom mappings let you choose custom attributes referenced in your IAM policies. In the Amazon Cognito console, you can map attribute names to tag keys for principals, which are tags referenced in the IAM permissions policies.

Cognito ABAC can be useful, for example, if you have a video streaming service with free and paid membership options. You can store your video files in Amazon S3, tagging them as free or premium. Attributes in user profiles allow you to grant access to users based on their type of membership.

If you map the membership attribute to a tag key for a principal, Cognito will pass it on to the IAM policy. ABAC thus allows you to create a uniform permissions policy that allows conditional access to premium content based on each user's membership level and the tags on each content file.

RBAC vs ABAC on AWS

Role-based access control defines user permissions according to an individual's job function (role). In AWS, we use the term job function because the term role typically refers to an IAM role, which is an identity applied to users. IAM also provides managed policies that match permissions with job functions using RBAC.

To implement RBAC in IAM, you create separate policies for each job function. You can attach policies to an identity, such as an IAM role, IAM user, or group of users. A best practice is to grant the lowest-level permissions required to complete a job (known as the principle of least privilege). You should list the resources that each job function can access.

The traditional RBAC approach has drawbacks in terms of policy management. When a user wants to introduce a new resource, you have to update your RBAC policies to incorporate the resource.

Attribute-based access control offers several advantages over traditional RBAC:

  • Scalability and support for innovation - ABAC permissions can extend to new resources without requiring an administrator to update the current access policy manually.
  • Policy management - ABAC doesn't require creating separate policies for each job function, so you can create fewer policies that are easier to manage.
  • Flexibility - ABAC allows teams to grow and change rapidly, given that it grants access permissions to new resources automatically based on user or team attributes.
  • Granularity - ABAC allows you to create granular policies and maintain a least-privilege approach. With RBAC, you have to write policies enabling access to specific resources, while ABAC can allow access to any resource with a tag that corresponds with the user's tag.
  • Utilization of the corporate directory - you can use your corporate directory to provide employee attributes. For example, you can configure a web or SAML-based IdP to forward session tags to AWS. When you introduce employees to AWS, they receive a principal identity with their attributes, which you use to grant (or deny) access permissions via ABAC.

Conclusion

In this article I explained the basics of Amazon Cognito and showed how to implement two types of authorization: Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). I showed that while Amazon Cognito supports both models, ABAC has several important advantages, including scalability, policy management, flexibility, and improved granularity.

I hope this will be useful as you plan your authentication and authorization strategy on AWS.

Enjoyed this article?

Share it with your network to help others discover it

Continue Learning

Discover more articles on similar topics