Rapid Application Development on AWS
Oren Reuveni, Solutions Architect, AWS
Oren Katz, Solutions Architect, AWS
This Session Is About:
• “Rapid Application Development on AWS”
• Building and running applications without having to manage infrastructure
The Services We Are Going to Use
• Amazon API Gateway: host the API and route API calls
• AWS Lambda: execute our app’s business logic
• Amazon Cognito (Cognito User Pools): generate temporary AWS credentials
• Amazon DynamoDB: NoSQL data store
• Amazon Elasticsearch Service: analytics cluster
Full System Architecture slide…
SpoTaxi
Amazon DynamoDB
• Fully Managed NoSQL
• Document Key-Value
• Scales to Any Workload
• Fast and Consistent
• Access Control
• Event Driven Programming
Amazon Elasticsearch Service
• Easy Cluster Creation and Configuration Management
• Near Real Time Analytics
• Support for ELK
• Security with AWS IAM: Using IAM in our Lambda functions to access ES
• Monitoring with Amazon CloudWatch
• Auditing with AWS CloudTrail
• Integration Options with other AWS Services: CloudWatch Logs, Amazon DynamoDB, Amazon S3, Amazon Kinesis
Let’s Build The Data Store Tier…
AWS Lambda
• Serverless Event Driven Compute Service
• Event Driven Scale
• Sub-Second Billing
• Bring Your Own Code
• Flexible Invocation Paths
• Simple Resource Model
• Granular Permission Control
• Let’s briefly discuss Lambda and Amazon EC2 Container Service (ECS)
Amazon API Gateway
• Host multiple versions and stages of your APIs
• Create and distribute Keys to Developers
• Leverage Signature Version 4 to authorize access to APIs
• Throttle and monitor requests to protect your backend
• Utilize AWS Lambda
• Benefits:
  • Managed cache to store API responses
  • Reduced Latency and DDoS protection through Amazon CloudFront
  • SDK Generation for iOS, Android and JavaScript
  • Swagger Support
  • Request/Response Data Transformation
  • Utilize all services, including on-premises ones if you wish.
Amazon Cognito User Pools
• Create and maintain a user directory
• Sign in to your web application or mobile app using user pools
• Scale to hundreds of millions of users
• Designed to provide simple, secure and low-cost options
• Use-Cases:
  • User Sign-In and Sign-Up
  • Email or Phone number verification
  • Forgot password
  • User profile
  • SMS-Based MFA
Comprehensive User Scenarios
• Email or phone number verification: Users verify their email address or phone number prior to activating an account
• Forgot password: Users can change their password if they forget it
• User sign-up and sign-in: Users sign up using email, phone number or user name and password. Users can then sign in.
• User profile: Retrieve and update user profiles, including custom attributes
• SMS-based MFA: If enabled, users complete Multi-Factor Authentication (MFA) with a confirmation code via SMS as part of the sign-in and forgot-password flows
Authentication Flow
[Diagram: Mobile apps → Amazon Cognito User Pools (Auth); Mobile apps → Amazon API Gateway (Throttling, Cache, Logging, Monitoring, Auth) → Custom Authorizer Lambda Function → /pets Lambda Function, /n… Lambda Function → Amazon DynamoDB]
Let’s walk through this step by step…
Step 1: User signs up for an account with our Amazon Cognito User Pool, providing their email, telephone number & password (+ any custom attributes).
Amazon Cognito can automatically verify the user’s email address and/or phone number if required.
Diagram callout: SignUp(attributes)
Step 2: At some point in the future, the user wants to sign in. We can now authenticate the user.
Diagram callout: Authenticate(user, pass)
Optional: If MFA is enabled (either for this user, or for all users), Amazon Cognito will SMS or email a one-time authentication code to the user.
Diagram callout: MFA Code
Step 3: After a successful authentication, Amazon Cognito responds with a signed JSON Web Token (JWT) containing the user’s details.
Diagram callout: JWT Token
Step 4: You are now ready to call your backend APIs from your mobile application.
The JWT is passed in via the Authorization HTTP header:
    GET /pets HTTP/1.1
    Host: ...
    Authorization: eyJraWQiOi…
Step 5: API Gateway calls your custom authorizer function, which validates the JWT and creates an IAM policy that defines which API resources the user can access (based on the user attributes in the JWT claims).
Step 6: Additionally, the custom authorizer function will need to check that the JWT hasn’t been tampered with.
To do this, it needs the signing public key (JWK) from Amazon Cognito.
Step 7: If authentication was successful, the API call will be passed through to the backend Lambda functions where your logic sits.
Authentication is cached for each token (up to 1 hour).
Let’s Build the Logic/API/Users Mgmt. Tier…
SpoTaxi
Appendix Slides…
SpoTaxi