Rapid Application Development on AWS

Rapid Application Development on AWS Oren Reuveni, Solutions Architect AWS Oren Katz, Solutions Architect AWS

Upload: amazon-web-services

Post on 16-Apr-2017

TRANSCRIPT

Page 1: Rapid Application Development on AWS

Rapid Application Development on AWS

Oren Reuveni, Solutions Architect AWS
Oren Katz, Solutions Architect AWS

Page 2: Rapid Application Development on AWS

This Session Is About:
• “Rapid Application Development on AWS”
• Building and running applications without having to manage infrastructure

Page 3: Rapid Application Development on AWS

The Services We Are Going to Use

• Amazon API Gateway: Host the API and route API calls
• AWS Lambda: Execute our app’s business logic
• Amazon Cognito: Generate temporary AWS credentials
• Amazon DynamoDB: NoSQL data store
• Amazon Elasticsearch Service: Analytics cluster
• Cognito User Pools

Page 4: Rapid Application Development on AWS

Full System Architecture slide…

Page 5: Rapid Application Development on AWS

SpoTaxi

Page 6: Rapid Application Development on AWS

SpoTaxi

Page 7: Rapid Application Development on AWS

Amazon DynamoDB
• Fully Managed NoSQL
• Document Key-Value
• Scales to Any Workload
• Fast and Consistent
• Access Control
• Event Driven Programming

Page 8: Rapid Application Development on AWS

Amazon Elasticsearch Service
• Easy Cluster Creation and Configuration Management
• Near Real Time Analytics
• Support for ELK
• Security with AWS IAM: Using IAM in our Lambda functions to access ES
• Monitoring with Amazon CloudWatch
• Auditing with AWS CloudTrail
• Integration Options with other AWS Services:
    • CloudWatch Logs
    • Amazon DynamoDB
    • Amazon S3
    • Amazon Kinesis

Page 9: Rapid Application Development on AWS

Let’s Build The Data Store Tier…

Page 10: Rapid Application Development on AWS

AWS Lambda
• Serverless Event Driven Compute Service
• Event Driven Scale
• Sub-Second Billing
• Bring Your Own Code
• Flexible Invocation Paths
• Simple Resource Model
• Granular Permission Control

• Let’s briefly discuss Lambda and Amazon EC2 Container Service (ECS)

Page 11: Rapid Application Development on AWS

Amazon API Gateway
• Host multiple versions and stages of your APIs
• Create and distribute keys to developers
• Leverage Signature Version 4 to authorize access to APIs
• Throttle and monitor requests to protect your backend
• Utilize AWS Lambda
• Benefits:
    • Managed cache to store API responses
    • Reduced latency and DDoS protection through Amazon CloudFront
    • SDK generation for iOS, Android and JavaScript
    • Swagger support
    • Request/response data transformation
    • Utilize all services, including on-premises if you wish

Page 12: Rapid Application Development on AWS

Amazon Cognito User Pools
• Create and maintain a user directory
• Sign in to your web application or mobile app using user pools
• Scale to hundreds of millions of users
• Designed to provide simple, secure and low-cost options
• Use cases:
    • User Sign-In and Sign-Up
    • Email or phone number verification
    • Forgot password
    • User profile
    • SMS-Based MFA

Page 13: Rapid Application Development on AWS

Comprehensive User Scenarios

• User sign-up and sign-in: Users sign up using email, phone number, or user name and password. Users can then sign in.
• Email or phone number verification: Users verify their email address or phone number prior to activating an account.
• Forgot password: Users can change their password if they forget it.
• User profile: Retrieve and update user profiles, including custom attributes.
• SMS-based MFA: If enabled, users complete Multi-Factor Authentication (MFA) with a confirmation code via SMS as part of sign-in and forgot password flows.

Page 14: Rapid Application Development on AWS

Authentication Flow

[Diagram: Mobile apps; Amazon Cognito User Pools; Amazon API Gateway; Custom Authorizer Lambda Function; /pets Lambda Function; /n… Lambda Function; Amazon DynamoDB. Labels: Throttling, Cache, Logging, Monitoring, Auth]

Let’s walk through this step by step…

Page 15: Rapid Application Development on AWS

Authentication Flow

[Diagram: authentication flow architecture; call shown: SignUp(attributes)]

Step 1: User signs up for an account with our Amazon Cognito User Pool, providing their email, telephone number & password (+ any custom attributes).

Amazon Cognito can automatically verify the user’s email address and/or phone number if required.

Page 16: Rapid Application Development on AWS

Authentication Flow

[Diagram: authentication flow architecture; call shown: Authenticate(user, pass)]

Step 2: At some point in the future, the user wants to sign in. We can now authenticate the user.

Page 17: Rapid Application Development on AWS

Authentication Flow

[Diagram: authentication flow architecture; message shown: MFA Code]

Optional: If MFA is enabled (either for this user, or all users), Amazon Cognito will SMS or email a one-time authentication code to the user.

Page 18: Rapid Application Development on AWS

Authentication Flow

[Diagram: authentication flow architecture; message shown: JWT Token]

Step 3: After a successful authentication, Amazon Cognito responds with a signed JSON Web Token (JWT) containing the user’s details.

Page 19: Rapid Application Development on AWS

Authentication Flow

[Diagram: authentication flow architecture]

Step 4: You are now ready to call your backend APIs from your mobile application.

The JWT is passed in via the Authorization HTTP header.

    GET /pets HTTP/1.1
    Host: ...
    Authorization: eyJraWQiOi…

Page 20: Rapid Application Development on AWS

Authentication Flow

[Diagram: authentication flow architecture]

Step 5: API Gateway calls your custom authorizer function which validates the JWT token and creates an IAM policy that defines which API resources the user can access (based on their user attributes in the JWT claims).

    GET /pets HTTP/1.1
    Host: ...
    Authorization: eyJraWQiOi…

Page 21: Rapid Application Development on AWS

Authentication Flow

[Diagram: authentication flow architecture]

Step 6: Additionally, the custom authorizer function will need to check that the JWT hasn’t been tampered with.

To do this, it needs the signing public key (JWK) from Amazon Cognito.

    GET /pets HTTP/1.1
    Host: ...
    Authorization: eyJraWQiOi…

Page 22: Rapid Application Development on AWS

Authentication Flow

[Diagram: authentication flow architecture; backend paths shown: /bid, /find, /n…]

Step 7: If authentication was successful, the API call will be passed through to the backend Lambda functions where your logic sits.

Authentication is cached for each token (up to 1 hour).

    GET /pets HTTP/1.1
    Host: ...
    Authorization: eyJraWQiOi…
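
An added example, not code from the original slides, of the custom authorizer in Steps 5 to 7: it checks the token's signature against the user pool's JWK set using only the Python standard library, validates the claims, and returns the IAM policy. The function names, the `jwks`, `issuer` and `client_id` parameters, the RS256 pinning and the fail-closed Deny are assumptions of this example; the caller is assumed to have fetched the JWK set from Amazon Cognito already.

```python
import base64, hashlib, hmac, json, time

# DER DigestInfo prefix for SHA-256, from RFC 8017 (EMSA-PKCS1-v1_5)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u_decode(s):  # unpadded base64url, as used in JWTs and JWKs
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def pkcs1_encode(signing_input, size):
    """Expected RS256 signature block for signing_input and a size-byte modulus."""
    digest = hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (size - 54) + b"\x00" + SHA256_PREFIX + digest

def verify_jwt(token, jwks, issuer, client_id, now):
    """Return the claims of a valid Cognito ID token, else raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64u_decode(h64)), json.loads(b64u_decode(p64))
        sig, alg, kid = b64u_decode(s64), header.get("alg"), header.get("kid")
        checked = (claims.get("iss"), claims.get("aud"), claims.get("token_use"))
    except Exception:
        raise ValueError("malformed token")
    if alg != "RS256":  # pin the algorithm instead of trusting the token header
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k["kid"] == kid), None)
    if jwk is None:
        raise ValueError("unknown signing key")
    n, e = (int.from_bytes(b64u_decode(jwk[f]), "big") for f in ("n", "e"))
    size, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    expected = pkcs1_encode(f"{h64}.{p64}".encode(), size)
    if len(sig) != size or s >= n or not hmac.compare_digest(pow(s, e, n).to_bytes(size, "big"), expected):
        raise ValueError("bad signature")
    if checked != (issuer, client_id, "id"):
        raise ValueError("wrong issuer, audience or token type")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def authorize(event, jwks, issuer, client_id, now=None):
    """API Gateway TOKEN authorizer: turn the verification result into an IAM policy."""
    now = time.time() if now is None else now
    try:
        claims = verify_jwt(event["authorizationToken"], jwks, issuer, client_id, now)
        principal, effect = claims["sub"], "Allow"
    except (ValueError, KeyError):  # fail closed on any invalid or incomplete token
        principal, effect = "anonymous", "Deny"
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": event["methodArn"]}
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}
```

Because API Gateway caches the returned policy per token (Step 7), a policy whose Resource is the single requested method ARN is reused for that token's other calls until the cache entry expires. Widen the Resource or shorten the cache TTL if one token must reach several methods.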

Page 23: Rapid Application Development on AWS

Let’s Build the Logic/API/Users Mgmt. Tier…

Page 24: Rapid Application Development on AWS

SpoTaxi

Page 25: Rapid Application Development on AWS

SpoTaxi

Page 26: Rapid Application Development on AWS
Page 27: Rapid Application Development on AWS

Appendix Slides…

Page 28: Rapid Application Development on AWS

SpoTaxi

Page 29: Rapid Application Development on AWS

SpoTaxi

Page 30: Rapid Application Development on AWS

SpoTaxi

Page 31: Rapid Application Development on AWS

SpoTaxi

Page 32: Rapid Application Development on AWS

SpoTaxi

Page 33: Rapid Application Development on AWS

SpoTaxi