CognitoはAWS上のシステムに対して認証・認可を行うサービス。
## Cognitoの処理フロー

## CloudFormationのサンプル
```yaml
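# Template version must be quoted: a generic YAML 1.1 parser (PyYAML, yamllint)
# otherwise reads 2010-09-09 as a date, not the string CloudFormation expects.
AWSTemplateFormatVersion: "2010-09-09"
Description: The template for creating Cognito resource.

Parameters:
  # ARN of the Lambda wired in as the PostAuthentication trigger below.
  # The AWS::Lambda::Permission that lets Cognito invoke it is not part of
  # this template and has to exist elsewhere.
  LambdaFunctionArn:
    Type: String
    Description: Lambda function arn for lambda permission.

Resources:
  # user pool
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: sample-user-pool
      # Users sign in with their e-mail address, which is verified automatically.
      UsernameAttributes:
        - email
      AutoVerifiedAttributes:
        - email
      # Requires a fresh verification code before an e-mail change takes effect.
      # NOTE(review): with Mutable: false on the email attribute below, the
      # address cannot be changed after sign-up, so this setting may never apply.
      UserAttributeUpdateSettings:
        AttributesRequireVerificationBeforeUpdate:
          - email
      Schema:
        - Name: email
          AttributeDataType: String
          Mutable: false
          Required: true
      UsernameConfiguration:
        CaseSensitive: false
      # MFA is disabled in this sample; "OPTIONAL" or "ON" adds a second
      # factor for sign-in and should be preferred outside of demos.
      MfaConfiguration: "OFF"
      EmailConfiguration:
        EmailSendingAccount: "COGNITO_DEFAULT"
      # Account recovery only through the verified e-mail address.
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      # false enables self sign-up: anyone holding the client id can register.
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: false
      VerificationMessageTemplate:
        DefaultEmailOption: "CONFIRM_WITH_CODE"
      LambdaConfig:
        PostAuthentication: !Ref LambdaFunctionArn

  # user pool client
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    # Redundant with the implicit dependency from !Ref UserPool; kept as-is.
    DependsOn: UserPool
    Properties:
      ClientName: sample-apl-client
      # No client secret: appropriate for a public (browser/mobile) client,
      # which could not keep one confidential anyway.
      GenerateSecret: false
      UserPoolId: !Ref UserPool
      # SRP keeps the password off the wire; plain USER_PASSWORD_AUTH is not enabled.
      # NOTE(review): consider PreventUserExistenceErrors: ENABLED so sign-in
      # errors do not reveal whether a username exists.
      ExplicitAuthFlows:
        - ALLOW_REFRESH_TOKEN_AUTH
        - ALLOW_USER_SRP_AUTH

  # identity pool
  IdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    # Redundant with the implicit dependency from !Ref UserPoolClient; kept as-is.
    DependsOn: UserPoolClient
    Properties:
      # Enhanced (simplified) flow: the role comes from the role attachment below.
      AllowClassicFlow: false
      IdentityPoolName: sample-id-pool
      # No guest access: only identities authenticated via the user pool get credentials.
      AllowUnauthenticatedIdentities: false
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName

  # role for authorized access to AWS resources
  CognitoAuthorizedRole:
    Type: "AWS::IAM::Role"
    # Redundant with the implicit dependency from !Ref IdentityPool; kept as-is.
    DependsOn: IdentityPool
    Properties:
      RoleName: "svls-role-cog-idpool"
      # Trust policy: only this identity pool (aud) and only authenticated
      # identities (amr) may assume the role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: "CognitoAuthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "cognito-identity:GetCredentialsForIdentity"
                # This action offers no resource-level scoping, so "*" is the
                # narrowest value available; add further statements per resource
                # the authenticated users actually need.
                Resource: "*"

  # Attach role to the Identity Pool
  IdentityPoolRoleMapping:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    # Redundant with the implicit dependency from !GetAtt; kept as-is.
    DependsOn: CognitoAuthorizedRole
    Properties:
      IdentityPoolId: !Ref IdentityPool
      # Only the authenticated role is mapped; unauthenticated access is disabled above.
      Roles:
        authenticated: !GetAtt CognitoAuthorizedRole.Arn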
```