Multi-Tenant AI Service Security with AWS Cognito

Question

Pulumi · Accepted Answer

To secure a multi-tenant AI service using AWS Cognito, you would typically create a user pool to manage users for your AI service and use identity pools to grant users access to AWS resources. Cognito provides user sign-up and sign-in services, and customizable user interface for authentication. Additionally, you can set up roles and permissions for authenticated and guest users.

Here is what you would generally need in terms of AWS Cognito resources:

1. **Cognito User Pool**: This will act as a user directory to manage sign-up and sign-in functionality.
2. **Cognito User Pool Client**: This will allow your application to interact with the user pool using an app client.
3. **Cognito Identity Pool**: This will enable you to authorize users to access other AWS services.
4. **IAM Roles**: These define permissions for actions that your Cognito identity pool authenticated and unauthenticated users can perform.

Let's create a basic Pulumi program in Python to set this up:

```python
import pulumi
import pulumi_aws as aws

# Create an Amazon Cognito User Pool
user_pool = aws.cognito.UserPool("aiServiceUserPool",
    auto_verified_attributes=["email"])

# Create an Amazon Cognito User Pool Client
user_pool_client = aws.cognito.UserPoolClient("aiServiceUserPoolClient",
    user_pool_id=user_pool.id,
    allowed_oauth_flows=["code", "implicit"],
    allowed_oauth_flows_user_pool_client=True,
    allowed_oauth_scopes=["phone", "email", "openid", "profile", "aws.cognito.signin.user.admin"],
    callback_urls=["https://example.com/callback"],
    logout_urls=["https://example.com/logout"],
    default_redirect_uri="https://example.com/callback",
    explicit_auth_flows=["ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_CUSTOM_AUTH", 
                         "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    generate_secret=True)

# Create an Amazon Cognito Identity Pool
identity_pool = aws.cognito.IdentityPool("aiServiceIdentityPool",
    allow_unauthenticated_identities=False,  # Set to True if you want to support unauthenticated logins
    cognito_identity_providers=[{
        "client_id": user_pool_client.id,
        "provider_name": user_pool.endpoint,
    }])

# Define IAM roles
authenticated_role = aws.iam.Role("cognitoAuthenticatedRole", assume_role_policy=pulumi.Output.all(
    identity_pool.id).apply(lambda identity_pool_id: json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": identity_pool_id,
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated",
                },
            },
        }],
    })),
)

# Attach policies to the authenticated role
# The policies will depend on the specific AWS resources your AI service needs to access
example_policy = aws.iam.RolePolicy("examplePolicy",
    role=authenticated_role.name,
    policy="""{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::examplebucket/*"
            ]
        }]
    }""",
)

# ...

# Outputs for client interactions with the frontend
pulumi.export('user_pool_id', user_pool.id)
pulumi.export('user_pool_client_id', user_pool_client.id)
pulumi.export('identity_pool_id', identity_pool.id)
pulumi.export('authenticated_role_arn', authenticated_role.arn)
```

In this program, we first create a Cognito User Pool named `aiServiceUserPool` and make sure it can auto-verify emails. Then, we create a User Pool Client (`aiServiceUserPoolClient`) with required OAuth and authentication settings. The User Pool Client is an entity that allows your app to interact with the Cognito User Pool.

Next, we set up an Identity Pool (`aiServiceIdentityPool`) that will be used to manage identities and federate access to AWS resources for your users. In this example, we don't allow unauthenticated identities to emphasize security, but you could enable this for guest access.

We also define IAM roles for authenticated users to specify permissions within AWS. Modify `example_policy` to provide the necessary permissions for your AI service, for example accessing S3 buckets, invoking Lambda functions, or any other AWS services your application needs to interact with.

Finally, we export the IDs and ARNs as outputs since those will be necessary for integrating with your frontend or backend application that will call AWS resources on behalf of your authenticated users.

Keep in mind that to fully implement a multi-tenant system, you may need additional logic to handle data isolation and multi-tenancy within your AI service application layer or databases. This Pulumi program focuses on the AWS security aspect through Cognito.