Thank you, a wonderful presentation. I especially enjoyed the part about the data isolation and the clear examples. One thing bothers me though. This talk simultaneously promotes Cognito and talks about augmenting the access token with custom claims. As far as I know, this is not possible to do in Cognito.
35:50 It is mentioned here that we can assign no permissions to the default identity, to prevent accidentally using a default identity that has more permissions. However, earlier it was mentioned that the session policy can only make permissions more restrictive than the default identity (to prevent privilege escalation)?
Hi Riva. 👋 I found this document that may help: go.aws/42RHP2N. This is also an excellent question to post to our community of experts over on re:Post: go.aws/aws-repost. 📬 ^SA
th-cam.com/video/NpThwz0z_D0/w-d-xo.html Why has the STS direct call a higher latency than cognito doing this on behalf of the user? In the end both ways need to wait for sts, right?
Thank you Michael! Great, thorough, and useful info in this presentation!
Greatest presentation on this topic!
Thank you very much. Useful details.
Happy to see you enjoyed the session, Srinivas! 📺🙌 ^RM
Thank you Michael for sharing your knowledge, great presentation!
Thank you, a wonderful presentation. I especially enjoyed the part about the data isolation and the clear examples.
One thing bothers me though. This talk simultaneously promotes Cognito and talks about augmenting the access token with custom claims. As far as I know, this is not possible to do in Cognito.
I'm glad you enjoyed the presentation, Matti. I have also gone ahead and sent your detailed feedback forward for review. 🧐 ^NR
35:50 It is mentioned here that we can assign no permissions to the default identity, to prevent accidentally using a default identity that has more permissions. However, earlier it was mentioned that the session policy can only make permissions more restrictive than the default identity (to prevent privilege escalation)?
Hi Riva. 👋 I found this document that may help: go.aws/42RHP2N. This is also an excellent question to post to our community of experts over on re:Post: go.aws/aws-repost. 📬 ^SA
Yes. This confuses me too. could @awssupport clarify the apparent contradiction here please.
th-cam.com/video/NpThwz0z_D0/w-d-xo.html Why has the STS direct call a higher latency than cognito doing this on behalf of the user? In the end both ways need to wait for sts, right?