I'm looking for a way to secure the frontend of my application, which is running on an ecran and utilizing Route 53. I want to ensure that only my company's employees who are logged into AWS can access it, while denying access to everyone else. Any guidance on how to achieve this would be greatly appreciated!
5 Answers
Don't forget to check out Amazon Verified Access as an option too! It could provide a streamlined way to secure your access.
If there's an Application Load Balancer (ALB) in front of your app, you can actually leverage OIDC authentication without having to set up Cognito at all—this might save you some time!
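As an added illustration of the ALB-only option above (example code, not from this thread or from AWS): a Terraform listener rule that runs the `authenticate-oidc` action before forwarding to the app. The IdP endpoints, client ID, listener and target group references are placeholders/assumptions; the client secret is expected to come from a secrets store.

```terraform
# Added example: an ALB HTTPS listener rule that forces an OIDC login with the
# corporate IdP before any request reaches the frontend target group.
# Everything marked PLACEHOLDER or "assumption" is not from the original thread.

variable "oidc_client_secret" {
  type      = string
  sensitive = true # assumption: injected at apply time (e.g. from Secrets Manager), never committed
}

resource "aws_lb_listener_rule" "require_corporate_login" {
  listener_arn = aws_lb_listener.https.arn # assumption: an existing HTTPS (443) listener
  priority     = 10

  # Step 1 (order 1): unauthenticated browsers are redirected to the IdP; the ALB
  # validates the returned ID token and sets its AWSELBAuthSessionCookie.
  action {
    order = 1
    type  = "authenticate-oidc"
    authenticate_oidc {
      issuer                     = "https://login.example.com"                  # PLACEHOLDER issuer
      authorization_endpoint     = "https://login.example.com/oauth2/authorize" # PLACEHOLDER
      token_endpoint             = "https://login.example.com/oauth2/token"     # PLACEHOLDER
      user_info_endpoint         = "https://login.example.com/oauth2/userinfo"  # PLACEHOLDER
      client_id                  = "PLACEHOLDER_CLIENT_ID"
      client_secret              = var.oidc_client_secret
      scope                      = "openid email"
      session_timeout            = 28800          # seconds: force re-login after 8 hours
      on_unauthenticated_request = "authenticate" # redirect browsers; use "deny" for API paths
    }
  }

  # Step 2 (order 2): only reached after authenticate-oidc succeeded.
  action {
    order            = 2
    type             = "forward"
    target_group_arn = aws_lb_target_group.frontend.arn # assumption: existing target group
  }

  # Apply to every path; narrow this if health-check or public paths must stay open.
  condition {
    path_pattern {
      values = ["/*"]
    }
  }
}
```

Two checks a practitioner should pair with this: the targets' security group must accept traffic only from the ALB's security group, otherwise the rule can be bypassed by hitting an instance directly; and the application should verify the `x-amzn-oidc-data` JWT the ALB adds to forwarded requests rather than trusting the header's presence alone.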
A good starting point would be to use Amazon Cognito for authentication. It can help manage user access effectively. However, I noticed there's not much detail in your question, so it'd be helpful to have more context about your setup!
You can't directly gate frontend access based on being 'logged into AWS.' Instead, consider setting up federated authentication tied to your organization. Using Cognito or an identity provider like Okta or Azure AD with SSO can restrict access, allowing only users in your company directory to log in. For static hosting on S3 with CloudFront, implementing CloudFront authentication with Cognito or using signed URLs/cookies can also heighten your control. If you're aiming to block unwanted traffic at the edge, you might add a web ACL in WAF to permit only your corporate IP ranges, although that's less reliable than identity-based solutions.
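As an added example of the edge-layer allowlist this answer mentions as a secondary control (not code from the thread): a WAFv2 web ACL that blocks by default and allows only a corporate IP set. The CIDR is a documentation range used as a placeholder, and the ALB reference is an assumption.

```terraform
# Added example: deny-by-default WAFv2 web ACL that admits only corporate egress IPs.
# Scope is REGIONAL for an ALB; use scope = "CLOUDFRONT" (in us-east-1) and attach the
# ACL to the distribution when CloudFront fronts the app, because the ALB would then
# only ever see CloudFront's source addresses.

resource "aws_wafv2_ip_set" "corporate_egress" {
  name               = "corporate-egress"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.0/24"] # PLACEHOLDER (RFC 5737 range); use office/VPN egress CIDRs
}

resource "aws_wafv2_web_acl" "corporate_only" {
  name  = "corporate-only"
  scope = "REGIONAL"

  default_action {
    block {} # anything not explicitly allowed below is blocked
  }

  rule {
    name     = "allow-corporate-ips"
    priority = 1

    action {
      allow {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.corporate_egress.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-corporate-ips"
      sampled_requests_enabled   = true # keeps samples of blocked requests for review
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "corporate-only"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "frontend_alb" {
  resource_arn = aws_lb.frontend.arn # assumption: the ALB in front of the application
  web_acl_arn  = aws_wafv2_web_acl.corporate_only.arn
}
```

This matches the answer's caveat: the allowlist only reflects where a request comes from, so it locks out employees off the VPN and admits anyone sharing the office NAT, which is why it belongs alongside an identity-based login (OIDC on the ALB or Cognito) rather than instead of one.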
The size of your organization can influence your setup. Cognito is generally more suited for managing large user bases accessing public applications. You might find that using an IAM role combined with security groups, or rules in a load balancer/API Gateway, alongside a connection to your existing identity provider could be a better fit.
Thank you very much!