In today’s world, securing user access to applications is a top priority for developers and DevOps teams. AWS Cognito and an Application Load Balancer (ALB) offer a robust solution for managing user authentication and ensuring secure access to your applications. In this guide, we’ll set up a secure user authentication flow by integrating AWS Cognito with an ALB for a containerized application deployed on ECS Fargate.

Setting Up the Environment: Prerequisites and Overview

Before we dive into the technical details, ensure you have the following prerequisites ready:

  • An AWS account
  • AWS CLI configured on your local machine
  • Docker installed
  • AWS Elastic Container Service (ECS) configured
  • A private Docker repository (AWS ECR recommended)
  • AWS Cognito user pool created

Overview

In this guide, we will:

  1. Create an ECS Fargate task definition for authentication.
  2. Configure a Dockerfile for the authentication application.
  3. Push the Docker image to a private repository.
  4. Deploy the application with ECS Fargate.
  5. Configure an Application Load Balancer (ALB) for HTTPS traffic.
  6. Set up AWS Cognito for user management.
  7. Integrate Cognito with ALB to secure user access.
  8. Test and verify the authentication flow.

Creating an ECS Fargate Task Definition for Authentication

The ECS Fargate task definition is the blueprint for running your containerized application. Here’s how you create it:

  1. Navigate to the Amazon ECS console.
  2. Under Task Definitions, click Create New Task Definition and select Fargate.
  3. Define the task role and assign permissions for ECS, S3, and other AWS services.
  4. Under Container Definitions, define your container image (from your private repository), set CPU and memory limits, and configure essential environment variables.
  5. Save and launch the task definition.

This will be the foundation for running the authentication application in a secure, scalable environment.

Dockerfile Configuration for the Authentication Application

Create a Dockerfile to package your authentication application. Below is a sample Dockerfile for a Node.js authentication service:

# Use the official Node.js 14 image

FROM node:14

# Create and set the working directory

WORKDIR /app

# Copy the package.json and install dependencies

COPY package.json .

RUN npm install

# Copy the rest of the application code

COPY . .

# Expose the application port (e.g., 3000)

EXPOSE 3000

# Start the application

CMD [“npm”, “start”]

Once the Dockerfile is created, build the Docker image using the command:

docker build -t my-auth-app .

Pushing Docker Image to Private Repository

To deploy the application on ECS, we must push the Docker image to a private repository, such as the AWS Elastic Container Registry (ECR).

  1. Authenticate Docker with AWS ECR:
    aws ecr get-login-password –region <region> | docker login –username AWS –password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com
  2. Create a new ECR repository:
    aws ecr create-repository –repository-name my-auth-app
  3. Tag and push the Docker image to ECR:
    docker tag my-auth-app:latest <account-id>.dkr.ecr.<region>.amazonaws.com/my-auth-app:latest

docker push <account-id>.dkr.ecr.<region>.amazonaws.com/my-auth-app:latest

Deploying the Application with ECS Fargate

Now that the Docker image is in your private repository deploy it using ECS Fargate.

  1. Create a new service using your task definition in the Amazon ECS console.
  2. Select Fargate as the launch type and configure the number of tasks for high availability.
  3. Set up networking by creating or selecting an existing VPC and subnets.
  4. Ensure that the ECS service is associated with the Application Load Balancer.

Configuring Application Load Balancer for HTTPS Traffic

To secure communication, we’ll configure the ALB to handle HTTPS traffic.

  1. Go to the EC2 console and navigate to Load Balancers.
  2. Create a new Application Load Balancer and select Internet-facing.
  3. Configure listeners for HTTP (port 80) and HTTPS (port 443). Ensure you attach an SSL certificate for HTTPS.
  4. Associate the ALB with your ECS service and configure a target group that points to your Fargate tasks.
  5. Under Listener Rules, redirect all HTTP requests to HTTPS for enhanced security.

Setting Up AWS Cognito for User Management

AWS Cognito provides an easy way to manage users and add authentication to your application.

  1. In the Cognito console, create a new User Pool.
  2. Configure user sign-up attributes, multi-factor authentication (MFA), and password policies according to your security requirements.
  3. Set up an App Client without a client secret, as this is required for ALB integration.
  4. Enable hosted UI for login, allowing Cognito to handle authentication.

Integrating Cognito with Application Load Balancer for Secure Access

Now, let’s integrate Cognito with the ALB for user authentication.

  1. In the ALB console, select your ALB and go to Listeners.
  2. Choose the HTTPS listener and click View/edit rules.
  3. Create a new rule that forwards all requests to Cognito for authentication.
  4. Select Authenticate using Cognito and choose the user pool you created earlier. Configure the Cognito App Client and set a redirect URL.

This setup will route all incoming traffic through Cognito for authentication before forwarding it to the ECS tasks.

Testing and Verifying the Authentication Flow

To ensure everything works as expected, test the entire flow:

  1. Access your ALB’s domain via HTTPS.
  2. You should be redirected to the AWS Cognito-hosted login page.
  3. After signing in with Cognito, the request should be routed to your ECS Fargate application.
  4. Verify the application’s response and confirm secure access.

If everything works correctly, congratulations—you’ve successfully implemented a secure authentication flow using AWS Cognito and ALB with ECS Fargate!

Conclusion

We’ve created a highly secure and scalable authentication mechanism by combining AWS Cognito, ECS Fargate, and Application Load Balancer. This setup ensures that only authenticated users can access your application, making it ideal for web applications that require secure access management.

References

Securing Amazon Elastic Container Service applications using Application Load Balancer and Amazon Cognito

How to use Application Load Balancer and Amazon Cognito to authenticate users for your Kubernetes web apps