Reputation: 21
I have a web application hosted on an EC2 instance that I own. I did not write the web application and do not have the source code for it, but I can run it and allow it to be accessed through the EC2 instance's public IP and a specific port (for example https://XX.XX.XX.XX:5000). It is connected to Route53 through a domain name that redirects to this address (for example, https://resource.example.com).
I only expect to have local friends using this web application (approximately 5-20 users). However, I am having issues with random people stumbling upon the domain and messing around with the web application.
I would like to secure it somehow, preferably with an AWS service like Cognito. I do not want to whitelist IPs because I can expect my friends to move around to different WiFi networks (possibly in different cities or countries) and would like them to still have access. I do not have a lot of cloud development experience and would like a simple and fast approach.
The application flow would look something like this: user tries to access https://XX.XX.XX.XX:5000 or https://resource.example.com. User is not allowed access yet because they are not authenticated, and are automatically redirected to the Cognito hosted UI. They then sign in (using an account I provided them), and are redirected back to https://resource.example.com where they can use the web application freely. After some time their authentication token expires and they are no longer given access to the web application.
There are many tutorials on how to do this with applications that you own or can modify freely, but is it possible to do this when you cannot modify the underlying web application? For example, some sort of service monitoring connections to and from the EC2 instance that automatically checks for authentication and redirects to the Cognito hosted UI if authentication is invalid.
Upvotes: 2
Views: 3675
Reputation: 14829
Welcome, Alex. Personally I think you have the wrong approach here. AWS Cognito is an enterprise-level authentication system which is really designed for integrating with an application. Basically it sounds like overkill for your use case.
I would suggest you look into securing your application through your web container. This will be much simpler and can be set up through a few basic configuration changes on your server.
You didn't say which web container you are running. I assume it's probably Apache or NginX. In both cases the process is similar. You use htpasswd to set up a password file on your server, which contains the usernames and passwords for your friends. You then tell Apache or NginX to authenticate using that file, and the rest is handled for you, simple!
Here are some instructions for Apache in case that's your container: https://www.digitalocean.com/community/tutorials/how-to-set-up-password-authentication-with-apache-on-ubuntu-14-04
Upvotes: 0
Reputation: 5407
my two cents:
use AWS Cognito User Pool to manage your user sign-up/sign-in. Cognito User Pool can even support social media sign-in (Google, Facebook, etc.) as well as MFA, and it provides a customizable login web UI so you don't need to code your own sign-in page.
change your current traffic routing (Route 53 -> EC2 instance) to Route 53 -> Application Load Balancer (authenticated with Cognito User Pool) -> EC2 instance
note: load balancer may incur extra cost
Upvotes: 3
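The Route 53 -> ALB (authenticated with Cognito) -> EC2 chain this answer describes, written out as an added Terraform example that is not part of the answer. It assumes the load balancer (`aws_lb.app`), its target group (`aws_lb_target_group.app`), the Cognito hosted-UI domain (`aws_cognito_user_pool_domain.friends`), the two security groups (`aws_security_group.alb`, `aws_security_group.app`) and `var.cert_arn` are defined elsewhere; the resource names and the 3600-second session are chosen for illustration.

```hcl
resource "aws_cognito_user_pool" "friends" {
  name = "friends"
  # The owner creates the accounts; no self-service sign-up.
  admin_create_user_config { allow_admin_create_user_only = true }
}

resource "aws_cognito_user_pool_client" "alb" {
  name                                 = "alb"
  user_pool_id                         = aws_cognito_user_pool.friends.id
  generate_secret                      = true # the ALB uses the confidential authorization-code flow
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid"]
  supported_identity_providers         = ["COGNITO"]
  # Fixed ALB callback path; it must match the pool client exactly.
  callback_urls = ["https://resource.example.com/oauth2/idpresponse"]
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.cert_arn
  # Action 1: unauthenticated requests are redirected to the Cognito hosted UI.
  default_action {
    type = "authenticate-cognito"
    authenticate_cognito {
      user_pool_arn              = aws_cognito_user_pool.friends.arn
      user_pool_client_id        = aws_cognito_user_pool_client.alb.id
      user_pool_domain           = aws_cognito_user_pool_domain.friends.domain
      on_unauthenticated_request = "authenticate"
      session_timeout            = 3600 # seconds before the user has to sign in again
    }
  }
  # Action 2: authenticated requests are forwarded to the instance on port 5000.
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# Port 5000 must accept traffic from the load balancer only; otherwise the login
# is bypassed by browsing to the instance's public IP and port directly.
resource "aws_security_group_rule" "app_from_alb_only" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  from_port                = 5000
  to_port                  = 5000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}
```

The last resource is the check that makes the scheme hold: with the ALB in front, the Route 53 record must point at the load balancer and the instance itself must no longer be reachable on port 5000 from the internet.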