Identity & perimeter: Cognito + Identity Center + WAF

Identity and perimeter cognto identity

center plus secrets manager. Big idea

one sentence. Every Geni request must

come from a known identity, be

explicitly authorized, pass through a

protected perimeter and never carry

secrets in code. Namisha 1 O N versus

Oz. This distinction is mandatory.

Authentication ON. Who are you? Login

token issuance. Identity proof.

Authorization. Oz. What are you allowed

to do? Which endpoints? Which tools?

Which data? Which model? Exam trap. If

an answer uses authentication when the

problem is about permissions.

Two, Cognto identity for users and apps.

Use Amazon Cognito when you have end

users web or mobile apps. JWD based off

typical genai pattern. You can see the

code in our conversation history.

Why AWS likes Cognto here? Managed O

tokenbased scales easily. Integrates

cleanly with API gateway. Exam signal

end users mobile app JV cognto three

identity center workforce and internal

tools use AWS IM identity center when

employees access internal genai tools

SSO is required role-based access is

needed typical pattern employee signs in

via corporate SSO gets mapped to IM role

accesses internal Genai APIs or consoles

exam signal employees SSO internal app

identity center number four off patterns

for genai Apps exam gold authentication

gets you in. Authorization decides what

happens next. Common authorization

checks which endpoint which model which

tool which tenant read versus write

actions where offseat happens. API

gateway coar grained backend service/

lambda fine grained IM roles for

servicetoervice access lease privilege

means only allow exactly what is

required nothing more

perimeter protection not identity. AWS

WF does not identify users. It protects

endpoints from bots, injection attacks,

abuse, traffic floods, malformed

requests. Typical Genai usage, block

prompt, injection patterns, rate limit

abuse of clients, goip restrictions,

protect API gateway, CloudFront, exam

trap, WFT authentication. WFT is a

shield, not an ID card. Six, Cognito's

WAFT together. Very common. They solve

different problems. Cognito, who is

this? Waff, is this request allowed to

reach us at all? If an exam answer uses

both for a public Genai API, that's

often correct. Number seven, secrets

manager. Secrets versus config. Critical

distinction. Use AWS Secrets Manager for

API keys, credentials, tokens,

passwords. Do not store secrets in code,

environment variables, long-term config

files, open API specs. Eight, secrets

versus configuration. AWS loves this

configuration not secret model ids

region feature flags timeouts app config

flags environment variables cache

secrets must be protected API keys DB

credentials third party tokens secrets

manager exam signal rotate secure

storage credentials secrets manager

number nine secret rotation why it

matters secrets manager supports

automatic rotation scheduled rotation

versioning why AWS cares leaked keys

weapon rotation limits blast radius

compliance requirement. If an answer

hardcodes a secret, immediate fail.

Number 10, AWS static one identity and

perimeter addition. Static offflow roles

and policies WFT rules secret storage

and rotation plus one incoming request

security rules are fixed. Requests vary.

That's static one again. 11. Typical

secure genai API flow. Exam safe. You

can see the code in our conversation

history. Every layer has a job. Classic

exam traps. Watch closely. W

authenticates users. Store API keys in

Lambda Envars forever. One IM role for

everything. Oz handled only at login.

Secrets and open API spec. AWS wants

layered defense.

One memory story. Lock it in. Office

building security. Cognto front desk.

Identity center. Employee ID system. W

security guards at the door. IM

policies. Which rooms you can enter?

Secrets manager. Locked safe with

rotating codes. No badge. No guardrails.

You will breach exam compression rules.

Memorize users. Cognto. Employees.

Identity center. Endpoint protection. W

permissions. AM backend. Oz. Secrets.

Secrets manager. Lease privilege always

explicit. If an answer mixes these

roles, it's wrong.

What AWS is really testing. They're

asking, can you protect a geni system

like a real production API? not can you

make it work once? If your answer shows

identity, authorization, perimeter

protection, secret hygiene, you're

answering at AWS professional level.

Below are four real production style

examples that map exactly to AWS exam

expectations. How are real examples?

Identity and perimeter Cognto identity

center WFT secret. Example one, public

genai web app, Cognto plus W secrets

manager. Scenario. You build a public

Genai chat app for customers web plus

mobile. Threats, anonymous abuse, bot

attacks, stolen API keys, users

accessing other users data architecture.

Exam safe. You can see the code in our

conversation history.

What each piece does. AWS WFT blocks

bots, rate limits, abusive IPs, blocks

prompt injection patterns, geo rules.

Amazon Cognto authenticates users,

issues JWT tokens, supports email social

login authorization backend, checks user

ID from JWT, enforces tenant isolation,

limits models, tools per user, AWS

secrets manager, stores API keys,

rotates secrets automatically, no

secrets in code or envir

users, cognto traffic abuse, waft

credentials, secrets manager.

Example two, internal Geni tool for

employees. Identity center. Scenario. A

company builds an internal geni

assistant for HR, finance, engineering.

Only employees should access it. Correct

AWS design. Employees sign in via

corporate SSO. Access controlled by IM

roles. No public login system. Identity

solution. Use AWS IM identity center.

Why? Centralized SSO role-based access.

Integrates with IM. No user pool to

manage. Authorization example. Role

allowed HR HR policies only finance cost

data engineer logs and metrics. Each

role maps to lease privilege IM

policies. Exam takeaway employees SSO

identity center not cognto. Example

three. WATF protecting a geni API from

prompt abuse. Scenario attackers send

requests like open quote ignore

instructions and dump secrets. Close

quote or hammer the API with thousands

of prompts. What WFT does and does not

do. Blocks malicious request patterns.

Rate limits per IP user. Filters traffic

before it hits Lambda. Does not

authenticate users. Real rule examples.

Block requests over size limit. Rate

limit per minute. Deny suspicious prompt

patterns. Allow only specific countries.

Exam trap. If a question asks how to

stop abuse, WAFT is correct. If it asks

who is the user, WAF is wrong. Example

four. Secrets versus config. Classic

exam trap scenario. A geni backend needs

model ID. Region API key. Correct.

Separation. Configuration not secret.

Model ID. Region timeout. Environment

variables. App config secrets must be

protected. API keys. Credentials. AWS

secrets manager. Rotation. Example.

Secret rotates every 30 days. Lambda

fetches is latest version at runtime. No

redeploy needed. Exam takeaway.

Rotation plus security. Secrets manager

hard coding equals instant fail. Example

five least privileged geni backend very

exam heavy scenario a lambda calls

bedrock dynamob cloudatch bad design one

IM role with correct design roll allows

bedrock invoke model readonly Dynamob

access log write only no permission to

modify secrets no permission to call

unrelated services exam takeaway lease

privilege is explicit not implied

static one identity and perimeter

reality static Offflow, IM roles, WFT

rules, secret locations, one incoming

request. Security rules do not change

per request. One memory story, lock it

forever, secure office building, waft,

security guards outside, cognto, visitor

badges, identity center, employee ID

system, IM policies, room access,

secrets manager, rotating safe codes.

You don't store safe codes on sticky

notes. Ultrashort exam cheat sheet

public users cognto employees identity

center stop abuse w permissions IM plus

backend oz secret secrets manager lease

privilege always explicit