Published by Socrates Ruiz at


Easy authentication on Amazon ECS

Amazon Elastic Container Service (Amazon ECS) is a highly scalable and fast container management service. We can deploy our containerized applications with this service with options to use either Fargate or EC2 as launch type, depending on our requirements.

One advantage of using containers is that we can pack all what our application will need inside the container without affecting other applications. This will also help us to start a microservice architecture, as each container should have only a single process running. Just one (small) part of our entire system, giving us the opportunity to scale each microservice independently, saving cost and also providing a high available and fault tolerant system, by using the feature of Auto Scaling which is also integrated in ECS. With all this, the developers can focus more on the code of the application and leverage all this operational tasks to AWS.


The simplest deployment for ECS can be like this:

We would have our cluster of ECS behind an Elastic Load Balancer (ELB), which will be associated to a Route 53 DNS record, so our users can start using our application. One big important point of this simple deployment is that our application is open to anyone over the internet.

We could restrict the access by doing a whitelist of IPs in our Security Group attached to our ELB, but that would only restrict the range of IPs that can access our application, anyone behind those IPs can still access. Therefore, it is a best practice to add a layer of authentication, and even further, authorization.

For that our developers could create a module in the application that will handle all these steps, but that will take time and effort for the team.

Amazon Cognito to the rescue

Thankfully there is an easier and direct way to do that, by using Amazon Cognito, which provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a username and password, or through a third party such as Facebook, Amazon, Google or Apple.

By using Cognito, our deployment would be then like:

This way the request to the ELB can be authenticated with Cognito and the developers don’t have to change anything on the code to support this. That would be automatically handled by this integration out of the box.

To enable this we would have to use a ELB of type Application Load Balancer and we will assume Cognito has been already configured.

We go to EC2 -> Load balancers and choose the ELB where we want to enable the authentication:

Then we go to the listener we want to configure and click on “Manage rules”.


Then we edit the rule that is forwarding the traffic to our ECS cluster. We click on “Add Action” -> “Authenticate”. We should choose at least the Cognito user pool and App client and then click on “Update”.


After that our ELB rules should look like:

And that would be all, from that point onwards every request to our application will ask for our credentials and our developers didn’t have to change anything on the code.


With these steps we have seen how to enable authentication easily in our application by using Cognito and ELB. On this scenario, we are using ECS behind the ELB, but it can be also an Auto Scaling Group of EC2, a Lambda function or anything compatible with a Target Group for our ELB.

Please consider also that this is only one of many possible scenarios of having our application. We could also have API Gateway in front and integrate it with Cognito, but for that we will have a look some other time.

I hope this can help you to get familiar with the possibilities that we have on AWS and thanks for your time for reading this post.

img img