[AWSReInforce2025] Secure and scalable customer IAM with Cognito: Wiz’s success story (IAM221)
Lecturers
Rahul Sharma serves as Principal Product Manager for Amazon Cognito at AWS, driving the roadmap for customer identity and access management (CIAM) at global scale. Alex Vorte functions as Field CTO for Login and RBAC at Wiz, leading identity transformation initiatives that support FedRAMP authorization and enterprise compliance.
Abstract
The case study examines Wiz’s migration of 100,000+ identities to Amazon Cognito, achieving FedRAMP High authorization, 99.9% availability, and 70% cost reduction. It establishes best practices for CIAM modernization—migration strategies, machine identity integration, and SLA alignment—that balance security, scalability, and user experience.
Migration Strategy and Execution Framework
Wiz executed a phased migration across three cohorts:
- Pilot (0-10% users): Parallel authentication flows
- Canary (10-50%): Gradual traffic shift with feature flags
- Cutover (50-100%): Automated bulk migration
    # Bulk migration pseudocode (legacy_db, generate_secure_temp and
    # trigger_password_reset_email are the talk's placeholders; UserPoolId and the
    # Name/Value attribute list are what the Cognito AdminCreateUser API requires)
    import boto3

    cognito = boto3.client("cognito-idp")

    for user in legacy_db.batch(1000):
        cognito.admin_create_user(
            UserPoolId=USER_POOL_ID,
            Username=user.email,
            TemporaryPassword=generate_secure_temp(),
            UserAttributes=[{"Name": k, "Value": v} for k, v in user.profile.items()],
        )
        trigger_password_reset_email(user)
The platform processed 100,000 identities in under one year, with zero downtime during cutover.
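Cohort routing for the phased rollout described above, as an added example that is not code from the talk or from Wiz: users are bucketed with a keyed hash so assignment is sticky across requests and cannot be self-selected, and during the pilot both backends run with the legacy system authoritative and any disagreement flagged before the rollout widens. COHORT_SALT, legacy_auth and cognito_auth are assumed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable


# Cohort boundaries from the talk: pilot 0-10%, canary 10-50%, cutover 50-100%.
class Phase(Enum):
    PILOT = 10
    CANARY = 50
    CUTOVER = 100


# Assumed server-side secret (constructed value) so a user cannot compute or
# choose their own cohort; rotate it only between phases, never mid-phase.
COHORT_SALT = b"constructed-rollout-salt"


def cohort_bucket(user_id: str, salt: bytes = COHORT_SALT) -> int:
    """Deterministic bucket 0..99 for a user; identical on every host and request."""
    digest = hmac.new(salt, user_id.strip().lower().encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 100


def routes_to_cognito(user_id: str, phase: Phase, salt: bytes = COHORT_SALT) -> bool:
    """Buckets below the phase percentage use Cognito; each phase only widens the set."""
    return cohort_bucket(user_id, salt) < phase.value


@dataclass
class AuthResult:
    ok: bool
    backend: str            # which system decided the outcome
    mismatch: bool = False  # parallel run disagreed: investigate before widening rollout


Authenticator = Callable[[str, str], bool]


def authenticate(user_id: str, password: str, phase: Phase,
                 legacy_auth: Authenticator, cognito_auth: Authenticator,
                 salt: bytes = COHORT_SALT) -> AuthResult:
    if not routes_to_cognito(user_id, phase, salt):
        return AuthResult(legacy_auth(user_id, password), "legacy")
    if phase is Phase.PILOT:
        # Parallel flow: both backends run, legacy stays authoritative, disagreements surface.
        legacy_ok = legacy_auth(user_id, password)
        cognito_ok = cognito_auth(user_id, password)
        return AuthResult(legacy_ok, "legacy", mismatch=legacy_ok != cognito_ok)
    return AuthResult(cognito_auth(user_id, password), "cognito")
```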
Security and Compliance Architecture
FedRAMP High requirements drove design decisions:
- Encryption: KMS customer-managed keys for data at rest
- Network: VPC-private user pools with AWS PrivateLink
- Audit: CloudTrail integration for all admin actions
- MFA: Mandatory WebAuthn with hardware key support
Cognito’s built-in compliance (SOC, PCI, ISO) eliminated third-party audit burden.
Scalability and Availability Engineering
Architecture supports 10,000 RPS authentication:
    Global Accelerator → CloudFront → Cognito (multi-AZ)
                             ↓
                  Lambda@Edge for custom auth
SLA achievement:
- RTO: < 4 hours via cross-region replication
- RPO: < 1 minute with continuous backups
- Availability: 99.9% through health checks and auto-scaling
Machine Identity Integration
Beyond human users, Cognito manages:
- Service accounts: OAuth2 client credentials flow
- CI/CD pipelines: Federated tokens via OIDC
- IoT devices: Custom authenticator with X.509 certificates
    // CI/CD token acquisition: Cognito serves the OAuth2 client_credentials grant from the
    // user pool's /oauth2/token endpoint; InitiateAuth has no CLIENT_CREDENTIALS auth flow
    String basic = Base64.getEncoder().encodeToString(
        (PIPELINE_CLIENT_ID + ":" + PIPELINE_CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
    HttpRequest request = HttpRequest.newBuilder(URI.create(USER_POOL_DOMAIN + "/oauth2/token"))
        .header("Authorization", "Basic " + basic)
        .header("Content-Type", "application/x-www-form-urlencoded")
        .POST(HttpRequest.BodyPublishers.ofString("grant_type=client_credentials&scope=" + PIPELINE_SCOPE))
        .build();
    HttpResponse<String> response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
This unified approach reduced identity sprawl by 60%.
Cost Optimization Outcomes
Migration yielded 70% reduction through:
- Elimination of legacy IdP licensing
- Pay-per-monthly-active-user pricing
- Removal of custom auth infrastructure
- Automated user lifecycle management
Best Practices for CIAM Modernization
- Choose migration strategy by risk tolerance: parallel runs for zero-downtime
- Leverage Cognito migration APIs: bulk import with password hash preservation
- Implement progressive enhancement: start with email/password, add MFA/social later
- Align with product roadmap: design partner relationship for feature priority
Conclusion: CIAM as Strategic Enabler
Wiz’s transformation demonstrates that modern CIAM need not compromise between security, scale, and cost. Amazon Cognito provides the managed substrate that absorbs authentication complexity, enabling security teams to focus on policy and governance rather than infrastructure. The migration framework—phased execution, machine identity integration, and SLA engineering—offers a repeatable pattern for enterprises undergoing digital transformation.