Identity and Access Management solution on Amazon Web Services

by Nick Tyson and Paul Melia

With competition for customers, the user experience is critical to the success of a retail website. A great deal of time is spent tuning photos, reducing the number of clicks, and studying cart abandonment rates. But what if you are losing customers before they even get through the front door? Set yourself apart by embracing customer identity and access management (CIAM). Security and convenience can combine to deliver a better customer experience for retail customers on Amazon Web Services (AWS).

The Password Problem

Historically, logging into a website was easy—a simple eight-character password. However, as security has become increasingly critical for online retailers, passwords have become complex combinations of upper case, lower case, symbols and numbers that the customer must remember. Relying on passwords makes it difficult to be both secure and user friendly.

The Solution

By using Amazon Web Services services, it is possible to have the level of security required without relying on complex passwords. Biometrics, tokens and other identifiers effortlessly let your customers access their accounts and make purchases. For example, customers may already have authenticated with Amazon, Apple or Facebook, and that existing connection can be used to log into your website without the customer having to remember an additional login. Building a bespoke system to integrate with biometrics and social media identities is an enormous task for any retailer, and the ongoing maintenance is significant.

There are many Amazon Web Services services which can help make implementing a CIAM passwordless solution as straightforward for you as it is for your customers to use.

Let’s look at the benefits for you and for your customer.

  • Ease of implementation: You can quickly integrate a wide range of passwordless solutions into your existing website: fingerprints, face scan or federated social media.
  • Security: Using Amazon Web Services services for CIAM means you immediately acquire proven security used by customers around the world, helping ensure your customers’ data is secure.
  • Scalability: As your business grows, the CIAM solution can scale with you. Amazon Web Services handles the load by scaling up during your peak periods and scaling down during quiet times—meaning your costs are based only on the compute you use.
  • Personalization: When customers can effortlessly log in to your website, there is a greater opportunity to offer them a personalized experience—using their name, and showing products and offers that will be relevant to them.
  • Stay Engaged: A frustrating login process can lead customers to competitors or result in abandoned carts, rather than waiting for password resets or for a sufficiently complex password to be accepted.
  • Brand Loyalty: The ease with which a customer interacts with you can foster loyalty.
  • Customer Insights: By making customer logins seamless, a customer is more likely to stay logged in so they can receive a personalized experience—giving the retailer more customer data to help drive decisions.
  • Compliance: Using existing Amazon Web Services services helps ensure a high compliance level. To help keep you on top of changes to regulations, Amazon Web Services services have publicly available compliance pages where you can check current standards.
  • Customer lifecycle management: Customers can self-serve when they need to change their profile without having to call contact centers.

High-Level CIAM Architecture

Typically, the first service to implement is Amazon Cognito, which provides customer profile management and the authentication methods discussed above. It enables a retailer to offer a frictionless customer experience.

Amazon Cognito will handle the creation of customer accounts and connect to each customer’s preferred authentication method. Once in place, the retailer can be assured of automatic scalability and can gain deep insights from the data available in databases or file systems.

Figure: Amazon Cognito high-level architecture overview

With Amazon Cognito implemented, customers can now create accounts and manage their profile through self-service. This means calls to customer service are reduced—greatly enhancing the customer experience.

Other benefits:

  • The customer’s experience can be better personalized by knowing their order and browsing patterns.
  • Your clickstream data can now be augmented with specific customer data.
  • Customers won’t be prompted for passwords at checkout, a step that previously resulted in abandoned carts.
  • The improved experience will mean greater loyalty.

Expanding the solution

With the initial setup of Amazon Cognito in place, there are further opportunities to develop the solution and continue to improve the customer experience and security. The following services seamlessly integrate into Amazon Cognito—adding functionality and security to create a secure, scalable, and flexible CIAM solution.

1. Amazon Web Services Lambda: Amazon Cognito provides a fully managed user creation, authentication and authorization service. Amazon Web Services Lambda, a compute service that lets you run code without provisioning or managing servers, can extend it. You can trigger Lambda from the Amazon Cognito workflow if you wish to add customer messages or design different workflows based on customer type: new, returning, or credit customer.

2. Amazon Web Services Secrets Manager or Amazon Web Services Key Management Service (Amazon Web Services KMS): These services manage sensitive information and help to handle credentials securely. They are critical in maintaining the overall security posture of your CIAM solution. Secrets Manager will allow you to safely build customized application flows without reducing the security gained by using Amazon Cognito for customer authentication. Amazon Web Services KMS lets you create, manage, and control cryptographic keys across your applications and Amazon Web Services services, thereby keeping your keys separated from the login process.

3. Amazon Simple Notification Service (Amazon SNS): Amazon SNS can be integrated with Amazon Cognito to enable multi-factor authentication (MFA), as well as other critical messages, for a more robust CIAM solution. Connecting to Amazon SNS is useful if you wish to send one-time passcodes (OTP) to customers at certain points of the journey or for every login. Integration with Amazon SNS is available out-of-the-box with Amazon Cognito.
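As an added illustration of item 1 (this is not code from the post or from AWS), here is a Python handler for Amazon Cognito’s custom-message Lambda trigger that selects the wording of the one-time-code message by customer type. The custom attribute name `custom:customer_type` and the message templates are assumptions made for the example; the trigger-source names are Cognito’s own.

```python
"""Amazon Cognito 'Custom message' Lambda trigger: added example, not code from
the original post. Cognito calls the handler with the event shape below and uses
the returned event; the attribute name 'custom:customer_type' is an assumption."""

# Cognito trigger sources that deliver a one-time code and accept a custom message.
CODE_TRIGGERS = {"CustomMessage_SignUp", "CustomMessage_Authentication",
                 "CustomMessage_ResendCode", "CustomMessage_ForgotPassword"}

# Wording per customer type; {code} is filled with Cognito's placeholder, which
# Cognito later replaces with the real one-time code (never seen by this code).
TEMPLATES = {
    "new": "Welcome! Your verification code is {code}.",
    "returning": "Welcome back. Your sign-in code is {code}.",
    "credit": "Your credit-account sign-in code is {code}.",
}


def customer_type(event):
    """Read the (assumed) custom attribute; unknown or missing values fall back to 'new'."""
    attrs = event.get("request", {}).get("userAttributes", {})
    value = attrs.get("custom:customer_type", "new")
    return value if value in TEMPLATES else "new"


def lambda_handler(event, context=None):
    """Entry point Cognito invokes. Always return the event, modified or not."""
    if event.get("triggerSource") not in CODE_TRIGGERS:
        return event  # other triggers keep Cognito's default messages
    placeholder = event["request"].get("codeParameter", "{####}")
    message = TEMPLATES[customer_type(event)].format(code=placeholder)
    response = event.setdefault("response", {})
    response["emailSubject"] = "Your one-time code"
    response["emailMessage"] = message
    response["smsMessage"] = message
    return event


# Constructed sample event, shaped like a Cognito custom-message invocation.
SAMPLE_EVENT = {
    "triggerSource": "CustomMessage_Authentication",
    "request": {
        "userAttributes": {"email": "user@example.com",
                           "custom:customer_type": "returning"},
        "codeParameter": "{####}",
    },
    "response": {},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT)["response"]["smsMessage"])
```

The function only shapes the message text; the code value is inserted by Cognito after the trigger returns, so nothing sensitive passes through, or needs to be logged by, the Lambda function.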


With retailers’ margins being squeezed, the customer experience becomes a key differentiator. Embracing a CIAM solution on Amazon Web Services can significantly improve your customers’ experience by prioritizing user-friendly, secure authentication methods. Moving away from traditional passwords to biometrics, tokens and social media identities further enhances the customer experience and builds trust.

A CIAM solution built with Amazon Web Services services offers an ease of deployment and integration, with strong security, scalability and compliance. CIAM is a strategic move for retailers to stay one step ahead in the competitive online market.

Contact an Amazon Web Services Representative to learn how we can help accelerate your business.

Further Reading

  • Amazon Web Services Well Architected Review Security Pillar
  • Security, Identity, and Compliance
  • Digital Commerce Solutions