You are currently viewing content for use with Unreal Engine software.
Identity and authentication solution architecture
This topic offers a detailed description of the AWS solution that provides cloud-based backend services to support the AWS GameKit identity and authentication feature. You don't have to master this information before using AWS GameKit to build the feature into your game and maintain it. However, it is useful for gaining a deeper understanding of the AWS services and resources that are deployed for your game backend. You always have the option to view the backend components directly in AWS and use them with other AWS services, such as for monitoring or analytics. If you want to further customize or extend your game's backend services beyond what is available through AWS GameKit, you need to understand the role of each component in the solution.
The identity and authentication backend architecture implements the following call flow to authenticate an API request from a game client:
1. A game client calls an identity and authentication API operation, which prompts AWS GameKit to send a request to the Amazon API Gateway endpoint.
2. Amazon Cognito verifies the game client's access token, if present. If the token is absent or invalid, the client is redirected to the sign-in page.
3. The game client authenticates with the player's sign-in credentials (username/password or Facebook sign-in) and receives an Amazon Cognito ID token.
4. The game client repeats the API request with the Amazon Cognito ID token.
5. The game client request is passed through to the relevant Lambda function, along with the now-validated Amazon Cognito ID token.
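The last step of the call flow above, as an added example (not AWS GameKit's own code): a Lambda handler that takes the player's identity only from the token claims validated upstream, never from the request body. It assumes an API Gateway REST API with a Cognito user pool authorizer and Lambda proxy integration, which places the claims at requestContext.authorizer.claims. The issuer, app client ID, player_id body field, and sample event are constructed for illustration.

```python
import json

# Assumed values for this sketch; real ones come from the deployed user pool.
EXPECTED_ISSUER = "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_EXAMPLE"
EXPECTED_AUDIENCE = "example-app-client-id"

def _response(status, body):
    return {"statusCode": status, "body": json.dumps(body)}

def player_id_from_event(event):
    """Return the Cognito `sub` from authorizer-validated claims, or None."""
    ctx = event.get("requestContext") or {}
    claims = (ctx.get("authorizer") or {}).get("claims")
    if not isinstance(claims, dict):
        return None  # route was reached without the authorizer attached
    if claims.get("token_use") != "id":
        return None  # the flow above expects an ID token, not an access token
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None  # token issued by another user pool or app client
    return claims.get("sub") or None

def handler(event, context=None):
    player_id = player_id_from_event(event)
    if player_id is None:
        return _response(401, {"error": "unauthenticated"})
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return _response(400, {"error": "invalid JSON"})
    if not isinstance(body, dict):
        return _response(400, {"error": "body must be a JSON object"})
    # Identity comes only from the validated token, never from the request body.
    claimed = body.get("player_id")  # hypothetical client-supplied field
    if claimed is not None and claimed != player_id:
        return _response(403, {"error": "player_id does not match token"})
    return _response(200, {"player_id": player_id})

def sample_event(body, **claim_overrides):
    """Constructed proxy event; all values are made up for the example."""
    claims = {"sub": "11111111-2222-3333-4444-555555555555", "token_use": "id",
              "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE}
    claims.update(claim_overrides)
    return {"requestContext": {"authorizer": {"claims": claims}},
            "body": json.dumps(body)}

if __name__ == "__main__":
    print(handler(sample_event({"player_id": "someone-else"})))
```

The issuer and audience checks repeat what the authorizer already enforces, so they only matter if a route is later deployed without the authorizer or pointed at a different user pool.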
Identity and authentication services
All AWS GameKit solutions rely on a core set of AWS services, as described in Core services.
The following services are used to manage identity and authentication activity:
Amazon Cognito
AWS GameKit creates an Amazon Cognito user pool to manage player identities and authentication credentials. The user pool can be configured to accept an email/password or a variety of external identity providers, including Facebook. Amazon Cognito manages the sign-in verification and password recovery workflows.
AWS Lambda
AWS GameKit uses a Lambda function to manage the process of storing identity information in an Amazon DynamoDB table when a player successfully registers.
Amazon DynamoDB
AWS GameKit creates a DynamoDB table to track player identity information. For example, a player's username can be linked to both an email address and their account with an external identity provider.
Identity and authentication data encryption
Player data is encrypted both in transit and at rest.
In transit, AWS GameKit uses transport layer security (TLS) 1.2 or later for communication between a game frontend and backend components on AWS. All AWS GameKit game features use the Amazon API Gateway service to accept and process API calls. Learn more in the API Gateway Developer Guide, Data protection in transit.
At rest, player identity data is encrypted by the AWS services that the identity and authentication game feature uses. These services comply with industry standards. Learn more about how these services handle data encryption at rest:
Amazon Cognito Developer Guide, Data protection in Amazon Cognito
Amazon DynamoDB Developer Guide, DynamoDB encryption at rest