Identity is the New Perimeter: Cognito for Private AI Workloads

Network boundaries don't scope LLM access. Use AWS Cognito groups and strict IAM with session tags so only the right employee can invoke the right model.


A private Bedrock endpoint inside a VPC is necessary but nowhere near sufficient. The auditor's next question is "who, specifically, can call which model with which data?" — and "everyone in the VPC" is not an answer that gets you to production.

Identity is the perimeter that matters. Here's the Cognito + IAM topology that enforces it.

The model

Employee ─► Cognito (SSO + MFA) ─► ID token with groups + dept claim
              │
              └─► STS:AssumeRoleWithWebIdentity
                       │ session tags: dept, clearance
                       └─► Role with Bedrock InvokeModel
                                 (scoped to model ARNs allowed for the claims)

Every Bedrock call is now attributable to a named human via the ID token, and the IAM policy enforces what they can invoke based on their group membership at token-issue time.

The IAM policy that does the work

{
  "Effect": "Allow",
  "Action": "bedrock:InvokeModel",
  "Resource": [
    "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-sonnet-*"
  ],
  "Condition": {
    "StringEquals": {
      "aws:PrincipalTag/dept": ["legal", "compliance"]
    }
  }
}

A user from the marketing department who somehow gets to the endpoint still cannot invoke the model: the Allow statement does not match the dept session tag baked in from Cognito at login, so with no other Allow in play the request is implicitly denied.
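The check described above, as an added offline sketch (not code from the original post, and a simplified model rather than AWS's policy evaluator): it evaluates the page's Allow statement against session tags derived from ID-token claims. The claim names `custom:dept` and `custom:clearance`, the mapping table and the sample model ID are assumptions for illustration.

```python
import fnmatch

# The Allow statement from this page, copied as written.
STATEMENT = {
    "Effect": "Allow",
    "Action": "bedrock:InvokeModel",
    "Resource": ["arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-sonnet-*"],
    "Condition": {"StringEquals": {"aws:PrincipalTag/dept": ["legal", "compliance"]}},
}

# Assumption: which ID-token claim feeds which session tag (claim names are hypothetical).
CLAIM_TO_TAG = {"custom:dept": "dept", "custom:clearance": "clearance"}


def session_tags(claims):
    """Tags the session would carry; a claim absent from the token yields no tag."""
    return {tag: str(claims[c]) for c, tag in CLAIM_TO_TAG.items() if c in claims}


def statement_allows(stmt, action, resource, tags):
    """True only when action, resource and every StringEquals key all match."""
    if stmt["Effect"] != "Allow" or action.lower() != stmt["Action"].lower():
        return False
    if not any(fnmatch.fnmatchcase(resource, pat) for pat in stmt["Resource"]):
        return False
    for key, allowed in stmt["Condition"]["StringEquals"].items():
        tag_name = key.split("/", 1)[1]
        # A missing tag never satisfies StringEquals, and values are case-sensitive.
        if tags.get(tag_name) not in allowed:
            return False
    return True


def decide(claims, model_id, region="us-east-1"):
    """With no matching Allow the request falls through to an implicit deny."""
    arn = f"arn:aws:bedrock:{region}::foundation-model/{model_id}"
    allowed = statement_allows(STATEMENT, "bedrock:InvokeModel", arn, session_tags(claims))
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    sonnet = "anthropic.claude-3-sonnet-20240229-v1:0"  # sample model ID
    for claims in ({"custom:dept": "legal"}, {"custom:dept": "marketing"},
                   {"custom:dept": "Legal"}, {}):
        print(claims, "->", decide(claims, sonnet))
```

The `Legal` and empty-claims cases are worth pinning in a policy test, since a case mismatch in the IdP attribute or an unmapped claim silently removes access rather than raising an error.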

Why this beats network-only isolation

  • A leaked VPN credential no longer means free access to every model. The attacker also needs an employee identity with the right group.
  • Per-model attribution is automatic. CloudTrail records the assumed role, the session tags, and the source identity.
  • Offboarding is one Cognito group removal — not a sweep across IAM users and KMS grants.

The pieces to wire

  1. Cognito User Pool federated to your IdP (Okta, Entra, Workspace).
  2. Group-to-role mapping in the Identity Pool so each group resolves to a distinct IAM role.
  3. Session-tag mappings on the role trust policy that pull from Cognito attributes (dept, clearance, region).
  4. Bedrock IAM policies that reference aws:PrincipalTag for fine-grained model access.
  5. CloudTrail data events on Bedrock, partitioned by userIdentity.sessionContext.sessionIssuer.

That's the entire stack. The auditor question "show me every Claude invocation by your legal team last month" becomes one Athena query against the CloudTrail data lake.

Sovereign AI isn't just "the model runs in your account." It's "every byte of inference is attributable to a named human, enforced by identity, logged immutably." Identity is the perimeter. Build it that way from day one.

Further reading: Cognito Identity Pools.
