MFA & passkeys
Advanced Security
Security spans the login flow, the platform edge, and the data layer. This chapter covers the controls beyond basic realm setup.
Authentication hardening
Section titled “Authentication hardening”Step-up authentication
Adaptive auth
Brute-force defense
STS token-broker
Section titled “STS token-broker”The STS token-broker exchanges a Keycloak-issued token for short-lived cloud credentials
(AssumeRoleWithWebIdentity), so applications and workloads get scoped, expiring access to AWS
(and other) resources without long-lived keys. It’s implemented as a control-plane service over
the Admin/OIDC surfaces — the Cognito Identity Pools equivalent, on open Keycloak.
Edge & network protection
Section titled “Edge & network protection”- CloudFront + WAF/Shield in front of every cell — TLS termination, managed rule sets, rate limiting, and DDoS protection at the edge.
- Private data tier — Aurora and caches are not publicly reachable; access is via the app tier inside the VPC.
- Tenant isolation — pooled tenants get realm-level isolation (own keys, users, clients); regulated tenants get a dedicated silo (own Keycloak + DB) for the strongest boundary.
Secrets, keys & rotation
Section titled “Secrets, keys & rotation”Secrets management
Realm signing keys
Encryption
Auditability
Section titled “Auditability”Every admin change and auth event flows through the analytics pipeline into an immutable event history — the basis for access reviews and audit evidence.
Compliance posture (honest)
Section titled “Compliance posture (honest)”Data residency
Section titled “Data residency”Region pinning keeps a tenant’s data in a chosen region to meet residency requirements; the cross-cloud standby option extends this to a second cloud for sovereignty.