Security, Identity & Compliance

    Amazon Cognito

    User authentication and access control for web and mobile apps

    Cognito is like a bouncer and membership system for your app. Instead of building your own user registration, login, and password reset system (complex and risky), Cognito handles it all. Users can sign up with email/password, or use social logins (Google, Facebook, Apple). Cognito manages user profiles, handles password resets, sends verification emails, and even supports multi-factor authentication. It's like having a complete identity management system in a box. For mobile apps, Cognito provides temporary AWS credentials so users can access resources (upload photos to S3) without embedding AWS keys in your app.

    Cognito has two main components: User Pools (user directory with authentication) and Identity Pools (provide AWS credentials). User Pools handle sign-up, sign-in, MFA, password policies, and user attributes. They support OAuth 2.0, SAML, and social identity providers. Identity Pools provide temporary AWS credentials (via STS) to authenticated users, allowing direct access to AWS services.

    Key Capabilities

    • User Pools provide a managed user directory with sign-up, sign-in, MFA, password policies, account verification, and social/SAML/OIDC federation; authentication returns JWTs
    • Identity Pools (Federated Identities) exchange a User Pool JWT or third-party identity provider token for temporary AWS credentials via STS, allowing users to call AWS services directly
    • Hosted UI supplies pre-built, customizable sign-in and sign-up pages so you can add auth without building UI from scratch
    • Lambda triggers hook into the auth flow at pre/post authentication, pre sign-up, token generation, and user migration stages for custom logic
    • Adaptive authentication assesses sign-in risk and can require MFA or block requests based on anomalous behavior patterns
    • Advanced security features include compromised credential detection, which flags sign-ins using credentials found in known data breaches

    Gotchas & Constraints

    Gotcha #1: User Pools and Identity Pools are separate; you often use both together (User Pool for authentication, Identity Pool for AWS access). Gotcha #2: Cognito has rate limits that vary by API operation (some as low as 25 RPS by default); implement exponential backoff for high-traffic apps. Constraints: Maximum 40 million users per User Pool, user attributes can't be deleted (only marked as not required), and custom attributes can't be renamed.

    A mobile photo-sharing app needs user authentication and S3 access for photo uploads. Building a custom auth system would take months. They use Cognito User Pools for authentication: users sign up with email/password or Google/Facebook. Cognito handles email verification, password resets, and MFA. For S3 access, they use Cognito Identity Pools, where authenticated users get temporary AWS credentials with permissions to upload to their own S3 prefix (user-id/*). They implement Lambda triggers for custom logic: send welcome emails on sign-up, log user activity to DynamoDB, and block suspicious logins. For the web app, they use Cognito's hosted UI for login pages (no custom UI needed). They enable advanced security features; Cognito detects compromised credentials and forces password resets. During a traffic spike (100,000 new users in one day), Cognito scales automatically without configuration.
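    The per-user S3 prefix in the scenario above is enforced by the IAM policy attached to the Identity Pool's authenticated role, not by application code. The following is an added example, not from this page or the AWS documentation: the over-broad policy beside the scoped one, plus a small hypothetical review helper that flags object-level S3 grants missing the identity-ID variable. The bucket name is a constructed placeholder.

```python
import re

# Added example: permissions policy for an Identity Pool's authenticated role.
# ${cognito-identity.amazonaws.com:sub} expands at evaluation time to the
# caller's Identity Pool identity ID, giving every user a private prefix.
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"
BUCKET = "photo-share-uploads-EXAMPLE"  # constructed placeholder bucket name

# Over-broad: any authenticated user can read or overwrite everyone's photos.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Scoped: object access and listing are confined to <identity-id>/*.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/{SUB_VAR}/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringLike": {"s3:prefix": [f"{SUB_VAR}/*"]}},
        },
    ],
}

OBJECT_ACTIONS = re.compile(r"^s3:(\*|(Put|Get|Delete)Object\*?)$")

def unscoped_object_grants(policy: dict) -> list[str]:
    """Hypothetical review check: object-level S3 grants that lack the
    identity-ID variable, i.e. reachable by any authenticated user."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") != "Allow" or not any(OBJECT_ACTIONS.match(a) for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        findings += [r for r in resources if SUB_VAR not in r]
    return findings
```

    The role's trust policy should additionally pin `cognito-identity.amazonaws.com:aud` to the Identity Pool ID and require `amr` to contain `authenticated`, so only that pool's signed-in users can assume it.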

    The Result

    Production-ready authentication in 2 weeks, secure S3 access, and zero infrastructure management.
