Amazon Cognito
User authentication and access control for web and mobile apps
Cognito is like a bouncer and membership system for your app. Instead of building your own user registration, login, and password reset system (complex and risky), Cognito handles it all. Users can sign up with email/password, or use social logins (Google, Facebook, Apple). Cognito manages user profiles, handles password resets, sends verification emails, and even supports multi-factor authentication. It's like having a complete identity management system in a box. For mobile apps, Cognito provides temporary AWS credentials so users can access resources (upload photos to S3) without embedding AWS keys in your app.
Cognito has two main components: User Pools (user directory with authentication) and Identity Pools (provide AWS credentials). User Pools handle sign-up, sign-in, MFA, password policies, and user attributes. They support OAuth 2.0, SAML, and social identity providers. Identity Pools provide temporary AWS credentials (via STS) to authenticated users, allowing direct access to AWS services.
Key Capabilities
Key features: adaptive authentication (risk-based MFA), advanced security (compromised credential detection), custom authentication flows (Lambda triggers), and hosted UI (pre-built login pages).
Gotchas & Constraints
Gotcha #1: User Pools and Identity Pools are separate; you often use both together (User Pool for authentication, Identity Pool for AWS access).
Gotcha #2: Cognito has rate limits that vary by API operation (some as low as 25 RPS by default); implement exponential backoff for high-traffic apps.
Constraints: Maximum 40 million users per User Pool, user attributes can't be deleted (only marked as not required), and custom attributes can't be renamed.
A mobile photo-sharing app needs user authentication and S3 access for photo uploads. Building a custom auth system would take months. They use Cognito User Pools for authentication: users sign up with email/password or Google/Facebook. Cognito handles email verification, password resets, and MFA. For S3 access, they use Cognito Identity Pools, where authenticated users get temporary AWS credentials with permissions to upload to their own S3 prefix (user-id/*). They implement Lambda triggers for custom logic: send welcome emails on sign-up, log user activity to DynamoDB, and block suspicious logins. For the web app, they use Cognito's hosted UI for login pages (no custom UI needed). They enable advanced security features; Cognito detects compromised credentials and forces password resets. During a traffic spike (100,000 new users in one day), Cognito scales automatically without configuration.
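As an added illustration (not code from the page or from AWS), here is the per-user prefix scoping described above expressed as the Identity Pool's authenticated-role policy, using the `${cognito-identity.amazonaws.com:sub}` policy variable, placed beside the overbroad form it replaces; the bucket name and identity IDs are constructed placeholders, and the evaluator is a toy that models only resource-ARN matching, not full IAM evaluation.

```python
"""Per-user S3 prefix scoping for Cognito Identity Pool credentials (illustrative).
The evaluator only models resource-ARN matching for Allow-only policies, not the
full IAM evaluation logic; bucket name and identity IDs are constructed placeholders.
"""
import fnmatch

BUCKET = "example-photo-bucket"                      # constructed placeholder
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"   # resolves to the caller's identity ID

# Weak: any authenticated user can read/write every object in the bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Scoped: each identity may only touch objects under its own <identity-id>/ prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/{SUB_VAR}/*",
    }],
}


def is_allowed(policy: dict, identity_id: str, action: str, key: str) -> bool:
    """Resolve the policy variable for this caller, then match the object ARN."""
    resource_arn = f"arn:aws:s3:::{BUCKET}/{key}"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for pattern in resources:
            # IAM's '*' spans any characters, '/' included; fnmatch behaves the same way.
            resolved = pattern.replace(SUB_VAR, identity_id)
            if action in actions and fnmatch.fnmatchcase(resource_arn, resolved):
                return stmt["Effect"] == "Allow"
    return False  # no statement matched: implicit deny


if __name__ == "__main__":
    alice = "us-east-1:11111111-aaaa-4bbb-8ccc-000000000001"  # constructed identity IDs
    bob = "us-east-1:22222222-aaaa-4bbb-8ccc-000000000002"
    print(is_allowed(OVERBROAD_POLICY, alice, "s3:PutObject", f"{bob}/photo.jpg"))  # True: cross-user write
    print(is_allowed(SCOPED_POLICY, alice, "s3:PutObject", f"{bob}/photo.jpg"))     # False
    print(is_allowed(SCOPED_POLICY, alice, "s3:PutObject", f"{alice}/photo.jpg"))   # True
```

Because the variable is resolved per request from the caller's temporary STS credentials, the same role serves every user without any per-user policy management.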
The Result
Production-ready authentication in 2 weeks, secure S3 access, and zero infrastructure management.