AWS Security & Identity Services

Amazon Cognito

Updated June 23, 2025

Amazon Cognito User Pools

A User Pool is a user directory in Amazon Cognito. It allows users to sign in to your application either directly through the User Pool or through federation with external identity providers (IdPs).

Key Features of User Pools

  • User Directory: Provides a fully managed, secure user directory.

  • Authentication: Handles the user authentication process, including sign-up, sign-in, and password management.

  • Federation: Integrates with social IdPs (like Google, Facebook, Apple) and enterprise IdPs via SAML 2.0 and OpenID Connect (OIDC).

  • User Profiles & Management: Each user has a profile in the directory that you can access and manage via the AWS SDK. Users can be created by self-registration, admin creation, or bulk import.

  • Customizable UI: Offers a customizable, hosted UI for sign-up and sign-in flows.

  • Regional Storage: User profile data is stored within a single AWS Region where the User Pool is created.

  • Sign-in Aliases: Allows users to sign up and sign in using an email address, phone number, or a preferred username.

  • User Pool Groups: Lets you group users to manage permissions and map different IAM roles to different groups.

User Pool Tokens

After a successful authentication, Amazon Cognito User Pools issue JSON Web Tokens (JWTs).

  • ID Token: Contains user profile claims like username, email, etc. It is used to identify the authenticated user within your application.

  • Access Token: Contains scopes and groups. It is used to grant access to protected resources, such as your own APIs or an Amazon API Gateway. Expiration can be set from 5 minutes to 24 hours.

  • Refresh Token: Used to retrieve a new ID token and/or access token without requiring the user to sign in again. Expiration can be set from 1 hour to 10 years.


Amazon Cognito Identity Pools (Federated Identities)

An Identity Pool's primary purpose is to provide temporary, limited-privilege AWS credentials to users, enabling them to access AWS resources directly.

How Identity Pools Work

  1. A user signs in through an identity provider (which can be a Cognito User Pool, a social IdP like Facebook, or a SAML IdP).

  2. The application receives an ID token from the IdP after successful authentication.

  3. The application exchanges this token with the Cognito Identity Pool for temporary AWS credentials.

  4. The application uses these credentials to access authorized AWS services like Amazon S3, DynamoDB, or AWS AppSync on behalf of the user.

Identity Pools also support unauthenticated (guest) access, giving anonymous users a unique identity and temporary credentials of their own.


Amazon Cognito Sync

Cognito Sync is a service and client library that enables cross-device syncing of application-related user data.

  • Functionality: It synchronizes user profile data, stored as key-value pairs, across all of a user's logged-in devices.

  • Storage: Data is stored in a Sync Store linked to a Cognito Identity.

  • Limits:

    • Maximum store size per identity: 20MB

    • Maximum dataset size: 1MB

    • Maximum number of keys per dataset: 1024

  • Offline Access: Data is cached locally on devices so the app can work even when the device is offline.

  • Programmatic Sync: The synchronize() method in the AWS Mobile SDK is used to trigger the sync process between the local cache and the remote Cognito Sync Store.


Key Features & Integrations

Advanced Security Features

  • Adaptive Authentication: Detects unusual sign-in activity (e.g., from new devices or locations), assigns a risk score, and can prompt for additional verification or block the sign-in.

  • Multi-Factor Authentication (MFA): Enhances security by requiring a second verification factor. Supports SMS text messages and Time-based One-Time Passwords (TOTP) from authenticator apps.

  • Compromised Credential Protection: Monitors for and alerts users if their credentials have been compromised in known data breaches, prompting them to change their password.

AWS Lambda Triggers

You can use AWS Lambda functions to customize Cognito workflows at various stages of the user lifecycle.

  • Common Triggers: Pre Sign-up, Post Confirmation, Pre Authentication, Post Authentication, Custom Message, etc.

  • Invocation Type: Cognito invokes Lambda functions synchronously.

  • Timeout: The Lambda function must respond within 5 seconds. Cognito will retry a failed call up to 3 times before the operation times out.
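A Pre Sign-up trigger illustrates the contract described above: Cognito calls the function synchronously with an event describing the sign-up, and the function returns the same event with its response section filled in, or throws to reject the sign-up. The block below is an added example, not code from the page or from AWS; the allowed-domain list is a constructed placeholder. It restricts self-service sign-ups to approved email domains and auto-confirms those users, while leaving federated and admin-created users on Cognito's default handling.

```javascript
// Added example: a Pre Sign-up Lambda trigger that enforces an email-domain allow-list.
// ALLOWED_DOMAINS is a constructed placeholder; replace it with your own policy.
const ALLOWED_DOMAINS = new Set(['example.com', 'example.org']);

// Pure function holding the logic so it can be exercised without the Lambda runtime.
// The event shape (triggerSource, request.userAttributes, response.*) is the one
// Cognito passes to Pre Sign-up triggers.
function preSignUp(event) {
  const email = String(event.request?.userAttributes?.email ?? '').trim().toLowerCase();
  const domain = email.split('@')[1];
  if (!domain || !ALLOWED_DOMAINS.has(domain)) {
    // Throwing rejects the sign-up; Cognito relays the message to the client.
    throw new Error('Sign-up is restricted to approved email domains');
  }
  // Only self-service sign-ups are auto-confirmed. PreSignUp_ExternalProvider and
  // PreSignUp_AdminCreateUser keep the default confirmation flow.
  if (event.triggerSource === 'PreSignUp_SignUp') {
    event.response.autoConfirmUser = true;
    event.response.autoVerifyEmail = true;
  }
  return event;
}

// Lambda entry point. Keep the work here short: Cognito waits at most 5 seconds and
// retries on failure, so the function must also be safe to invoke more than once.
async function handler(event) {
  return preSignUp(event);
}

if (typeof module !== 'undefined') module.exports = { handler, preSignUp };
```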

Cognito Streams

  • You can configure Cognito to push data from the Sync Store to an Amazon Kinesis stream. This allows you to process and analyze user data in real-time.

AWS Amplify

  • Amazon Cognito is a core component of the AWS Amplify framework, making it simple to add authentication and user management to modern web and mobile applications.

User Pools vs. Identity Pools

A common point of confusion is the difference between User Pools and Identity Pools.

| Feature | Amazon Cognito User Pools | Amazon Cognito Identity Pools |
| :--- | :--- | :--- |
| Primary Purpose | Authentication ("Who are you?") | Authorization ("What can you do?") |
| Functionality | User directory for sign-up and sign-in. | Provides temporary AWS credentials to access AWS services. |
| Output | Returns JSON Web Tokens (JWTs) after a successful login. | Returns temporary AWS credentials (access key, secret key, session token). |
| Users | Manages a directory of registered users. | Provides a unique identity for authenticated or anonymous users. |
| Typical Use Case | "I need a login page for my app." | "I need my app's users to upload files to a specific S3 bucket." |


Amazon Cognito Pricing

  • User Pools: Pricing is based on your Monthly Active Users (MAUs). A user is counted as an MAU if there is an identity operation (e.g., sign-in, sign-up, token refresh) related to them within a calendar month.

    • Free Tier: Includes the first 50,000 MAUs for users signing in directly to the User Pool and the first 50 MAUs for users federated from external SAML/OIDC IdPs.

  • Cognito Sync: Pricing is based on the total amount of data stored in the sync store and the number of data synchronization operations performed.