Security

Implementing User Authentication with Amazon Cognito - Designing User Pools and Identity Pools

Learn about user authentication with Cognito User Pools, AWS resource access with Identity Pools, and social login integration.

約 3 分で読めます

Overview of Cognito

Cognito is a service that provides authentication, authorization, and user management for web and mobile applications, with the first 50,000 MAU (monthly active users) free. User Pools serve as user directories, managing sign-up, sign-in, and MFA. Identity Pools issue temporary AWS credentials to authenticated users, enabling direct access to AWS resources.

Choosing Between User Pools and Identity Pools

User Pools issue JWT tokens (ID tokens, access tokens, with configurable expiration from 5 minutes to 1 day) that are validated by API Gateway authorizers. Identity Pools receive User Pool tokens and return temporary AWS credentials based on IAM roles. When uploading files to S3 from the frontend, you call the S3 SDK directly using credentials obtained from the Identity Pool. Lambda triggers enable implementing email domain restrictions in Pre Sign-up, sending welcome emails in Post Confirmation, and adding custom claims in Pre Token Generation.

Advanced Authentication Features

Cognito's advanced security features provide adaptive authentication, dynamically determining MFA requirements based on risk level (device, IP address, login history). Logins from familiar devices skip MFA, while access from unknown devices or unusual IPs enforces MFA. Custom authentication flows using Lambda triggers enable implementing CAPTCHA verification and custom MFA. The User Pool hosted UI provides a customizable login page where you can apply your own branding. Token customization allows adding custom claims to ID tokens for use in application-side authorization decisions. To deepen your understanding of Cognito, specialized books on Amazon can also be helpful.

Cognito Pricing

Cognito pricing is based on monthly active users (MAU). The first 10,000 MAU are free, and up to 50,000 MAU costs approximately $0.0055 per MAU. SAML/OIDC federation users cost approximately $0.015 per MAU. Advanced security features (adaptive authentication, compromised credential detection) incur additional charges of approximately $0.050 per MAU. Identity Pool AWS credential issuance is free. With MAU-based billing, registered users who do not log in do not affect costs.

Summary

Cognito is a service that provides user authentication through User Pools and AWS resource access through Identity Pools. It integrates with external IdPs through social login and SAML/OIDC federation, and dynamically applies risk-based MFA through adaptive authentication. With the first 10,000 MAU free, it scales from startups to large-scale applications.

Related Services

Amazon CognitoA service that provides authentication, authorization, and user management for web and mobile applicationsAWS LambdaA serverless compute service that runs code without server managementAmazon API GatewayA fully managed service for creating, publishing, managing, and monitoring APIs

Related Articles

Fine-Grained Authorization with Amazon Verified Permissions - Access Control Using Cedar PoliciesLearn how to externalize authorization logic from application code using the Cedar policy language and implement token-based authorization decisions with Cognito integration.Amazon API Gateway Design Patterns - Choosing Between REST API and HTTP APIClear criteria for choosing between HTTP API and REST API, authentication patterns with Cognito and Lambda authorizers, and practical throttling design techniques.Visually Design Serverless Applications with AWS Application Composer - Automatic IaC Template GenerationLearn about visual design of serverless architectures with Application Composer, automatic SAM template generation, and VS Code integration.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

Implementing User Authentication - Building a Secure Authentication Foundation with CognitoLearn how to design and implement a user authentication foundation using Amazon Cognito, including building authentication flows with user pools, identity pools, and external identity provider federation.Amazon CognitoA fully managed service that adds user authentication and authorization to web and mobile applications, with support for social login and SAML federationDesigning Identity and Access Management - Achieving Zero Trust Security with IAMLearn access management design techniques with AWS IAM, including the principle of least privilege, policy design, and achieving zero trust security through Cognito integration.SSO and Identity Management - Centralized Authentication with AWS IAM Identity CenterLearn how to implement single sign-on and multi-account access management with AWS IAM Identity Center (formerly AWS SSO). Covers external IdP integration, permission set design, and how it differs from Cognito.