Amazon Cognito

A fully managed service that adds user authentication and authorization to web and mobile applications, with support for social login and SAML federation

Overview

Amazon Cognito is a fully managed service for adding sign-up, sign-in, and access control capabilities to your applications. User pools function as a user directory, supporting email/password authentication, MFA, password policies, and custom authentication flows. It also supports federation with social identity providers such as Google, Facebook, Apple, and Amazon, as well as enterprise identity providers via SAML 2.0 and OpenID Connect. Identity pools grant authenticated users temporary AWS credentials, enabling direct access to AWS resources like S3 and DynamoDB. With a free tier of up to 50,000 monthly active users (MAU), small applications can use Cognito at virtually no cost.

Role Separation Between User Pools and Identity Pools

Cognito has two main components - User Pools and Identity Pools - each serving a distinct role. User Pools handle authentication, providing user registration, sign-in, password reset, MFA, and email/SMS verification. Upon successful authentication, a JWT (JSON Web Token) is issued, which can be used for request authentication with API Gateway or ALB. Identity Pools handle authorization, granting authenticated users from User Pools or external identity providers temporary AWS credentials based on IAM roles. This enables frontend applications to upload directly to S3 buckets or access DynamoDB tables without routing through a backend API. Combining both components provides end-to-end management from authentication through to AWS resource access control. While Azure AD B2C offers similar consumer-facing authentication as a single unified service, Cognito's two-component architecture provides clearer separation of concerns and more granular control over the authorization layer.

Customizing Authentication Flows with Lambda Triggers

Lambda triggers let you customize each stage of the Cognito authentication flow without modifying the core service. Pre-sign-up triggers can validate user attributes, enforce domain restrictions, or auto-confirm users from trusted sources. Post-confirmation triggers can initialize user profiles in DynamoDB or send welcome emails via SES. Pre-token-generation triggers can add custom claims to JWTs, embedding role information or feature flags directly in the token. Custom authentication challenge triggers enable entirely custom authentication flows such as CAPTCHA verification or passwordless login via magic links. Combining social login (Google, Apple, Facebook) with SAML/OIDC federation provides users with multiple sign-in options while maintaining a unified user profile in the User Pool. Specialized books on Amazon can be useful for expanding your knowledge of authentication design.
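Two of the triggers described above, written here as an added example rather than code from the original page: a pre-sign-up handler that enforces an email-domain allow-list and auto-confirms users from a trusted domain, and a pre-token-generation handler that embeds a role claim and a feature flag in the JWT. The event field names follow the documented V1 trigger payloads; the domain lists, the `Admins` group and the `custom:beta` attribute are assumptions for illustration.

```python
"""Cognito Lambda triggers: PreSignUp (domain allow-list) and
PreTokenGeneration V1 (custom claims). Allow-lists, group and
attribute names below are assumed values, not from the page."""

ALLOWED_DOMAINS = {"example.com", "partner.example"}   # assumed policy
AUTO_CONFIRM_DOMAINS = {"example.com"}                 # trusted source


class SignUpRejected(Exception):
    """Any exception raised from PreSignUp makes Cognito reject the sign-up."""


def email_domain(email: str) -> str:
    """Return the lower-cased domain of an address, '' if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower() if sep and local and domain else ""


def pre_sign_up(event, context=None):
    """PreSignUp trigger: reject unknown domains, auto-confirm trusted ones."""
    email = event["request"]["userAttributes"].get("email", "")
    domain = email_domain(email)
    if domain not in ALLOWED_DOMAINS:
        raise SignUpRejected(f"sign-up not permitted for domain '{domain or '?'}'")
    if domain in AUTO_CONFIRM_DOMAINS:
        # Skip the confirmation code and mark the address verified.
        event["response"]["autoConfirmUser"] = True
        event["response"]["autoVerifyEmail"] = True
    return event


def pre_token_generation(event, context=None):
    """PreTokenGeneration (V1) trigger: add role and feature-flag claims."""
    request = event["request"]
    groups = request.get("groupConfiguration", {}).get("groupsToOverride") or []
    attrs = request.get("userAttributes", {})
    claims = {  # V1 claim values must be strings
        "app_role": "admin" if "Admins" in groups else "user",
        "beta_features": "true" if attrs.get("custom:beta") == "1" else "false",
    }
    event["response"]["claimsOverrideDetails"] = {"claimsToAddOrOverride": claims}
    return event
```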

Security Features and Fraud Prevention

Cognito's Advanced Security Features provide multiple layers of protection against unauthorized access. Risk-based adaptive authentication evaluates each sign-in attempt based on factors like device fingerprint, IP address, and geographic location, automatically stepping up to MFA or blocking the attempt when risk is elevated. Compromised credential detection checks user passwords against databases of known breached credentials and can block sign-in or force a password reset when a match is found. The built-in account takeover protection detects patterns consistent with credential stuffing and brute force attacks. On the configuration side, password policies can enforce minimum length, character requirements, and password history. MFA supports both TOTP (authenticator apps) and SMS, with the option to make MFA required or optional per user. For pricing, Cognito is free up to 50,000 MAU, then $0.0055 per MAU beyond that - roughly one-third the per-unit cost of comparable services like Azure AD B2C's Premium tier at $0.01625 per MAU.
