Amazon Cognito (Popular, 2014 to present)
A service that provides authentication, authorization, and user management for web and mobile applications
What It Does
Amazon Cognito is a service that adds user sign-up, sign-in, and access control capabilities to web and mobile applications. User pools manage user registration and authentication, while identity pools grant authenticated users access permissions to AWS resources. It also supports social login with Google, Facebook, Apple, and others, as well as integration with SAML-based enterprise identity providers.
Use Cases
Cognito is used to implement email and password sign-up/sign-in functionality in web applications, and to add social login with Google accounts. It is also used for access control implementations that allow only authenticated users to access S3 buckets or API Gateway endpoints.
Everyday Analogy
Think of it like the entrance gate at a theme park. Visitors (users) either show their annual pass at the gate (sign in as an existing user) or purchase a new ticket (sign up). Once through the gate, the type of ticket determines which areas they can access (authorization). Cognito serves as this entrance gate, managing who can access which resources.
What Is Cognito?
Amazon Cognito is a service that manages authentication (identity verification) and authorization (granting access permissions) for applications. It provides features like user registration, login, password reset, and multi-factor authentication (MFA) without having to build them yourself. It is a fully managed service that scales to millions of users, with security best practices built in.
User Pools and Identity Pools
Cognito has two main components. User pools are user directories that manage user registration and authentication. They provide sign-up, sign-in, password reset, and MFA features, issuing JWT tokens upon successful authentication. Identity pools grant authenticated users temporary AWS credentials, enabling direct access to AWS resources like S3 and DynamoDB.
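The JWTs a user pool issues are only worth trusting after the relying party checks them: the signature against the pool's published JWKS keys, the issuer (which pins the token to one user pool), the token_use claim (ID versus access token), the app client (aud for ID tokens, client_id for access tokens) and the expiry. The following added example is not code from the page or from AWS; it is a pure-Python claim validator that takes the RS256 signature check as an injected callable (a real deployment would fetch the JWKS from the issuer's /.well-known/jwks.json and verify with an RSA library), so it runs offline against constructed tokens. The region, pool ID, client ID, kid and placeholder signature are all made up.

```python
import base64
import json
import time
from typing import Callable, Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def cognito_issuer(region: str, user_pool_id: str) -> str:
    """Issuer URL of a user pool; its signing keys are published at <issuer>/.well-known/jwks.json."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def verify_cognito_jwt(token: str, *, region: str, user_pool_id: str, client_id: str,
                       expected_token_use: str,
                       verify_signature: Callable[[str, bytes, bytes], bool],
                       now: Optional[float] = None) -> dict:
    """Return the claims if `token` is a live Cognito token for this app client; raise ValueError otherwise.

    verify_signature(kid, signing_input, signature) must check the RS256 signature against the JWKS
    key with that kid. It is injected so this example runs without network access or an RSA library.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    signature = _b64url_decode(parts[2])
    # Cognito signs with RS256; reject anything else (including alg=none) before looking at claims
    if header.get("alg") != "RS256" or "kid" not in header:
        raise ValueError("unexpected algorithm or missing kid")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    if not verify_signature(header["kid"], signing_input, signature):
        raise ValueError("bad signature")
    # Issuer pins the token to one user pool; token_use separates ID tokens from access tokens
    if claims.get("iss") != cognito_issuer(region, user_pool_id):
        raise ValueError("wrong issuer")
    if claims.get("token_use") != expected_token_use:
        raise ValueError("wrong token_use")
    # ID tokens carry the app client ID in 'aud'; access tokens carry it in 'client_id'
    audience = claims.get("aud") if expected_token_use == "id" else claims.get("client_id")
    if audience != client_id:
        raise ValueError("token not issued for this app client")
    current = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= current:
        raise ValueError("token expired")
    return claims


def token_error(token: str, **kwargs) -> str:
    """Convenience wrapper: '' when the token verifies, otherwise the rejection reason."""
    try:
        verify_cognito_jwt(token, **kwargs)
        return ""
    except ValueError as exc:
        return str(exc)


# --- constructed demo material (not real Cognito output) ---------------------------------
DEMO_KID = "demo-kid"
DEMO_SIGNATURE = b"demo-signature"


def build_demo_token(claims: dict, alg: str = "RS256", kid: str = DEMO_KID) -> str:
    """Assemble a token with a placeholder signature so the claim checks can be exercised offline."""
    header = {"alg": alg, "kid": kid}
    return ".".join([
        _b64url_encode(json.dumps(header).encode("utf-8")),
        _b64url_encode(json.dumps(claims).encode("utf-8")),
        _b64url_encode(DEMO_SIGNATURE),
    ])


def demo_signature_check(kid: str, signing_input: bytes, signature: bytes) -> bool:
    """Stand-in for the JWKS/RS256 check: accepts only the demo kid with the placeholder signature."""
    return kid == DEMO_KID and signature == DEMO_SIGNATURE
```

The order of the checks matters: algorithm and signature are rejected before any claim is read, so an attacker-controlled payload never influences which key or which validation branch is used. An API Gateway or backend that only decodes the payload and reads the sub claim, without these checks, accepts tokens from any pool or any expired session.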
Social Login and Enterprise Identity Federation
Cognito supports federation with external identity providers. By configuring social identity providers such as Google, Facebook, Apple, and Amazon, users can sign in with their existing accounts. For enterprises, it supports SAML 2.0 and OpenID Connect (OIDC), enabling SSO (Single Sign-On) with enterprise identity providers like Active Directory and Okta. For practical know-how on social login and enterprise identity federation, specialized books on Amazon are also a great resource.
Getting Started
To get started with Cognito, create a user pool in the Cognito console. Configure sign-in methods (email, phone number, username) and password policies, then create an app client. For frontend applications, using the Amplify library lets you integrate sign-up and sign-in UI with just a few lines of code. The free tier includes up to 50,000 monthly active users at no charge.
Things to Watch Out For
- Some user pool settings (sign-in attributes, MFA types, etc.) cannot be changed after creation. Thoroughly review your requirements before creating one
- The free tier covers up to 50,000 MAU (monthly active users). Social login and SAML federation users have a separate pricing structure
- Cognito ID and access tokens expire after 1 hour by default. Implement token refresh logic (using the refresh token) on the application side
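One way to structure the refresh logic the last point calls for, as an added example that is not code from the page or from AWS: a small session object renews the token set with the REFRESH_TOKEN_AUTH flow of InitiateAuth shortly before expiry, and computes the SECRET_HASH (Base64 of HMAC-SHA256 over username + client ID, keyed with the client secret) that Cognito requires when the app client has a secret. The client is injected as anything with a boto3-style initiate_auth method, so the block runs offline against the constructed FakeCognitoClient below; the client ID, username, secret and token strings are all made up. Which username value to hash is left to the caller, since it depends on how the pool's sign-in attributes are configured.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Any, Optional

REFRESH_MARGIN_SECONDS = 60  # renew shortly before expiry so requests already in flight do not get a 401


def compute_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH required when the app client has a client secret:
    Base64(HMAC-SHA256(key=client_secret, message=username + client_id))."""
    digest = hmac.new(client_secret.encode("utf-8"), (username + client_id).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


@dataclass
class TokenSet:
    access_token: str
    id_token: str
    refresh_token: str
    expires_at: float  # Unix time at which the access and ID tokens expire


class CognitoSession:
    """Holds a token set and renews it with REFRESH_TOKEN_AUTH when it is about to expire.

    `client` is anything with a boto3-style initiate_auth(**kwargs) method (assumption: a fake is passed here).
    """

    def __init__(self, client: Any, client_id: str, username: str, tokens: TokenSet,
                 client_secret: Optional[str] = None):
        self.client = client
        self.client_id = client_id
        self.username = username
        self.tokens = tokens
        self.client_secret = client_secret

    def needs_refresh(self, now: float) -> bool:
        return now >= self.tokens.expires_at - REFRESH_MARGIN_SECONDS

    def access_token(self, now: float) -> str:
        """Return a token that is still valid at `now`, refreshing first if needed."""
        if self.needs_refresh(now):
            self.refresh(now)
        return self.tokens.access_token

    def refresh(self, now: float) -> TokenSet:
        params = {"REFRESH_TOKEN": self.tokens.refresh_token}
        if self.client_secret:
            params["SECRET_HASH"] = compute_secret_hash(self.username, self.client_id, self.client_secret)
        response = self.client.initiate_auth(
            ClientId=self.client_id,
            AuthFlow="REFRESH_TOKEN_AUTH",
            AuthParameters=params,
        )
        result = response["AuthenticationResult"]
        # Keep the existing refresh token unless the response carries a new one
        self.tokens = TokenSet(
            access_token=result["AccessToken"],
            id_token=result["IdToken"],
            refresh_token=result.get("RefreshToken", self.tokens.refresh_token),
            expires_at=now + result["ExpiresIn"],
        )
        return self.tokens


class FakeCognitoClient:
    """Constructed stand-in for the cognito-idp client: records calls and hands out numbered demo tokens."""

    def __init__(self, expires_in: int = 3600):
        self.calls = []
        self.expires_in = expires_in

    def initiate_auth(self, **kwargs):
        self.calls.append(kwargs)
        n = len(self.calls)
        return {"AuthenticationResult": {"AccessToken": f"access-{n}", "IdToken": f"id-{n}",
                                         "ExpiresIn": self.expires_in, "TokenType": "Bearer"}}


def demo() -> list:
    """Walk one session across the 1-hour default lifetime; each tuple is (now, token used, refreshes so far)."""
    client = FakeCognitoClient()
    session = CognitoSession(client, "client-abc", "alice",
                             TokenSet("access-0", "id-0", "refresh-0", expires_at=3600),
                             client_secret="demo-secret")
    return [(now, session.access_token(now), len(client.calls)) for now in (0, 1800, 3540, 3600, 7200)]
```

Refreshing on a margin rather than on a 401 keeps the access token usable end to end, and keeping the refresh token out of the per-request path means only the short-lived access token is ever sent to the API.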