Cognito

Amazon Cognito

Amazon Cognito
~ Last updated on : ~ jayendrapatil ~ 1 Comment

Amazon Cognito

  • Amazon Cognito provides authentication, authorization, and user management for web and mobile apps, AI agents, and microservices.
  • Amazon Cognito processes more than 100 billion authentications per month, providing comprehensive identity and access management for both human users and machine identities.
  • Users can sign in directly with a username and password, through passwordless methods (passkeys, email OTP, SMS OTP), or through a third party such as Facebook, Amazon, Google, or Apple.
  • Cognito has two main components:
    • User pools are user directories that provide sign-up and sign-in options for the app users.
    • Identity pools enable you to grant the users access to other AWS services.
  • Cognito is tightly integrated with Amazon Bedrock AgentCore Identity, serving as a trusted identity provider to enable secure agent access to AWS and third-party resources.

Amazon Cognito

Cognito User Pool Feature Tiers

  • Amazon Cognito offers three feature tiers for user pools (introduced Nov 2024): Lite, Essentials, and Plus.
  • The default plan for new user pools is Essentials.
  • Lite
    • Low-cost plan for user pools with lower numbers of monthly active users.
    • Includes basic authentication features, sign-in, and the classic hosted UI.
    • Does not include newer features like access-token customization or passkey authentication.
  • Essentials
    • Includes all Lite features plus the latest authentication capabilities.
    • Supports Managed Login with customizable branding via a no-code visual editor.
    • Supports passwordless authentication (passkeys, email OTP, SMS OTP).
    • Supports email MFA and choice-based sign-in.
    • Supports access token customization at runtime via Lambda triggers.
    • Supports password reuse prevention policies.
  • Plus
    • Includes all Essentials features plus advanced threat protection.
    • Supports risk-based adaptive authentication to detect suspicious sign-ins.
    • Detects compromised credentials and passwords.
    • Generates logs of user activity details and risk evaluations.
    • Allows exporting user authentication event logs to external services for analysis.

Cognito User Pools

  • User pools are for authentication (identity verification).
  • User pools are user directories that provide sign-up and sign-in options for web and mobile app users.
  • User pool helps users sign in to the web or mobile app, or federate through a third-party identity provider (IdP).
  • All user pool members have a directory profile, whether the users sign in directly or through a third party, that can be accessed through an SDK.
  • After successfully authenticating a user, Cognito issues JSON web tokens (JWT) that can be used to secure and authorize access to your own APIs, or exchange for AWS credentials.
  • User pools provide:
    • Sign-up and sign-in services.
    • Managed Login – a fully-managed, hosted sign-in and sign-up experience with a no-code visual editor for branding customization (available in Essentials and Plus tiers).
    • Classic hosted UI for basic login pages (available in all tiers).
    • Social sign-in with Facebook, Google, Apple, or Amazon, and through SAML and OIDC identity providers from the user pool.
    • Passwordless authentication using WebAuthn passkeys (FIDO2), email one-time passwords, or SMS one-time passwords (Essentials and Plus tiers).
    • User directory management and user profiles.
    • Security features such as MFA (SMS, authenticator apps, and email OTP), checks for compromised credentials, account takeover protection, and phone and email verification.
    • Access token customization – use Lambda triggers to add custom claims and scopes to access tokens at runtime (Essentials and Plus tiers).
    • Customized workflows and user migration through Lambda triggers.
    • Machine-to-machine (M2M) authorization using OAuth 2.0 client credentials grants for non-human entities (available in all tiers).
    • Resource binding (RFC 8707) – resource servers can perform audience verification of access tokens for enhanced API protection.
  • Use cases
    • Design sign-up and sign-in webpages for your app.
    • Access and manage user data.
    • Track user device, location, and IP address, and adapt to sign-in requests of different risk levels.
    • Use a custom authentication flow for your app.
    • Authenticate AI agents and microservices using M2M authorization.
    • Implement passwordless sign-in with passkeys for phishing-resistant authentication.

Cognito Managed Login

  • Managed Login is a fully-managed, hosted sign-in and sign-up experience introduced in November 2024.
  • Provides a no-code visual editor (branding editor) to customize colors, positioning, backgrounds, images, logos, fonts, and layout.
  • Covers the complete user journey from signup and login to password recovery and multi-factor authentication.
  • Available in Essentials and Plus tiers (replaces the need for the classic hosted UI).
  • Supports all authentication methods including passwordless options.
  • Available in AWS GovCloud (US) Regions (March 2025).

Cognito Identity Pools

  • Identity pools are for authorization (access control).
  • Identity pool helps users obtain temporary AWS credentials to access AWS services.
  • Identity pools support both authenticated and unauthenticated identities.
  • Unauthenticated identities typically belong to guest users.
  • Authenticated identities belong to users who are authenticated by any supported identity provider:
    • Cognito user pools
    • Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple
    • OpenID Connect (OIDC) providers
    • SAML identity providers
    • Developer authenticated identities
  • Each identity type has a role with policies assigned that determines the AWS services that the role can access.
  • Identity Pools do not store any user profiles.
  • Use cases
    • Give your users access to AWS resources, such as S3 and DynamoDB.
    • Generate temporary AWS credentials for unauthenticated users.

Machine-to-Machine (M2M) Authorization

  • Amazon Cognito supports OAuth 2.0 client credentials grants for machine-to-machine (M2M) authorization.
  • Used for authenticating communication between applications, microservices, APIs, and AI agents without user interaction.
  • Issues short-lived, scoped access tokens instead of static API keys.
  • Supports custom scopes through resource servers to define granular access controls.
  • Supports enhanced context for M2M authorization flows (April 2025), allowing additional contextual information in client credentials requests.
  • Supports client secret rotation with up to two active secrets per app client (February 2026).
  • Supports custom client secrets (bring your own) for new or existing app clients.
  • Integrates with Amazon Bedrock AgentCore Identity for securing AI agent access to resources.

Multi-Region Replication

  • Amazon Cognito supports multi-Region replication (June 2026) for business continuity and disaster recovery.
  • Automatically synchronizes user data, credentials, user pool configurations, and federation setups to a secondary AWS Region in near real-time.
  • Enables uninterrupted authentication during regional failovers without forced password resets.
  • Replication flows in one direction from the primary Region to the secondary Region.
  • Supports customer-managed AWS KMS keys for full control over data encryption at rest.
  • Supports high-throughput performance with tens of millions of users per user pool and thousands of transactions per second (TPS).

Cognito Sync

⚠️ Note: AWS recommends using AWS AppSync instead of Amazon Cognito Sync for new implementations.

AWS AppSync provides similar data synchronization capabilities with additional features including real-time collaboration, multi-user sync, and GraphQL-based APIs.

  • Cognito Sync is an AWS service and client library that makes it possible to sync application-related user data across devices.
  • Cognito Sync can synchronize user profile data across mobile devices and the web without using your own backend.
  • The client libraries cache data locally so that the app can read and write data regardless of device connectivity status.
  • When the device is online, the data can be synchronized.
  • If you set up push sync, other devices can be notified immediately that an update is available.
  • Sync store is a key/value pair store linked to an identity.
  • Migration: New implementations should use AWS AppSync, which provides real-time and offline capabilities with GraphQL-based managed service.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A company is building a social media mobile and web app for consumers. They want the application to be available on all desktop and mobile platforms, while being able to maintain user preferences across platforms. How can they implement the authentication to support the requirement?
    1. Use AWS Cognito
    2. Use AWS Glue
    3. Use Web Identity Federation
    4. Use AWS IAM
  2. A Developer needs to create an application that supports Security Assertion Markup Language (SAML) and Facebook authentication. It must also allow access to AWS services, such as Amazon DynamoDB. Which AWS service or feature will meet these requirements with the LEAST amount of additional coding?
    1. AWS AppSync
    2. Amazon Cognito identity pools
    3. Amazon Cognito user pools
    4. Amazon Lambda@Edge
  3. A development team is designing a mobile app that requires multi-factor authentication. Which steps should be taken to achieve this? (Choose two.)
    1. Use Amazon Cognito to create a user pool and create users in the user pool.
    2. Send multi-factor authentication text codes to users with the Amazon SNS Publish API call in the app code.
    3. Enable multi-factor authentication for the Amazon Cognito user pool.
    4. Use AWS IAM to create IAM users.
    5. Enable multi-factor authentication for the users created in AWS IAM.
  4. A Developer is building a mobile application and needs any update to user profile data to be pushed to all devices accessing the specific identity. The Developer does not want to manage a back end to maintain the user profile data. What is the MOST efficient way for the Developer to achieve these requirements using Amazon Cognito?
    1. Use Cognito federated identities.
    2. Use a Cognito user pool.
    3. Use Cognito Sync. (Note: For new implementations, AWS recommends AWS AppSync instead of Cognito Sync)
    4. Use Cognito events.
  5. A company wants to implement phishing-resistant, passwordless authentication for their customer-facing web application. Which Amazon Cognito feature should they use?
    1. SMS-based MFA
    2. WebAuthn passkeys with the Essentials or Plus feature tier
    3. Custom authentication flow with Lambda triggers
    4. Social identity provider federation
  6. A company needs to authenticate communication between its microservices without user interaction, using short-lived tokens instead of static API keys. Which Amazon Cognito feature should they implement?
    1. Cognito User Pool with custom authentication
    2. Cognito Identity Pool with developer authenticated identities
    3. OAuth 2.0 client credentials grant (M2M authorization)
    4. SAML-based federation with an external IdP
  7. A company requires that its authentication system maintains availability during an AWS Regional outage without requiring users to reset their passwords. Which Amazon Cognito feature addresses this requirement?
    1. Cognito Identity Pools with multiple providers
    2. Custom domain with Route 53 failover
    3. Multi-Region replication with a secondary user pool
    4. Lambda triggers with cross-Region DynamoDB Global Tables
  8. An organization wants to implement risk-based adaptive authentication that automatically blocks or challenges suspicious sign-in attempts. Which Amazon Cognito feature tier is required?
    1. Lite
    2. Essentials
    3. Plus
    4. Any tier with advanced security enabled

References

AWS Identity Services Cheat Sheet

~ Last updated on : ~ jayendrapatil

AWS Identity Services Cheat Sheet

AWS Identity and Security Services

IAM – Identity & Access Management

  • securely control access to AWS services and resources
  • helps create and manage user identities and grant permissions for those users to access AWS resources
  • helps create groups for multiple users with similar permissions
  • not appropriate for application authentication
  • is Global and does not need to be migrated to a different region
  • helps define Policies,
    • in JSON format
    • all permissions are implicitly denied by default
    • most restrictive policy wins
  • IAM Role
    • helps grants and delegate access to users and services without the need of creating permanent credentials
    • IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls
    • needs Trust policy to define who and Permission policy to define what the user or service can access
    • used with Security Token Service (STS), a lightweight web service that provides temporary, limited privilege credentials for IAM users or for authenticated federated users
    • IAM role scenarios
      • Service access for e.g. EC2 to access S3 or DynamoDB
      • Cross Account access for users
        • with user within the same account
        • with user within an AWS account owned the same owner
        • with user from a Third Party AWS account with External ID for enhanced security
      • Identity Providers & Federation
        • AssumeRoleWithWebIdentity – Web Identity Federation, where the user can be authenticated using external authentication Identity providers like Amazon, Google or any OpenId IdP
        • AssumeRoleWithSAML – Identity Provider using SAML 2.0, where the user can be authenticated using on premises Active Directory, Open Ldap or any SAML 2.0 compliant IdP
        • AssumeRole (recommended) or GetFederationToken – For other Identity Providers, use Identity Broker to authenticate and provide temporary Credentials
  • IAM MFA (Multi-Factor Authentication)
    • AWS supports FIDO2 passkeys, virtual MFA devices (authenticator apps), and hardware MFA tokens
    • SMS MFA has been discontinued – use FIDO2 passkeys or virtual/hardware MFA devices instead
    • AWS enforces MFA for root users across all account types (rolled out 2024-2025)
    • FIDO2 passkeys use public key cryptography for phishing-resistant authentication
    • Up to 8 MFA devices can be registered per IAM user
  • IAM Best Practices
    • Do not use Root account for anything other than billing
    • Create Individual IAM users
    • Use groups to assign permissions to IAM users
    • Grant least privilege
    • Use IAM roles for applications on EC2
    • Delegate using roles instead of sharing credentials
    • Rotate credentials regularly
    • Use Policy conditions for increased granularity
    • Use CloudTrail to keep a history of activity
    • Enforce a strong IAM password policy for IAM users
    • Remove all unused users and credentials
    • Enable MFA for all users, especially root accounts – use FIDO2 passkeys for strongest protection
    • Use IAM Access Analyzer to identify unused access and overly permissive policies
  • Increased IAM Quotas (May 2026)
    • Roles per account: up to 10,000
    • Managed policies per account: up to 10,000
    • Role trust policy size: up to 8,192 characters

IAM Roles Anywhere

  • enables workloads running outside of AWS (on-premises, hybrid, multi-cloud) to access AWS resources using temporary credentials
  • eliminates the need for long-term AWS access keys for external workloads
  • uses X.509 certificates from your Certificate Authority (CA) for authentication
  • integrates with existing enterprise PKI infrastructure
  • key components:
    • Trust Anchor – establishes trust between IAM Roles Anywhere and your CA
    • Profile – specifies the IAM roles and session policies
    • Credential Helper – tool that runs on the workload to obtain temporary credentials
  • supports workloads on-premises, in containers, or in other cloud providers
  • uses the same IAM policies and roles as AWS workloads for consistent access control

IAM Access Analyzer

  • helps identify resources shared with external entities and validate IAM policies
  • provides External Access Analysis – identifies resources accessible from outside your account or organization
  • provides Unused Access Analysis – continuously monitors for:
    • Unused IAM roles
    • Unused access keys for IAM users
    • Unused passwords for IAM users
    • Unused services and actions for active roles/users
  • supports Custom Policy Checks – validates policies before deployment against best practices
  • generates policy recommendations based on access activity (least privilege)
  • integrates with AWS Security Hub for centralized findings
  • zone of trust can be set at account or organization level

AWS Organizations

  • is an account management service that enables consolidating multiple AWS accounts into an organization that can be centrally managed.
  • include consolidated billing and account management capabilities that enable one to better meet the budgetary, security, and compliance needs of your business.
  • As an administrator of an organization, new accounts can be created in an organization and invite existing accounts to join the organization.
  • enables you to
    • Automate AWS account creation and management, and provision resources with AWS CloudFormation Stacksets.
    • Maintain a secure environment with policies and management of AWS security services
    • Govern access to AWS services, resources, and regions
    • Centrally manage policies across multiple AWS accounts
    • Audit your environment for compliance
    • View and manage costs with consolidated billing
    • Configure AWS services across multiple accounts
  • supports Service Control Policies – SCPs
    • offer central control over the maximum available permissions for all of the accounts in your organization, ensuring member accounts stay within the organization’s access control guidelines.
    • are available only in an organization that has all features enabled, and aren’t available if the organization has enabled only the consolidated billing features.
    • are NOT sufficient for granting access to the accounts in the organization.
    • defines a guardrail for what actions accounts within the organization root or OU can do, but IAM policies need to be attached to the users and roles in the organization’s accounts to grant permissions to them.
    • Effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies.
    • with an SCP attached to member accounts, identity-based and resource-based policies grant permissions to entities only if those policies and the SCP allow the action
    • don’t affect users or roles in the management account. They affect only the member accounts in your organization.
  • supports Resource Control Policies (RCPs)launched Nov 2024
    • a new authorization policy type that sets the maximum available permissions on resources within the organization
    • complement SCPs – SCPs control what principals can do, RCPs control what can be done on resources
    • help centrally restrict external access to AWS resources at scale (establish data perimeters)
    • don’t affect resources in the management account – only affect resources in member accounts
    • work alongside SCPs to provide comprehensive authorization guardrails
    • supported by AWS Control Tower for managed preventive controls
  • supports Declarative Policieslaunched Dec 2024 at re:Invent
    • a new management policy type that declares and enforces desired configuration for AWS services at scale
    • different from SCPs/RCPs – declarative policies enforce service configurations, not just permissions
    • configuration is always maintained even when the service adds new features or APIs
    • simplifies governance by defining durable intent for baseline service configurations

AWS Directory Services

  • gives applications in AWS access to Active Directory services
  • different from SAML + AD, where the access is granted to AWS services through Temporary Credentials
  • AWS Managed Microsoft AD
    • fully managed Microsoft Active Directory powered by Windows Server
    • available in Standard and Enterprise editions
    • supports self-service API-driven edition upgrades (Standard to Enterprise) – Oct 2025
    • supports dual-stack networking (IPv4 and IPv6) – Sep 2025
    • includes Directory Service Data API for built-in object management (users, groups, attributes) – Sep 2024
    • Hybrid Edition (Aug 2025) – extends your existing self-managed AD domain to AWS Managed Microsoft AD
      • automatically handles replication between on-premises AD and AWS
      • preserves existing identity and access infrastructure
      • simplifies migration of AD-dependent workloads to AWS
      • supports extending domains from on-premises, AWS, or multi-cloud
  • Simple AD
    • least expensive but does not support Microsoft AD advanced features
    • provides a Samba 4 Microsoft Active Directory compatible standalone directory service on AWS
    • No single point of Authentication or Authorization, as a separate copy is maintained
    • trust relationships cannot be setup between Simple AD and other Active Directory domains
    • Don’t use it, if the requirement is to leverage access and control through centralized authentication service
  • AD Connector
    • acts just as an hosted proxy service for instances in AWS to connect to on-premises Active Directory
    • enables consistent enforcement of existing security policies, such as password expiration, password history, and account lockouts, whether users are accessing resources on-premises or in the AWS cloud
    • needs VPN connectivity (or Direct Connect)
    • integrates with existing RADIUS-based MFA solutions to enabled multi-factor authentication
    • does not cache data which might lead to latency
  • Read-only Domain Controllers (RODCs)
    • works out as a Read-only Active Directory
    • holds a copy of the Active Directory Domain Service (AD DS) database and respond to authentication requests
    • they cannot be written to and are typically deployed in locations where physical security cannot be guaranteed
    • helps maintain a single point to authentication & authorization controls, however needs to be synced
  • Writable Domain Controllers
    • are expensive to setup
    • operate in a multi-master model; changes can be made on any writable server in the forest, and those changes are replicated to servers throughout the entire forest

AWS IAM Identity Center (formerly AWS Single Sign-On)

  • is the recommended service for managing workforce access to AWS accounts and applications (formerly known as AWS SSO, renamed July 2022)
  • provides centralized SSO access to all AWS accounts and cloud applications
  • helps manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS-integrated applications as well as custom applications that support SAML 2.0.
  • includes a user portal where end-users can find and access all their assigned AWS accounts, cloud applications, and custom applications in one place.
  • supports connecting external identity providers (Okta, Microsoft Entra ID, Ping Identity) or using built-in directory
  • Trusted Identity Propagation
    • enables administrators to grant permissions based on user attributes (user ID, group associations) across AWS service boundaries
    • eliminates the need for service-specific identity mapping
    • supports services like Amazon Redshift, Amazon Q Business, Amazon EMR, and more
  • Multi-Region Replication (Feb 2026)
    • replicate identity configurations across multiple AWS Regions
    • provides active access portal endpoints in multiple Regions for improved availability
    • available for organization instances connected to external identity providers
    • currently available in 17 enabled-by-default commercial AWS Regions
  • supports customer managed policies and permission boundaries in permission sets

Amazon Cognito

  • Amazon Cognito provides authentication, authorization, and user management for the web and mobile apps.
  • Users can sign in directly with a username and password, or through a third party such as Facebook, Amazon, Google, or Apple.
  • Cognito has two main components.
    • User pools are user directories that provide sign-up and sign-in options for the app users.
    • Identity pools enable you to grant the users access to other AWS services.
  • Feature Tiers (Nov 2024) – User pools now offer three tiers:
    • Lite – basic authentication features (existing user pools default to this)
    • Essentials – includes Managed Login, passwordless authentication (passkeys, email, SMS), access token customization, password reuse prevention (new user pools default to this)
    • Plus – adds advanced security features including adaptive authentication, threat protection, and compromised credentials detection
  • Managed Login (Nov 2024) – fully managed, hosted sign-in/sign-up experience with rich branding customization
  • Passwordless Authentication (Nov 2024)
    • supports passkeys (FIDO standards, public key cryptography) for phishing-resistant sign-in
    • supports email and SMS one-time passwords
    • available in the Essentials tier
  • Refresh Token Rotation (Apr 2025) – enables automatic rotation of OAuth 2.0 refresh tokens for improved security
  • Client Secret Management (Feb 2026) – custom client secrets, on-demand rotation, up to two active secrets per app client
  • Multi-Region Replication (2026) – replicate user pools across Regions for business continuity and reduced latency
  • Customer-Managed Keys – full control over data encryption at rest using your own KMS keys
  • Cognito SyncNote: AWS recommends using AWS AppSync instead of Cognito Sync for new implementations. AppSync provides similar data synchronization with additional real-time and offline capabilities.

Amazon Verified Permissions

  • a fully managed, fine-grained authorization service for applications (GA 2023)
  • uses Cedar, an open-source policy language purpose-built for authorization
  • externalizes authorization logic from application code for consistent access control
  • supports both Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC)
  • key components:
    • Policy Store – container for Cedar policies, logically isolated from other stores
    • Policies and Templates – define who can do what on which resources
    • Schema – defines entity types, actions, and their relationships
    • Authorization Requests – real-time evaluation of user access against policies
  • integrates natively with Amazon Cognito for identity context
  • aligns with Zero Trust principles – least privilege and continuous verification
  • supports multi-tenant authorization with multiple identity providers
  • enables security teams to audit and analyze application-level access centrally