Amazon Cognito

• Amazon Cognito provides authentication, authorization, and user management for web and mobile apps, AI agents, and microservices.
• Amazon Cognito processes more than 100 billion authentications per month, providing comprehensive identity and access management for both human users and machine identities.
• Users can sign in directly with a username and password, through passwordless methods (passkeys, email OTP, SMS OTP), or through a third party such as Facebook, Amazon, Google, or Apple.
• Cognito has two main components:
  • User pools are user directories that provide sign-up and sign-in options for the app users.
  • Identity pools enable you to grant the users access to other AWS services.
• Cognito is tightly integrated with Amazon Bedrock AgentCore Identity, serving as a trusted identity provider to enable secure agent access to AWS and third-party resources.

Cognito User Pool Feature Tiers

• Amazon Cognito offers three feature tiers for user pools (introduced Nov 2024): Lite, Essentials, and Plus.
• The default plan for new user pools is Essentials.
• Lite
  • Low-cost plan for user pools with lower numbers of monthly active users.
  • Includes basic authentication features, sign-in, and the classic hosted UI.
  • Does not include newer features like access-token customization or passkey authentication.
• Essentials
  • Includes all Lite features plus the latest authentication capabilities.
  • Supports Managed Login with customizable branding via a no-code visual editor.
  • Supports passwordless authentication (passkeys, email OTP, SMS OTP).
  • Supports email MFA and choice-based sign-in.
  • Supports access token customization at runtime via Lambda triggers.
  • Supports password reuse prevention policies.
• Plus
  • Includes all Essentials features plus advanced threat protection.
  • Supports risk-based adaptive authentication to detect suspicious sign-ins.
  • Detects compromised credentials and passwords.
  • Generates logs of user activity details and risk evaluations.
  • Allows exporting user authentication event logs to external services for analysis.

Cognito User Pools

• User pools are for authentication (identity verification).
• User pools are user directories that provide sign-up and sign-in options for web and mobile app users.
• User pool helps users sign in to the web or mobile app, or federate through a third-party identity provider (IdP).
• All user pool members have a directory profile, whether the users sign in directly or through a third party, that can be accessed through an SDK.
• After successfully authenticating a user, Cognito issues JSON web tokens (JWT) that can be used to secure and authorize access to your own APIs, or exchange for AWS credentials.
• User pools provide:
  • Sign-up and sign-in services.
  • Managed Login – a fully-managed, hosted sign-in and sign-up experience with a no-code visual editor for branding customization (available in Essentials and Plus tiers).
  • Classic hosted UI for basic login pages (available in all tiers).
  • Social sign-in with Facebook, Google, Apple, or Amazon, and through SAML and OIDC identity providers from the user pool.
  • Passwordless authentication using WebAuthn passkeys (FIDO2), email one-time passwords, or SMS one-time passwords (Essentials and Plus tiers).
  • User directory management and user profiles.
  • Security features such as MFA (SMS, authenticator apps, and email OTP), checks for compromised credentials, account takeover protection, and phone and email verification.
  • Access token customization – use Lambda triggers to add custom claims and scopes to access tokens at runtime (Essentials and Plus tiers).
  • Customized workflows and user migration through Lambda triggers.
  • Machine-to-machine (M2M) authorization using OAuth 2.0 client credentials grants for non-human entities (available in all tiers).
  • Resource binding (RFC 8707) – resource servers can perform audience verification of access tokens for enhanced API protection.
• Use cases
  • Design sign-up and sign-in webpages for your app.
  • Access and manage user data.
  • Track user device, location, and IP address, and adapt to sign-in requests of different risk levels.
  • Use a custom authentication flow for your app.
  • Authenticate AI agents and microservices using M2M authorization.
  • Implement passwordless sign-in with passkeys for phishing-resistant authentication.

Cognito Managed Login

• Managed Login is a fully-managed, hosted sign-in and sign-up experience introduced in November 2024.
• Provides a no-code visual editor (branding editor) to customize colors, positioning, backgrounds, images, logos, fonts, and layout.
• Covers the complete user journey from signup and login to password recovery and multi-factor authentication.
• Available in Essentials and Plus tiers (replaces the need for the classic hosted UI).
• Supports all authentication methods including passwordless options.
• Available in AWS GovCloud (US) Regions (March 2025).

Cognito Identity Pools

• Identity pools are for authorization (access control).
• Identity pool helps users obtain temporary AWS credentials to access AWS services.
• Identity pools support both authenticated and unauthenticated identities.
• Unauthenticated identities typically belong to guest users.
• Authenticated identities belong to users who are authenticated by any supported identity provider:
  • Cognito user pools
  • Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple
  • OpenID Connect (OIDC) providers
  • SAML identity providers
  • Developer authenticated identities
• Each identity type has a role with policies assigned that determines the AWS services that the role can access.
• Identity Pools do not store any user profiles.
• Use cases
  • Give your users access to AWS resources, such as S3 and DynamoDB.
  • Generate temporary AWS credentials for unauthenticated users.

Machine-to-Machine (M2M) Authorization

• Amazon Cognito supports OAuth 2.0 client credentials grants for machine-to-machine (M2M) authorization.
• Used for authenticating communication between applications, microservices, APIs, and AI agents without user interaction.
• Issues short-lived, scoped access tokens instead of static API keys.
• Supports custom scopes through resource servers to define granular access controls.
• Supports enhanced context for M2M authorization flows (April 2025), allowing additional contextual information in client credentials requests.
• Supports client secret rotation with up to two active secrets per app client (February 2026).
• Supports custom client secrets (bring your own) for new or existing app clients.
• Integrates with Amazon Bedrock AgentCore Identity for securing AI agent access to resources.

Multi-Region Replication

• Amazon Cognito supports multi-Region replication (June 2026) for business continuity and disaster recovery.
• Automatically synchronizes user data, credentials, user pool configurations, and federation setups to a secondary AWS Region in near real-time.
• Enables uninterrupted authentication during regional failovers without forced password resets.
• Replication flows in one direction from the primary Region to the secondary Region.
• Supports customer-managed AWS KMS keys for full control over data encryption at rest.
• Supports high-throughput performance with tens of millions of users per user pool and thousands of transactions per second (TPS).

Cognito Sync

• Cognito Sync is an AWS service and client library that makes it possible to sync application-related user data across devices.
• Cognito Sync can synchronize user profile data across mobile devices and the web without using your own backend.
• The client libraries cache data locally so that the app can read and write data regardless of device connectivity status.
• When the device is online, the data can be synchronized.
• If you set up push sync, other devices can be notified immediately that an update is available.
• Sync store is a key/value pair store linked to an identity.
• Migration: New implementations should use AWS AppSync, which provides real-time and offline capabilities with GraphQL-based managed service.

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

1. A company is building a social media mobile and web app for consumers. They want the application to be available on all desktop and mobile platforms, while being able to maintain user preferences across platforms. How can they implement the authentication to support the requirement?
   1. Use AWS Cognito
   2. Use AWS Glue
   3. Use Web Identity Federation
   4. Use AWS IAM
2. A Developer needs to create an application that supports Security Assertion Markup Language (SAML) and Facebook authentication. It must also allow access to AWS services, such as Amazon DynamoDB. Which AWS service or feature will meet these requirements with the LEAST amount of additional coding?
   1. AWS AppSync
   2. Amazon Cognito identity pools
   3. Amazon Cognito user pools
   4. Amazon Lambda@Edge
3. A development team is designing a mobile app that requires multi-factor authentication. Which steps should be taken to achieve this? (Choose two.)
   1. Use Amazon Cognito to create a user pool and create users in the user pool.
   2. Send multi-factor authentication text codes to users with the Amazon SNS Publish API call in the app code.
   3. Enable multi-factor authentication for the Amazon Cognito user pool.
   4. Use AWS IAM to create IAM users.
   5. Enable multi-factor authentication for the users created in AWS IAM.
4. A Developer is building a mobile application and needs any update to user profile data to be pushed to all devices accessing the specific identity. The Developer does not want to manage a back end to maintain the user profile data. What is the MOST efficient way for the Developer to achieve these requirements using Amazon Cognito?
   1. Use Cognito federated identities.
   2. Use a Cognito user pool.
   3. Use Cognito Sync. (Note: For new implementations, AWS recommends AWS AppSync instead of Cognito Sync)
   4. Use Cognito events.
5. A company wants to implement phishing-resistant, passwordless authentication for their customer-facing web application. Which Amazon Cognito feature should they use?
   1. SMS-based MFA
   2. WebAuthn passkeys with the Essentials or Plus feature tier
   3. Custom authentication flow with Lambda triggers
   4. Social identity provider federation
6. A company needs to authenticate communication between its microservices without user interaction, using short-lived tokens instead of static API keys. Which Amazon Cognito feature should they implement?
   1. Cognito User Pool with custom authentication
   2. Cognito Identity Pool with developer authenticated identities
   3. OAuth 2.0 client credentials grant (M2M authorization)
   4. SAML-based federation with an external IdP
7. A company requires that its authentication system maintains availability during an AWS Regional outage without requiring users to reset their passwords. Which Amazon Cognito feature addresses this requirement?
   1. Cognito Identity Pools with multiple providers
   2. Custom domain with Route 53 failover
   3. Multi-Region replication with a secondary user pool
   4. Lambda triggers with cross-Region DynamoDB Global Tables
8. An organization wants to implement risk-based adaptive authentication that automatically blocks or challenges suspicious sign-in attempts. Which Amazon Cognito feature tier is required?
   1. Lite
   2. Essentials
   3. Plus
   4. Any tier with advanced security enabled

References

• Amazon Cognito Developer Guide
• Amazon Cognito Product Page
• User Pool Feature Plans
• Improve Authentication with New Cognito Features (Nov 2024)
• Cognito Next-Generation Infrastructure (June 2026)
• Empower AI Agents with Amazon Cognito