Enterprise Cloud Consultancy in The UK and Europe

Amazon Cognito

AWS Identity Authentication and Authorization

Summary of Features

  • Amazon Cognito provides authentication, authorisation and user management for mobile and web applications.
  • Users can sign in to Cognito directly or through an external identity provider.
  • Cognito exchanges login credentials for short-term AWS credentials using STS (Security Token Service).
  • Cognito merges multiple identities (for example Facebook, LinkedIn, Bluesky and X) under a single profile.

Cognito User Pool

Cognito user pools are used for authentication: they answer the question "who is this user?"

Amazon Cognito User Pools is a standards-based identity provider that supports identity and access management standards such as OAuth 2.0, SAML 2.0 and OpenID Connect. A user pool is a user directory holding Cognito-native or social identities. After sign-in, a JWT (JSON Web Token) is returned, and it is this token that carries the user's identity when accessing AWS services.

User pools provide:

  • Sign-up and sign-in services.
  • A built-in, customizable web UI to sign in users.
  • Social sign-in with Facebook, Google, Login with Amazon and Sign in with Apple, and federation through SAML and OIDC identity providers configured in your user pool.
  • User directory management and user profiles.
  • Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
  • Customized workflows and user migration through AWS Lambda triggers.
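Because the JWT returned after sign-in is what a backend relies on for identity, the backend must validate it before trusting any claim. The following is an added example (not code from the original page or from AWS) of that check for a user pool ID token: verify the RS256 signature against the key whose kid matches in the pool's JWKS (assumed here to be already fetched and parsed into a kid-to-public-key map), then check issuer, audience, token_use and expiry. NewKey and SignRS256 are stand-ins for the user pool so the example runs offline; the issuer, client id and kid values in the comments are constructed placeholders.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
type Claims struct { // subset of Cognito ID-token claims checked by VerifyCognitoJWT
	Iss      string `json:"iss"`       // https://cognito-idp.<region>.amazonaws.com/<pool id>
	Aud      string `json:"aud"`       // app client id (access tokens carry client_id instead)
	TokenUse string `json:"token_use"` // "id" or "access"
	Exp      int64  `json:"exp"`       // expiry, seconds since the epoch
}
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
// NewKey generates the stand-in signing key; a real pool publishes its public keys in its JWKS.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// SignRS256 mints an RS256 JWT; it stands in for the user pool so the example runs offline.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}
// VerifyCognitoJWT pins alg=RS256, picks the key by kid (from the pool's JWKS) and verifies the signature
// before any claim is trusted, then checks issuer, audience, token_use and expiry. Any failure rejects the token.
func VerifyCognitoJWT(tok string, keys map[string]*rsa.PublicKey, iss, aud, use string, now time.Time) (*Claims, error) {
	h, rest, ok1 := strings.Cut(tok, ".")
	p, s, ok2 := strings.Cut(rest, ".") // a fourth segment leaves a "." in s, so decoding fails closed
	rawHdr, e1 := base64.RawURLEncoding.DecodeString(h)
	rawBody, e2 := base64.RawURLEncoding.DecodeString(p)
	sig, e3 := base64.RawURLEncoding.DecodeString(s)
	var hdr struct{ Alg, Kid string }
	var c Claims
	if !ok1 || !ok2 || e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(rawBody, &c) != nil {
		return nil, errors.New("malformed token")
	}
	pub := keys[hdr.Kid] // nil for an unknown kid: refresh the JWKS and fail closed rather than guess
	if hdr.Alg != "RS256" || pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(h+"."+p), sig) != nil {
		return nil, errors.New("unexpected alg, unknown kid or bad signature")
	}
	if c.Iss != iss || c.Aud != aud || c.TokenUse != use || now.Unix() >= c.Exp {
		return nil, errors.New("wrong issuer, audience or token_use, or token expired")
	}
	return &c, nil
}
```

For access tokens the same routine applies with the client_id claim in place of aud; tokens from a different user pool fail the issuer check even when their signature is valid under that pool's keys.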

Cognito Identity Pool

Cognito identity pools are used for authorization: they grant permission to access AWS resources.

With an identity pool, your users can obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB. Identity pools support anonymous guest users, as well as the following identity providers that you can use to authenticate users for identity pools:

  • Amazon Cognito user pools
  • Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple
  • OpenID Connect (OIDC) providers
  • SAML identity providers
  • Developer authenticated identities

Data Synchronization

Amazon Cognito Sync synchronizes data across a user's multiple devices. You can use it to synchronize user profile data across mobile devices and web applications. The client libraries cache data locally so your app can read and write data regardless of device connectivity status. When the device is online, you can synchronize data, and if you set up push sync, notify other devices immediately that an update is available.