Amazon Cognito Features

Amazon Cognito provides a built-in and customizable UI for user sign-up and sign-in. You can use Android, iOS, and JavaScript SDKs for Amazon Cognito to add user sign-up and sign-in pages to your apps.

You can add an additional layer of security for your customers by enabling MFA in an Amazon Cognito user pool. Users can verify their identities using SMS or a Time-based One-time Password (TOTP) generator, such as Google Authenticator. Amazon Cognito also supports the configuration of different password rules on different pools of users.

As a federation hub, Amazon Cognito enables users to login via social identity providers, such as Apple, Facebook, Google, and Amazon and enterprise identity providers via SAML and OIDC. Amazon Cognito is a standards-based identity provider. Once your users are logged into Amazon Cognito (via local authentication or external federation), they can use OAuth/OIDC to access federated resources.

Amazon Cognito user pools allow you to build a custom authentication flow that uses Lambda functions to authenticate users based on one or more challenge-response cycles. You can use this flow to implement passwordless authentication that is based on custom challenges or use custom challenges as additional factors.

Use lambda triggers to customize Cognito behavior, including user lifecycle stages like before and after authentication and sign-up or before token issuance. You can also use lambda triggers to customize messages that are sent to users in different stages or to integrate with third party email and SMS providers.

Amazon Cognito secures the last mile of integration with an application. Amazon Application Load Balancers (ALBs) and Amazon API gateways have built-in policy enforcement points that provide access based on Amazon Cognito tokens and scopes.

The credential broker for Amazon Cognito, also known as Amazon Cognito identity pools, provides single sign-on access to AWS resources such as Amazon DynamoDB, Amazon S3 buckets, Lambda serverless components, and other Amazon services. Users can be dynamically mapped to different roles to support least privilege access to a service.

Using the OAuth Client Credential Flow, Amazon Cognito provides machine-to-machine authentication, ensuring a secure experience between application components.

Use a data-driven approach to drive customer acquisition and retention. Launch customer outreach campaigns and track the engagement with Amazon Pinpoint. Amazon Pinpoint provides analytics for Amazon Cognito-based user activities and Amazon Cognito enriches user data for Pinpoint campaigns.

AWS Amplify is a set of purpose-built tools and features that lets frontend web and mobile developers quickly and easily build full-stack applications on AWS, with the flexibility to leverage the breadth of AWS services as your use cases evolve. With Amplify, you can configure a web or mobile app backend with Amazon Cognito, connect your app in minutes, visually build a web frontend UI, and easily manage app content outside the AWS console. Ship faster and scale effortlessly—with no cloud expertise needed.

CIAM solutions are custom solutions. Amazon Cognito provides a robust set of hooks and extensions to fully customize the authentication, registration, and user migration flows. For example, the self-registration flow can be augmented with custom identity proofing and account verification checks and the login process can be extended to create custom authentication flows or modify a token before it is generated.

The Amazon Cognito SDK is available using Java, C++, PHP, Python, Golang, Ruby, .NET, and JavaScript.

With a native integration with Amazon Web Application Firewall (AWS WAF), Amazon Cognito offers advanced bot detection features that can help to save your organization from paying for automated accounts.

Amazon Cognito can detect and prevent, in real time, the reuse of compromised credentials as users sign-up, sign-in, or change their password. When Amazon Cognito detects users have entered credentials that have been compromised elsewhere, it prompts them to change their password.

Protect your user’s accounts and enhance their sign-in experience with adaptive authentication. When Amazon Cognito detects unusual sign-in activity, such as attempts from new locations and devices, it assigns a risk score to the activity and lets you choose to either prompt users for additional verification or block the sign-in request.

Amazon Cognito aligns with multiple security and compliance requirements, including those for highly regulated organizations such as healthcare companies and merchants. Amazon Cognito is HIPAA eligible and PCI DSS, SOC, and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant.

Amazon Cognito supports monitoring with AWS CloudTrail, Amazon CloudWatch Metrics, and Amazon CloudWatch Logs Insights. With CloudTrail you can capture API calls from the Amazon Cognito console and from code calls to the Amazon Cognito API operations. With CloudWatch metrics you can monitor, report, and take automatic actions in case of an event in near real time. With CloudWatch Logs Insights, you can configure CloudTrail to send events to CloudWatch for monitoring Amazon Cognito CloudTrail log files.