Amazon Cognito Features
Identity Management
Self-registration
A customer’s first experience with your site is often through the self-registration process. Amazon Cognito provides both a customizable, pre-packaged, hosted user interface to rapidly get to market and a robust set of APIs to build a fully custom self-registration solution. Users can sign-up using an email, phone number, or username for your application. The self-registration process enables users to view and update their profile data, including custom attributes. Reduce help desk calls with self-service options, such as password reset with an SMS message or email.
Identity store (Amazon Cognito user pools)
Amazon Cognito provides a secure identity store (user pools) that scales to millions of users. User pools securely store user profile data for users who sign-up directly and for federated users who sign-in with external identity providers.
The Amazon Cognito identity store is an API-based user repository. The repository and APIs support the storage of up to 50 custom attributes per user, support for different data types, and enforce length and mutability constraints. Select the required attributes that must be provided by the user prior to completion of the sign-up process.
Migration options
Users can migrate into Amazon Cognito using either a batch import or just-in-time (JIT) migration. The batch user migration leverages a CSV file import process. Using the JIT migration process, an AWS Lambda trigger integrates the migration process into the sign-in workflow and can retain users' passwords.
Multi-tenancy and tenant isolation
Amazon Cognito enables B2B interactions with multi-tenant support. You can choose to reuse application integrations, access and password policies, or enforce complete tenant isolation.
User Authentication
Customizable UI
Amazon Cognito provides a built-in and customizable UI for user sign-up and sign-in. You can use Android, iOS, and JavaScript SDKs for Amazon Cognito to add user sign-up and sign-in pages to your apps.
Multi-factor authentication (MFA)
You can add an additional layer of security for your customers by enabling MFA in an Amazon Cognito user pool. Users can verify their identities using SMS or a Time-based One-time Password (TOTP) generator, such as Google Authenticator. Amazon Cognito also supports the configuration of different password rules on different pools of users.
Federation
As a federation hub, Amazon Cognito enables users to login via social identity providers, such as Apple, Facebook, Google, and Amazon and enterprise identity providers via SAML and OIDC. Amazon Cognito is a standards-based identity provider. Once your users are logged into Amazon Cognito (via local authentication or external federation), they can use OAuth/OIDC to access federated resources.
Custom Authentication
Amazon Cognito user pools allow you to build a custom authentication flow that uses Lambda functions to authenticate users based on one or more challenge-response cycles. You can use this flow to implement passwordless authentication that is based on custom challenges or use custom challenges as additional factors.
Customizing user pool workflows with Lambda triggers
Use lambda triggers to customize Cognito behavior, including user lifecycle stages like before and after authentication and sign-up or before token issuance. You can also use lambda triggers to customize messages that are sent to users in different stages or to integrate with third party email and SMS providers.
Access Control
Last mile integration with applications
Amazon Cognito secures the last mile of integration with an application. Amazon Application Load Balancers (ALBs) and Amazon API gateways have built-in policy enforcement points that provide access based on Amazon Cognito tokens and scopes.
Access AWS resources
The credential broker for Amazon Cognito, also known as Amazon Cognito identity pools, provides single sign-on access to AWS resources such as Amazon DynamoDB, Amazon S3 buckets, Lambda serverless components, and other Amazon services. Users can be dynamically mapped to different roles to support least privilege access to a service.
Machine-to-machine authentication
Using the OAuth Client Credential Flow, Amazon Cognito provides machine-to-machine authentication, ensuring a secure experience between application components.
Customer Experience
Customer outreach
Use a data-driven approach to drive customer acquisition and retention. Launch customer outreach campaigns and track the engagement with Amazon Pinpoint. Amazon Pinpoint provides analytics for Amazon Cognito-based user activities and Amazon Cognito enriches user data for Pinpoint campaigns.
Business agility amplified
AWS Amplify is a set of purpose-built tools and features that lets frontend web and mobile developers quickly and easily build full-stack applications on AWS, with the flexibility to leverage the breadth of AWS services as your use cases evolve. With Amplify, you can configure a web or mobile app backend with Amazon Cognito, connect your app in minutes, visually build a web frontend UI, and easily manage app content outside the AWS console. Ship faster and scale effortlessly—with no cloud expertise needed.
Extensibility
CIAM solutions are custom solutions. Amazon Cognito provides a robust set of hooks and extensions to fully customize the authentication, registration, and user migration flows. For example, the self-registration flow can be augmented with custom identity proofing and account verification checks and the login process can be extended to create custom authentication flows or modify a token before it is generated.
The Amazon Cognito SDK is available using Java, C++, PHP, Python, Golang, Ruby, .NET, and JavaScript.
Advanced Security
Protection from web vulnerabilities using AWS WAF
With a native integration with Amazon Web Application Firewall (AWS WAF), Amazon Cognito offers advanced bot detection features that can help to save your organization from paying for automated accounts.
Compromised credential protection
Amazon Cognito can detect and prevent, in real time, the reuse of compromised credentials as users sign-up, sign-in, or change their password. When Amazon Cognito detects users have entered credentials that have been compromised elsewhere, it prompts them to change their password.
Risk-based adaptive authentication
Protect your user’s accounts and enhance their sign-in experience with adaptive authentication. When Amazon Cognito detects unusual sign-in activity, such as attempts from new locations and devices, it assigns a risk score to the activity and lets you choose to either prompt users for additional verification or block the sign-in request.
Auditing and Compliance
Compliance
Amazon Cognito aligns with multiple security and compliance requirements, including those for highly regulated organizations such as healthcare companies and merchants. Amazon Cognito is HIPAA eligible and PCI DSS, SOC, and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant.
Logging and monitoring
Amazon Cognito supports monitoring with AWS CloudTrail, Amazon CloudWatch Metrics, and Amazon CloudWatch Logs Insights. With CloudTrail you can capture API calls from the Amazon Cognito console and from code calls to the Amazon Cognito API operations. With CloudWatch metrics you can monitor, report, and take automatic actions in case of an event in near real time. With CloudWatch Logs Insights, you can configure CloudTrail to send events to CloudWatch for monitoring Amazon Cognito CloudTrail log files.

Get started building with Amazon Cognito in the AWS Management Console.