Identity Management

Self registration
A customer’s first experience with your site is often through the self-registration process. Amazon Cognito provides both a customizable, pre-packaged, hosted user interface to rapidly get to market and a robust set of APIs to build a fully custom self-registration solution.

Users can sign-up using an email, phone number, or username for your application. The self- registration process enables users to view and update their profile data, including custom attributes. Reduce help desk calls with self-service options, such as password reset with an SMS message or email.

Identity store (Amazon Cognito user pools)
Amazon Cognito provides a secure identity store (user pools) that scales to millions of users. User pools securely store user profile data for users who sign-up directly and for federated users who sign-in with external identity providers.

The Amazon Cognito identity store is an API-based user repository. The repository and APIs support the storage of up to 50 custom attributes per user, support for different data types, and enforce length and mutability constraints. Select the required attributes that must be provided by the user prior to completion of the sign-up process

Migration options

Users can migrate into Amazon Cognito using either a batch import or just-in-time (JIT) migration. Then batch user migration leverages a CSV file import process. Using the JIT migration process, a Lambda trigger integrates the migration process into the sign-in workflow and can retain users' passwords.

User Authentication

Flexible Authentication

Amazon Cognito provides a built-in and customizable UI for user sign-up and sign-in. You can use Android, iOS, and JavaScript SDKs for Amazon Cognito to add user sign-up and sign-in pages to your apps.

Protect your user’s accounts and enhance their sign-in experience with adaptive authentication and Amazon Cognito’s advanced security features. When Amazon Cognito detects unusual sign-in activity, such as attempts from new locations and devices, it assigns a risk score to the activity and lets you choose to either prompt users for additional verification or block the sign-in request. Users can verify their identities using SMS or a Time-based One-time Password (TOTP) generator, such as Google Authenticator.

Amazon Cognito supports the configuration of different password rules on different pools of users. In addition, Amazon Cognito can detect and prevent, in real time, the reuse of compromised credentials as users sign-up, sign-in, or change their password. When Amazon Cognito detects users have entered credentials that have been compromised elsewhere, it prompts them to change their password.

Federation

As a federation hub, Amazon Cognito enables users to login via social identity providers, such as Apple, Facebook, Google, and Amazon and enterprise identity providers via SAML and OIDC. Amazon Cognito is a standards-based identity provider. Once your users are logged into Amazon Cognito (via local authentication or external federation), they can use OAuth/OIDC to access federated resources.

Access Control

Last mile integration with applications

Amazon Cognito secures the last mile of integration with an application. Amazon Application Load Balancers (ALBs) and Amazon API gateways have built-in policy enforcement points that provide access based on Amazon Cognito tokens and scopes.

Access AWS resources

The credential broker for Amazon Cognito , also known as Amazon Cognito identity pools, provides single sign-on access to AWS resources such as Amazon DynamoDB, Amazon S3 buckets, AWS Lambda serverless components, and other Amazon services. Users can be dynamically mapped to different roles to support least privilege access to a service.

Machine-to-machine authentication

Using the OAuth Client Credential Flow, Amazon Cognito provides machine-to-machine
authentication, ensuring a secure experience between application components.

Customer Experience

Customer outreach

Use a data-driven approach to drive customer acquisition and retention. Launch customer outreach campaigns and track the engagement with Amazon Pinpoint. Amazon Pinpoint provides analytics for Amazon Cognito-based user activities and Amazon Cognito enriches user data for Pinpoint campaigns.

Business agility amplified

AWS Amplify is a set of purpose-built tools and features that lets frontend web and mobile developers quickly and easily build full-stack applications on AWS, with the flexibility to leverage the breadth of AWS services as your use cases evolve. With Amplify, you can configure a web or mobile app backend with Amazon Cognito, connect your app in minutes, visually build a web frontend UI, and easily manage app content outside the AWS console. Ship faster and scale effortlessly—with no cloud expertise needed.

Extensibility

CIAM solutions are custom solutions. Amazon Cognito provides a robust set of hooks and extensions to fully customize the authentication, registration, and user migration flows. For example, the self-registration flow can be augmented with custom identity proofing and account verification checks and the login process can be extended to create custom authentication flows or modify a token before it is generated.

The Amazon Cognito SDK is available using Java, C++, PHP, Python, Golang, Ruby, .NET, and JavaScript.

Security

Bot detection

In a collaboration with the Amazon Web Application Firewall (WAF), Amazon Cognito offers advanced bot detection features that can help to save your organization from paying for automated accounts.

Compliance

Amazon Cognito aligns with multiple security and compliance requirements, including those for highly regulated organizations such as healthcare companies and merchants. Amazon Cognito is HIPAA eligible and PCI DSS, SOC, and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant.

Learn more about product pricing

See pricing details and calculate your costs.

Learn more 
Sign up for a free account

Instantly get access to the AWS Free Tier. 

Sign up 
Start building in the console

Get started building with Amazon Cognito in the AWS Management Console.

Sign in