Amazon Cognito Documentation

Amazon Cognito is designed to let you add user sign-up, sign-in, and access control to your web and mobile apps. Amazon Cognito scales to millions of users and supports sign-in with social identity providers and with enterprise identity providers via SAML and OIDC.

Self registration

Amazon Cognito provides a built-in and customizable UI for user sign-up and sign-in, and a set of APIs to build a fully custom self-registration solution. Users can sign up for your application using an email address, phone number, or username. The self-registration process enables users to view and update their profile data, including custom attributes. Self-service options include password reset by SMS message or email.

Identity store

Amazon Cognito user pools provide a secure identity store that can be set up without provisioning any infrastructure. User pools store user profile data for users who sign up directly and for federated users who sign in with social and enterprise identity providers.

The Amazon Cognito identity store is an API-based user repository. The repository and APIs support the storage of up to 50 custom attributes per user, support different data types, and enforce length and mutability constraints. You select the required attributes that a user must provide before the sign-up process can complete.

Migration options

Users can be migrated into Amazon Cognito using either a batch import or just-in-time (JIT) migration. Batch user migration uses a CSV file import process. With JIT migration, a Lambda trigger integrates the migration into the sign-in workflow and can retain users' existing passwords.

Advanced security features

Advanced security features for Amazon Cognito help you protect access to user accounts in your applications. They provide risk-based adaptive authentication and protection against the use of compromised credentials. When Amazon Cognito detects unusual sign-in activity, such as sign-in attempts from new locations and devices, it assigns a risk score to the activity and lets you choose to either prompt users for additional verification or block the sign-in request. Users can verify their identities using SMS or a Time-based One-time Password (TOTP) generator.

In addition, when Amazon Cognito detects that users have entered credentials that have been compromised elsewhere, it prompts them to change their password.

Federation

Amazon Cognito is designed to enable your users to sign in through social identity providers and through enterprise identity providers via SAML and OIDC. Amazon Cognito is itself a standards-based identity provider. Once your users are signed in to Amazon Cognito (via local authentication or external federation), they can use OAuth 2.0/OIDC tokens to access federated resources.

Access control for AWS resources

Amazon Cognito secures the last mile of integration with an application. Application Load Balancers (ALBs) and Amazon API Gateway have built-in policy enforcement points that grant access based on Amazon Cognito tokens and the scopes they carry.

The credential broker for Amazon Cognito, also known as Amazon Cognito identity pools, provides single sign-on access to AWS resources such as Amazon DynamoDB tables, Amazon S3 buckets, AWS Lambda functions, and other AWS services. You can dynamically map users to different IAM roles to support least-privilege access to a service.

Using the OAuth 2.0 client credentials flow, Amazon Cognito provides machine-to-machine authentication.
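As an added example (not AWS's own code), the claim checks a resource server should perform on a Cognito-issued JWT after a JWT library has verified its RS256 signature against the user pool's JWKS: issuer, expiry, token_use, client_id or aud, and the scope an API route requires, which applies equally to user tokens and to client-credentials access tokens. The region, user pool ID, app client ID, scope names and the token builder are constructed placeholders.

```python
import base64
import json
import time

# Constructed placeholder values; substitute your own user pool and app client.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "exampleclientid123"
# A Cognito user pool issues tokens with exactly this issuer URL.
EXPECTED_ISS = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a constructed JWT with a placeholder signature, for the sample only."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


def decode_payload(token: str) -> dict:
    """Return the payload claims; signature verification is assumed to have run first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def validate_cognito_claims(claims: dict, required_scope: str = None, now: float = None):
    """Return (ok, reason). Access tokens carry client_id + scope; ID tokens carry aud."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISS:
        return False, "issuer mismatch"          # token from another pool or a forgery
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired"
    token_use = claims.get("token_use")
    if token_use == "access":
        if claims.get("client_id") != APP_CLIENT_ID:
            return False, "client_id mismatch"   # minted for a different app client
        scopes = set(claims.get("scope", "").split())
        if required_scope and required_scope not in scopes:
            return False, f"missing scope {required_scope}"
        return True, "ok"
    if token_use == "id":
        if required_scope:
            return False, "scoped API requires an access token, not an ID token"
        if claims.get("aud") != APP_CLIENT_ID:
            return False, "aud mismatch"
        return True, "ok"
    return False, "unknown token_use"
```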

Standards-based authentication

Amazon Cognito uses common identity management standards, including OAuth 2.0, OpenID Connect (OIDC), and SAML.

Adaptive authentication

Using advanced security features for Amazon Cognito to add adaptive authentication to your applications helps protect your users' accounts without degrading their sign-in experience. When Amazon Cognito detects unusual sign-in activity, such as sign-in attempts from new locations and devices, it assigns a risk score to the activity and lets you choose to either prompt users for additional verification or block the sign-in request. Users can verify their identities using SMS or a Time-based One-time Password (TOTP) generator.

Protection from compromised credentials

Advanced security features for Amazon Cognito are designed to help protect your application's users from unauthorized access to their accounts through compromised credentials. When Amazon Cognito detects that users have entered credentials that have been compromised elsewhere, it prompts them to change their password.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.