Amazon Cognito Documentation
Self registration
Identity store
Amazon Cognito user pools provide a secure identity store that can be set up without provisioning any infrastructure. User pools store user profile data for users who sign up directly and for federated users who sign in with social and enterprise identity providers.
The Amazon Cognito identity store is an API-based user repository. The repository and APIs support storing up to 50 custom attributes per user, support different data types, and enforce length and mutability constraints. You can select the required attributes that a user must provide before the sign-up process completes.
Migration options
Advanced security features
Using advanced security features for Amazon Cognito may help you protect access to user accounts in your applications. These advanced security features provide risk-based adaptive authentication and protection from the use of compromised credentials. When Amazon Cognito detects unusual sign-in activity, such as sign-in attempts from new locations and devices, it assigns a risk score to the activity and lets you choose to either prompt users for additional verification or block the sign-in request. Users can verify their identities using SMS or a Time-based One-time Password (TOTP) generator.
In addition, when Amazon Cognito detects that users have entered credentials that have been compromised elsewhere, it prompts them to change their password.
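The choice of response per risk level described above is stored as the user pool's risk configuration. The following is an added example, not AWS's own code, that audits such a configuration for gaps. Key and enum names follow the `cognito-idp` `SetRiskConfiguration` request shape; the audit policy and the sample configurations are assumptions constructed for illustration.

```python
# Added example. Key and enum names follow the cognito-idp SetRiskConfiguration
# request shape; the audit policy itself is an assumption of this example.
STRENGTH = {"NO_ACTION": 0, "MFA_IF_CONFIGURED": 1, "MFA_REQUIRED": 2, "BLOCK": 3}
LEVELS = ("LowAction", "MediumAction", "HighAction")

def audit_risk_configuration(cfg):
    """Return findings (strings) for one user pool risk configuration dict."""
    findings = []
    actions = cfg.get("AccountTakeoverRiskConfiguration", {}).get("Actions", {})
    strongest_so_far = -1
    for level in LEVELS:
        action = actions.get(level, {}).get("EventAction")
        if action not in STRENGTH:
            findings.append(f"{level}: no valid response configured ({action!r})")
            continue
        rank = STRENGTH[action]
        if rank < strongest_so_far:
            findings.append(f"{level}: {action} is weaker than a lower risk level")
        if level == "HighAction" and rank < STRENGTH["MFA_REQUIRED"]:
            # MFA_IF_CONFIGURED lets users without an MFA factor sign in unchallenged.
            findings.append(f"{level}: {action} does not challenge or block every user")
        strongest_so_far = max(strongest_so_far, rank)
    compromised = cfg.get("CompromisedCredentialsRiskConfiguration", {})
    if compromised.get("Actions", {}).get("EventAction") != "BLOCK":
        findings.append("CompromisedCredentials: known-compromised passwords are not blocked")
    event_filter = compromised.get("EventFilter")  # absent means all events are checked
    if event_filter is not None and "SIGN_IN" not in event_filter:
        findings.append("CompromisedCredentials: SIGN_IN is excluded from EventFilter")
    return findings

# Constructed sample configurations (not taken from any real user pool).
WEAK = {
    "AccountTakeoverRiskConfiguration": {"Actions": {
        "LowAction": {"Notify": False, "EventAction": "MFA_IF_CONFIGURED"},
        "MediumAction": {"Notify": False, "EventAction": "NO_ACTION"},
        "HighAction": {"Notify": True, "EventAction": "MFA_IF_CONFIGURED"},
    }},
    "CompromisedCredentialsRiskConfiguration": {
        "EventFilter": ["SIGN_UP", "PASSWORD_CHANGE"],
        "Actions": {"EventAction": "NO_ACTION"},
    },
}
HARDENED = {
    "AccountTakeoverRiskConfiguration": {"Actions": {
        "LowAction": {"Notify": False, "EventAction": "NO_ACTION"},
        "MediumAction": {"Notify": True, "EventAction": "MFA_IF_CONFIGURED"},
        "HighAction": {"Notify": True, "EventAction": "BLOCK"},
    }},
    "CompromisedCredentialsRiskConfiguration": {"Actions": {"EventAction": "BLOCK"}},
}
```

The same function can be run over the dictionary returned for a pool's existing risk configuration before and after a change.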
Federation
Access control for AWS resources
Amazon Cognito secures the last mile of integration with an application. Amazon Application Load Balancers (ALBs) and Amazon API gateways have built-in policy enforcement points that provide access based on Amazon Cognito tokens and scopes.
The credential broker for Amazon Cognito, also known as Amazon Cognito identity pools, provides single sign-on access to AWS resources such as Amazon DynamoDB, Amazon S3 buckets, AWS Lambda serverless components, and other Amazon services. You can dynamically map users to different roles to support least privilege access to a service.
Using the OAuth Client Credential Flow, Amazon Cognito provides machine-to-machine authentication.
Standards-based authentication
Adaptive authentication
Protection from compromised credentials
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.