
Amazon Cognito Documentation

Amazon Cognito is designed to let you add user sign-up, sign-in, and access control to your web and mobile apps.

User authentication

Branded Managed Login

Developers can use a visual editor to adjust how the end-user screens (such as sign-up, sign-in, and MFA) appear. Configuration parameters include colors, positioning, alignment, text, language, backgrounds, images, logos, fonts, and layout, among others.

Passwordless Authentication

Amazon Cognito lets end users access applications without having to remember a password, using passwordless methods such as passkeys.

WebAuthn passkeys

WebAuthn passkeys let users authenticate with a device-bound credential that is unlocked locally by biometrics, a PIN, or a hardware security key. Passkeys use public key cryptography: the private key never leaves the user's authenticator and the server stores only the public key, so no reusable secret is transmitted to or stored on the server, and because the credential is bound to the relying party's origin it cannot be phished for use on another site.

Multi-factor authentication (MFA)

Users can verify their identities with a second factor delivered by email or SMS, or with a time-based one-time password (TOTP) authenticator app. Password rules are configured per user pool, so different pools of users can be held to different password policies.

Custom Authentication

Amazon Cognito lets you build custom authentication flows in which AWS Lambda functions authenticate users through one or more challenge-response cycles. You can use this flow to implement bespoke authentication schemes based on custom challenges, or to use custom challenges as additional factors alongside the built-in ones.

Customizing user workflows with Lambda triggers

Use AWS Lambda triggers to customize Cognito behavior at user lifecycle stages such as before and after sign-up and authentication, or before token issuance. Lambda triggers can also customize the messages sent to users at each stage, or hand message delivery to a third-party email or SMS provider.

Self registration

Amazon Cognito provides a built-in, customizable UI for user sign-up and sign-in, and a set of APIs for building a custom self-registration solution. Self-registered users can view and update their profile data, including custom attributes. Self-service options include password reset by SMS message or email.

Tenant-based Identity stores (user pools)

Amazon Cognito user pools provide an identity store that is designed to be set up without provisioning any infrastructure. User pools store profile data both for users who sign up directly and for federated users who sign in through social and enterprise identity providers.

The Amazon Cognito identity store is an API-based user repository. It supports many custom attributes per user with different data types, and enforces length and mutability constraints on them. You select which attributes are required and must be provided by the user before sign-up can complete.

Migration options

Users can be migrated into Amazon Cognito either by batch import or by just-in-time (JIT) migration. A batch import copies profile attributes but not passwords, so imported users must reset their password on first sign-in. With JIT migration, a user migration Lambda trigger runs inside the sign-in workflow, validates the submitted credentials against the existing directory, and can retain the user's existing password so that no reset is forced.

Multi-tenancy and tenant isolation

Amazon Cognito supports B2B scenarios with multi-tenant support. You can choose to share application integrations and access and password policies across tenants, or enforce complete tenant isolation (for example, with a separate user pool per tenant).

Access Control

Last mile integration with applications

Amazon Cognito helps secure the last mile of integration with an application. AWS AppSync, Application Load Balancers (ALBs), and Amazon API Gateway have built-in policy enforcement points that grant or deny access based on Amazon Cognito tokens and the scopes they carry.

Fine-grained authorization

The Amazon Verified Permissions quick start can auto-generate permission policies, assign role-based access control based on Cognito group membership, and enforce fine-grained authorization. Amazon Verified Permissions has a token authorizer that accepts Amazon Cognito ID and access tokens, including nested token-in-a-token constructs.

Access AWS resources

Amazon Cognito identity pools provide single sign-on access to AWS resources by exchanging a user's identity token for temporary AWS credentials. Users can be mapped dynamically to different IAM roles to support least-privilege access to a service.

Machine-to-machine authentication

Using the OAuth 2.0 client credentials flow, Amazon Cognito provides machine-to-machine authentication: a confidential client authenticates with its client ID and secret and receives an access token limited to the custom scopes defined on a resource server.

ID / Access token customization

Enrich ID and access tokens with custom attributes in the form of OAuth 2.0 scopes and claims. This lets your application make advanced, application-specific authorization decisions based on custom claims in the access token.
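
The claim enrichment described here, and the "before token issuance" hook mentioned under Lambda triggers, are the same mechanism: a pre token generation trigger. The following is an added example written for this page, not Amazon's code. It uses the version 2 event shape (`claimsAndScopeOverrideDetails`), which is an assumption: the app client's trigger version must be set to V2_0 to customize the access token, and access token customization is not available on every user pool feature plan. The trigger copies a tenant ID from a custom attribute into both tokens, derives access token scopes from the user's group membership (the group-to-scope mapping is constructed), and refuses to mint a token for a user with no tenant. `authorizeOrderAction` shows the resource side consuming those claims.

```javascript
// Constructed mapping from user pool groups to the scopes they should carry.
const GROUP_SCOPES = { admins: ['orders/read', 'orders/write'], readers: ['orders/read'] };

// Pre token generation trigger, V2 event shape (assumption: trigger version V2_0).
function preTokenGeneration(event) {
  const attrs = event.request.userAttributes || {};
  const groupCfg = event.request.groupConfiguration || {};
  const groups = groupCfg.groupsToOverride || [];
  const tenantId = attrs['custom:tenant_id'];
  // Fail closed: a token without a tenant would bypass every tenant check downstream.
  if (!tenantId) throw new Error('user has no custom:tenant_id; refusing to issue tokens');
  const scopes = [...new Set(groups.flatMap((g) => GROUP_SCOPES[g] || []))];
  event.response.claimsAndScopeOverrideDetails = {
    idTokenGeneration: { claimsToAddOrOverride: { tenant_id: tenantId } },
    accessTokenGeneration: { claimsToAddOrOverride: { tenant_id: tenantId }, scopesToAdd: scopes },
  };
  return event;
}

// Resource-side decision that consumes the enriched access token: the caller
// may act on an order only if it belongs to the caller's tenant and the token
// carries the scope for that action.
function authorizeOrderAction(accessClaims, order, action) {
  const needed = action === 'read' ? 'orders/read' : 'orders/write';
  const scopes = String(accessClaims.scope || '').split(' ');
  return accessClaims.tenant_id === order.tenantId && scopes.includes(needed);
}

// Driver: run the trigger for a constructed user and show the resulting decisions.
function demo() {
  const event = preTokenGeneration({
    triggerSource: 'TokenGeneration_Authentication',
    request: {
      userAttributes: { sub: 'c2a9d1e0-0000-4000-8000-000000000002', email: 'bob@example.com', 'custom:tenant_id': 'acme' },
      groupConfiguration: { groupsToOverride: ['readers'], iamRolesToOverride: [], preferredRole: null },
    },
    response: {},
  });
  const details = event.response.claimsAndScopeOverrideDetails;
  // Shape of the claims the access token would carry after Cognito applies the overrides.
  const accessClaims = {
    ...details.accessTokenGeneration.claimsToAddOrOverride,
    scope: details.accessTokenGeneration.scopesToAdd.join(' '),
  };
  return {
    scopes: details.accessTokenGeneration.scopesToAdd,
    readOwn: authorizeOrderAction(accessClaims, { id: 1, tenantId: 'acme' }, 'read'),
    readOther: authorizeOrderAction(accessClaims, { id: 2, tenantId: 'globex' }, 'read'),
    writeOwn: authorizeOrderAction(accessClaims, { id: 1, tenantId: 'acme' }, 'write'),
  };
}

module.exports = { preTokenGeneration, authorizeOrderAction, demo };
```

Deriving scopes inside the trigger from group membership, rather than letting the client request them, keeps the authority for what a token may do on the server side; the client still has to verify the token before reading `tenant_id` or `scope` out of it.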

Advanced security

Protection from web vulnerabilities using AWS WAF

Amazon Cognito integrates with AWS WAF (Web Application Firewall): a web ACL can be associated with a user pool so that its rules, including rate-based rules and bot detection, are applied to the user pool's sign-up, sign-in, and token endpoints.

Risk-based adaptive authentication

When Amazon Cognito detects unusual sign-in activity, such as attempts from new locations or devices, it assigns a risk score to the event and lets you choose, per risk level, whether to allow the sign-in, require additional verification, or block the request.

Protection from compromised credentials

When Amazon Cognito detects that a user is signing up or signing in with credentials that have been compromised elsewhere, it prompts them to change their password.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.