Amazon Cognito Features
Amazon Cognito is a developer-centric and cost-effective customer identity and access management (CIAM) service. It provides a secure identity store and federation options that can scale to millions of users. Amazon Cognito supports login with social identity providers and SAML or OIDC-based identity providers for delightful customer experiences, and offers advanced security features to protect your customers and business. It supports various compliance standards, operates on open identity standards (OAuth2.0, SAML 2.0 and OpenID Connect) and integrates with an extended ecosystem of front-end and back-end development resources and SDK libraries.
A customer’s first experience with your site is often through the self-registration process. Amazon Cognito provides both a customizable, pre-packaged, hosted user interface to rapidly get to market and a robust set of APIs to build a fully custom self-registration solution. Users can sign-up using an email, phone number, or username for your application. The self-registration process enables users to view and update their profile data, including custom attributes. Reduce help desk calls with self-service options, such as password reset with an SMS message or email.
Identity store (Amazon Cognito user pools)
Amazon Cognito provides a secure identity store (user pools) that scales to millions of users. User pools securely store user profile data for users who sign-up directly and for federated users who sign-in with external identity providers.
The Amazon Cognito identity store is an API-based user repository. The repository and APIs support the storage of up to 50 custom attributes per user, support for different data types, and enforce length and mutability constraints. Select the required attributes that must be provided by the user prior to completion of the sign-up process.
Users can migrate into Amazon Cognito using either a batch import or just-in-time (JIT) migration. The batch user migration leverages a CSV file import process. Using the JIT migration process, an AWS Lambda trigger integrates the migration process into the sign-in workflow and can retain users' passwords.
Multi-tenancy and tenant isolation
Amazon Cognito enables B2B interactions with multi-tenant support. You can choose to reuse application integrations, access and password policies, or enforce complete tenant isolation.
Multi-factor authentication (MFA)
You can add an additional layer of security for your customers by enabling MFA in an Amazon Cognito user pool. Users can verify their identities using SMS or a Time-based One-time Password (TOTP) generator, such as Google Authenticator. Amazon Cognito also supports the configuration of different password rules on different pools of users.
As a federation hub, Amazon Cognito enables users to login via social identity providers, such as Apple, Facebook, Google, and Amazon and enterprise identity providers via SAML and OIDC. Amazon Cognito is a standards-based identity provider. Once your users are logged into Amazon Cognito (via local authentication or external federation), they can use OAuth/OIDC to access federated resources.
Amazon Cognito user pools allow you to build a custom authentication flow that uses Lambda functions to authenticate users based on one or more challenge-response cycles. You can use this flow to implement passwordless authentication that is based on custom challenges or use custom challenges as additional factors.
Customizing user pool workflows with Lambda triggers
Use lambda triggers to customize Cognito behavior, including user lifecycle stages like before and after authentication and sign-up or before token issuance. You can also use lambda triggers to customize messages that are sent to users in different stages or to integrate with third party email and SMS providers.
Last mile integration with applications
Amazon Cognito secures the last mile of integration with an application. Amazon Application Load Balancers (ALBs) and Amazon API gateways have built-in policy enforcement points that provide access based on Amazon Cognito tokens and scopes.
Access AWS resources
The credential broker for Amazon Cognito, also known as Amazon Cognito identity pools, provides single sign-on access to AWS resources such as Amazon DynamoDB, Amazon S3 buckets, Lambda serverless components, and other Amazon services. Users can be dynamically mapped to different roles to support least privilege access to a service.
Using the OAuth Client Credential Flow, Amazon Cognito provides machine-to-machine authentication, ensuring a secure experience between application components.
Access token customization
Enrich access tokens with custom attributes in the form of OAuth 2.0 scopes and claims. You can make application-specific advanced authorization decisions using custom attributes in the access token. This feature also allows you to personalize end-user experiences and improve customer engagement.
Use a data-driven approach to drive customer acquisition and retention. Launch customer outreach campaigns and track the engagement with Amazon Pinpoint. Amazon Pinpoint provides analytics for Amazon Cognito-based user activities and Amazon Cognito enriches user data for Pinpoint campaigns.
Business agility amplified
AWS Amplify is a set of purpose-built tools and features that lets frontend web and mobile developers quickly and easily build full-stack applications on AWS, with the flexibility to leverage the breadth of AWS services as your use cases evolve. With Amplify, you can configure a web or mobile app backend with Amazon Cognito, connect your app in minutes, visually build a web frontend UI, and easily manage app content outside the AWS console. Ship faster and scale effortlessly—with no cloud expertise needed.
CIAM solutions are custom solutions. Amazon Cognito provides a robust set of hooks and extensions to fully customize the authentication, registration, and user migration flows. For example, the self-registration flow can be augmented with custom identity proofing and account verification checks and the login process can be extended to create custom authentication flows or modify a token before it is generated.
Protection from web vulnerabilities using AWS WAF
With a native integration with Amazon Web Application Firewall (AWS WAF), Amazon Cognito offers advanced bot detection features that can help to save your organization from paying for automated accounts.
Compromised credential protection
Amazon Cognito can detect and prevent, in real time, the reuse of compromised credentials as users sign-up, sign-in, or change their password. When Amazon Cognito detects users have entered credentials that have been compromised elsewhere, it prompts them to change their password.
Risk-based adaptive authentication
Protect your user’s accounts and enhance their sign-in experience with adaptive authentication. When Amazon Cognito detects unusual sign-in activity, such as attempts from new locations and devices, it assigns a risk score to the activity and lets you choose to either prompt users for additional verification or block the sign-in request.
Auditing and Compliance
Logging and monitoring
Amazon Cognito supports monitoring with AWS CloudTrail, Amazon CloudWatch Metrics, and Amazon CloudWatch Logs Insights. With CloudTrail you can capture API calls from the Amazon Cognito console and from code calls to the Amazon Cognito API operations. With CloudWatch metrics you can monitor, report, and take automatic actions in case of an event in near real time. With CloudWatch Logs Insights, you can configure CloudTrail to send events to CloudWatch for monitoring Amazon Cognito CloudTrail log files.
Amazon Cognito aligns with multiple security and compliance requirements, including those for highly regulated organizations such as healthcare companies and merchants. Amazon Cognito is HIPAA eligible and PCI DSS, SOC, and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant.