What does this AWS Solutions Implementation do?

Many Amazon Web Services (AWS) customers use Amazon Cognito User Pools to provide a scalable and secure user directory for their applications. Amazon Cognito customers often need to export user information to facilitate more complex user queries, or to provide resiliency in case of Regional failure or accidental deletion of their users' profiles. To assist with this, AWS offers the Cognito User Profiles Export Reference Architecture solution. This solution is designed to provide a framework for exporting user profile and group information from a user pool, allowing users to focus on extending this solution’s functionality rather than managing the underlying infrastructure operation.

This solution uses an AWS Step Functions export workflow to periodically export user profiles, groups, and group membership details from a user pool to an Amazon DynamoDB global table with automatic, asynchronous replication to a backup Region for added resiliency.

This solution’s Step Functions import workflow can be used to populate a new, empty user pool with data from the global table, allowing users to easily recover user profiles, groups, and group memberships. The import workflow can be run in either the primary or backup Region.

Customers interested in using this solution should be aware that it does not export sensitive information, such as user passwords; that user pools with multi-factor authentication (MFA) enabled are not supported; and that advanced security features are not supported. For a full list of limitations, refer to the implementation guide.

AWS Solutions Implementation overview

The diagram below presents the architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation template.

[Architecture diagram: Cognito User Profiles Export Reference Architecture]

Cognito User Profiles Export Reference Architecture solution architecture

The Cognito User Profiles Export Reference Architecture solution automatically deploys an architecture that periodically exports user profiles, groups, and group memberships from an Amazon Cognito user pool in a primary AWS Region to an Amazon DynamoDB global table in the same Region. The use of a global table allows DynamoDB to asynchronously replicate all updates to a backup Region for added resiliency. In the primary Region, a scheduled Amazon CloudWatch Events rule triggers the AWS Step Functions export workflow, which interrogates the primary Amazon Cognito user pool and stores user profiles, groups, and group membership information in the global table. DynamoDB then asynchronously replicates all data to the backup Region.
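As an added illustration (not the solution's own code), the Python below models the core of the export step: it pages through the real cognito-idp ListUsers, ListGroups and ListUsersInGroup calls, keeps only an allow-list of non-sensitive profile attributes, and emits one record per profile, group and membership. The DynamoDB item layout, the EXPORTED_ATTRS allow-list and the FakeCognito stand-in are assumptions constructed here; for a live pool, pass boto3.client("cognito-idp") instead.

```python
# Added example (not the solution's code); item layout, EXPORTED_ATTRS and FakeCognito are constructed.
from typing import Iterator

# Kept profile attributes: passwords are unreadable through the API, MFA/device state is left behind.
EXPORTED_ATTRS = {"sub", "email", "email_verified", "given_name", "family_name"}

def _pages(method, token_key: str, **kwargs) -> Iterator[dict]:
    """Follow Cognito pagination (PaginationToken for ListUsers, NextToken for
    the group calls) until the service stops returning a token."""
    token = None
    while True:
        resp = method(**kwargs, **({token_key: token} if token else {}))
        yield resp
        token = resp.get(token_key)
        if not token:
            return

def export_user_pool(client, user_pool_id: str) -> list:
    """One PROFILE item per user, one GROUP item per group, one MEMBER item per
    (group, user) pair: the three kinds of record the export workflow stores."""
    items = []
    for page in _pages(client.list_users, "PaginationToken", UserPoolId=user_pool_id):
        for user in page["Users"]:
            attrs = {a["Name"]: a["Value"] for a in user["Attributes"] if a["Name"] in EXPORTED_ATTRS}
            items.append({"pk": f"PROFILE#{user['Username']}", "sk": "PROFILE",
                          "enabled": user["Enabled"], "status": user["UserStatus"], **attrs})
    for page in _pages(client.list_groups, "NextToken", UserPoolId=user_pool_id):
        for group in page["Groups"]:
            name = group["GroupName"]
            items.append({"pk": f"GROUP#{name}", "sk": "GROUP", "precedence": group.get("Precedence")})
            for mpage in _pages(client.list_users_in_group, "NextToken",
                                UserPoolId=user_pool_id, GroupName=name):
                items += [{"pk": f"GROUP#{name}", "sk": f"MEMBER#{m['Username']}"} for m in mpage["Users"]]
    return items

def _user(name, enabled, status, **attrs):
    return {"Username": name, "Enabled": enabled, "UserStatus": status,
            "Attributes": [{"Name": k, "Value": v} for k, v in attrs.items()]}

class FakeCognito:
    """Constructed stand-in for boto3.client('cognito-idp'): two ListUsers pages."""
    def list_users(self, UserPoolId, PaginationToken=None, **_):
        if PaginationToken is None:  # first page; "custom:internal_id" is a constructed attribute
            return {"Users": [_user("alice", True, "CONFIRMED", sub="a-1", email="alice@example.com",
                                    **{"custom:internal_id": "x"})], "PaginationToken": "page-2"}
        return {"Users": [_user("bob", False, "FORCE_CHANGE_PASSWORD", sub="b-2")]}
    def list_groups(self, UserPoolId, NextToken=None, **_):
        return {"Groups": [{"GroupName": "admins", "Precedence": 1}]}
    def list_users_in_group(self, UserPoolId, GroupName, NextToken=None, **_):
        return {"Users": [{"Username": "alice"}]}
```

The custom attribute on the first user never reaches the output, which is the check to extend if your pool stores anything beyond the allow-list.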

This solution’s Step Functions import workflow is used to populate a new, empty Amazon Cognito user pool with data from the global table, allowing you to easily recover user profiles, groups, and group memberships.

Cognito User Profiles Export Reference Architecture

Version 1.0.0
Last updated: 08/2020
Author: AWS

Estimated deployment time: 10 min


Features

Scheduled export

The Step Functions export workflow periodically exports non-sensitive user profiles, groups, and group membership details from your user pool to an Amazon DynamoDB table. Choose whether to run the export workflow every 1, 7, or 30 days. You can also modify the CloudWatch event rule to run the export workflow on a different schedule.

Import from Amazon DynamoDB

The Step Functions import workflow can be used in either the primary or backup Region to populate a new, empty user pool with data from the DynamoDB global table.

Added resiliency

We use DynamoDB global tables with automatic, asynchronous replication to a backup Region for added resiliency. This ensures that you still have access to a backup of your users, groups, and group memberships if your primary Region is unavailable.