Authentication with AWS Cognito
Authentication is a must-have feature of any secure application. It doesn't matter whether you are building a web, mobile, or serverless application, adding authentication and authorization is essential. Amazon Cognito simplifies this by providing user authentication, authorization, and user management as a managed service. It makes the developer's life easier when adding user sign-up, sign-in, and access control to web and mobile apps: they don't have to write any backend code related to auth.
In this article, we'll explore what Cognito is and how to set up and manage authentication using Amazon Cognito.
What is Amazon Cognito?
Amazon Cognito is a fully managed service by AWS dedicated to user sign-up, sign-in, user management, and access control. It supports features such as:
- User Pools: Handle user sign-up and sign-in functionality and manage users.
- Identity Pools: Provide temporary AWS credentials, scoped to the user's identity, for accessing AWS services.
- Federation: Authenticate users via external identity providers like Google, Facebook, SAML, or OpenID Connect (OIDC).
- Security: Multi-factor authentication (MFA), advanced security features, and compliance with regulations.
Thanks to these features, Amazon Cognito provides a perfect solution for adding authentication and identity management to applications.
Cognito User Pool
A User Pool is a user directory that enables users to sign up and sign in to an application. It handles authentication, account recovery, and user management. This is ideal for applications requiring user-based authentication. The diagrams below illustrate how the flow works.
Setting Up Amazon Cognito User Pool
Here’s how you can set up a User Pool:
1. Sign in to the AWS Management Console and go to the Cognito service.
2. Create a User Pool by choosing User Pool from the two options offered (User Pool / Identity Pool).
3. You are taken to a page where you select the application type and fill in the app client name (note: this is not the user pool name; on this page you are creating the app client that belongs to the user pool), the sign-in options, the required attributes, and the return URL.
4. After clicking Create, you are shown sample code, provided in several programming languages, that you can use to integrate this user pool with your application.
5. Then you can navigate to the overview page, where the different tabs let you make a few simple configurations, such as:
- Password policies: Set rules for password strength, such as requiring uppercase letters, numbers, or special characters.
- MFA: Enable multi-factor authentication for added security.
- User registration: Choose whether users need to verify their email or phone number.
- Customize user attributes: Decide what information you need from users (e.g., email, phone number).
- Attribute permissions: Adjust the permission level of each attribute as needed.
- Configure triggers (optional): Set up AWS Lambda functions to customize the user registration, authentication, and sign-in process.
- Self-service sign-up: You can enable or disable self-registration for your application based on your preference.
- Add identity providers: Based on the business use case, you can add external identity providers like Facebook, Google, etc.
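To show what the password-policy, MFA, verification, and trigger settings above look like outside the console, here is an added example (not code from the article or from AWS): the parameters for a deliberately weak user pool beside a hardened one, in the shape boto3's `create_user_pool(**cfg)` accepts, plus a small checker that flags the weak settings. The pool names, the Lambda ARN, and the 12-character baseline are constructed assumptions; no AWS call is made.

```python
"""Weak vs. hardened Cognito User Pool settings, with a lint function.
The dicts are keyword arguments for boto3.client("cognito-idp").create_user_pool.
Added example; pool names, ARN and the 12-character baseline are constructed."""

# Constructed placeholder for a PreSignUp trigger (e.g. to restrict sign-up domains).
PRE_SIGN_UP_ARN = "arn:aws:lambda:REGION:ACCOUNT_ID:function:PLACEHOLDER"

WEAK_POOL = {
    "PoolName": "demo-weak",
    "Policies": {"PasswordPolicy": {"MinimumLength": 6, "RequireUppercase": False,
                                     "RequireLowercase": False, "RequireNumbers": False,
                                     "RequireSymbols": False}},
    "MfaConfiguration": "OFF",
    "AutoVerifiedAttributes": [],                                    # no email/phone verification
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},   # open self-service sign-up
}

HARDENED_POOL = {
    "PoolName": "demo-hardened",
    "Policies": {"PasswordPolicy": {"MinimumLength": 12, "RequireUppercase": True,
                                     "RequireLowercase": True, "RequireNumbers": True,
                                     "RequireSymbols": True,
                                     "TemporaryPasswordValidityDays": 3}},
    "MfaConfiguration": "ON",
    "EnabledMfas": ["SOFTWARE_TOKEN_MFA"],          # authenticator app rather than SMS codes
    "AutoVerifiedAttributes": ["email"],            # users must verify their email address
    "Schema": [{"Name": "email", "AttributeDataType": "String", "Required": True, "Mutable": True}],
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "LambdaConfig": {"PreSignUp": PRE_SIGN_UP_ARN},
}


def lint_user_pool(cfg, min_length=12):
    """Return a list of findings for settings weaker than the chosen baseline."""
    findings = []
    pw = cfg.get("Policies", {}).get("PasswordPolicy", {})
    length = pw.get("MinimumLength", 0)             # missing counts as unset
    if length < min_length:
        findings.append(f"password MinimumLength {length} < {min_length}")
    for flag in ("RequireUppercase", "RequireLowercase", "RequireNumbers", "RequireSymbols"):
        if not pw.get(flag, False):
            findings.append(f"password policy does not set {flag}")
    mfa = cfg.get("MfaConfiguration", "OFF")
    enabled = cfg.get("EnabledMfas", [])
    if mfa == "OFF":
        findings.append("MFA is OFF")
    elif "SMS_MFA" in enabled and "SOFTWARE_TOKEN_MFA" not in enabled:
        findings.append("only SMS MFA enabled; prefer SOFTWARE_TOKEN_MFA")
    self_signup = not cfg.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if self_signup and not cfg.get("AutoVerifiedAttributes"):
        findings.append("self-service sign-up enabled without email/phone verification")
    return findings


if __name__ == "__main__":
    for cfg in (WEAK_POOL, HARDENED_POOL):
        print(cfg["PoolName"], lint_user_pool(cfg) or "OK")
```

The checker is intentionally conservative: a flag that is simply absent from the policy is reported, so the output lists exactly what must be made explicit before the pool goes live.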
Scenarios Where the Cognito User Pool Is Useful
- Basic Authentication for a Web Application
In this scenario, you want users to register and sign in to your web application using a username and password. You can achieve this by setting up a Cognito User Pool and integrating it with your application. AWS Amplify can help simplify this integration, handling sign-up, sign-in, and password recovery.
- Social Login Integration
If you want users to sign in with their social media accounts (e.g., Google, Facebook), you can enable social identity providers in your Cognito User Pool. This allows users to authenticate using their social credentials while still managing them through your User Pool.
- Secure API Access
For an API that should only be accessed by authenticated users, you can use Cognito to issue JWTs (JSON Web Tokens) upon user authentication. These tokens are verified on the API side to ensure that each request comes from an authenticated user.
- Multi-Factor Authentication (MFA)
To increase security, you can enforce MFA for all users. AWS Cognito allows you to require MFA during sign-in, which can be a second factor like a text message code or an authenticator app. This ensures that even if a user’s password is compromised, their account remains secure.
- Custom Authentication Flows
For more complex scenarios, such as integrating with a legacy authentication system or implementing passwordless authentication, Cognito supports custom authentication flows using AWS Lambda triggers. This allows you to tailor the authentication process to fit specific business requirements.
Cognito Identity pool
While Cognito User Pools handle user authentication and user management, Cognito Identity Pools (also known as Federated Identities) focus on providing temporary AWS credentials to access AWS services. These credentials are assigned based on the user’s identity, whether they are authenticated via a User Pool, a social identity provider (like Google or Facebook), or even as an unauthenticated guest.
Key Features of Cognito Identity Pools
- Temporary AWS Credentials: Users are granted temporary, limited-privilege credentials to access AWS resources like S3, DynamoDB, or API Gateway.
- Federated Identities: Supports integration with external identity providers (e.g., Google, Facebook, SAML, OIDC) and Cognito User Pools.
- Unauthenticated Access: Allows guest users to access certain AWS resources without requiring them to sign in.
- Fine-Grained Access Control: Use IAM roles to define what resources users can access based on their identity.
How Identity Pools Work
A user authenticates via a User Pool or an external identity provider. Then the Identity Pool receives the identity token and exchanges it for temporary AWS credentials. The user can now access AWS services based on the permissions defined in the IAM role associated with their identity.
Setting Up a Cognito Identity Pool
Here’s how you can set up an Identity Pool:
1. Sign in to the AWS Management Console and navigate to the Cognito service.
2. Create an Identity Pool by choosing Identity Pool from the two options offered (User Pool / Identity Pool).
3. On the next page, choose whether to grant access to authenticated users, guest users, or both. If you chose authenticated access, select the authenticated identity sources.
4. Next, select an authenticated role, or let one be created automatically. This is where granular permission control is handled: the role defines which services the user can access.
5. If you chose a user pool as your identity source, select the user pool ID and app client; if you chose another source, enter the details for that provider.
6. Give the identity pool a proper name, select the basic authentication flow if you want it, and add tags (optional).
Review your choices and create the identity pool. Once created, you'll receive sample code to integrate the Identity Pool with your application.
Scenarios Where Cognito Identity Pool is Useful
- Accessing AWS Resources Securely
If your application needs to interact with AWS services like S3 or DynamoDB, you can use an Identity Pool to grant users temporary credentials. For example, a mobile app might allow users to upload files to an S3 bucket securely.
- Federated Access with Social Logins
If your application allows users to sign in with social media accounts, you can use an Identity Pool to grant them access to AWS resources. For instance, a user signing in with Google can be granted access to a DynamoDB table.
- Guest Access
For applications that need to provide limited functionality to unauthenticated users, you can enable guest access. For example, a photo-sharing app might allow guests to view public photos but require sign-in to upload content.
- Cross-Account Access
If your application spans multiple AWS accounts, you can use Identity Pools to provide users with access to resources across accounts.
Combining User Pools and Identity Pools
In many applications, you’ll use both User Pools and Identity Pools together:
- User Pool: Handles user authentication (sign-up, sign-in, and user management).
- Identity Pool: Grants temporary AWS credentials to access resources.
A user signs in via the User Pool. The Identity Pool uses the User Pool’s identity token to grant the user access to AWS services like S3 or DynamoDB.
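The exchange described here and under "How Identity Pools Work" is two calls to the Cognito Identity API: GetId, which maps the User Pool login to an identity in the pool, and GetCredentialsForIdentity, which returns temporary credentials for the IAM role attached to that identity. The following is an added example (not code from the article or from AWS) that performs that exchange; the client object is passed in, so it runs offline against the included fake and, with boto3, would take `boto3.client("cognito-identity", region_name=REGION)`. The region, pool IDs and the token string are constructed placeholders.

```python
"""User Pool ID token -> Identity Pool -> temporary AWS credentials.
Added example; REGION, pool IDs, token and the fake client are constructed."""

from datetime import datetime, timedelta, timezone

# Constructed placeholder values; substitute your own region and pool IDs.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"


def user_pool_login_key(region, user_pool_id):
    """Key of the Logins map that tells the Identity Pool which User Pool issued the token."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def exchange_for_aws_credentials(identity_client, identity_pool_id, region, user_pool_id, id_token):
    """Exchange a User Pool ID token for temporary AWS credentials.

    Step 1: GetId maps the federated login to an identity ID in the pool.
    Step 2: GetCredentialsForIdentity returns STS credentials for the role attached
            to that identity (the authenticated role here, because Logins is set).
    """
    logins = {user_pool_login_key(region, user_pool_id): id_token}
    identity_id = identity_client.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    resp = identity_client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    creds = resp["Credentials"]
    return {
        "identity_id": identity_id,
        "access_key_id": creds["AccessKeyId"],
        "secret_key": creds["SecretKey"],
        "session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def credentials_are_usable(creds, now=None):
    """Temporary credentials expire; refresh rather than reuse them past Expiration."""
    now = now or datetime.now(timezone.utc)
    return creds["expiration"] > now


class FakeIdentityClient:
    """Stand-in for boto3's cognito-identity client, mirroring its response shapes (constructed)."""

    def __init__(self, expiration):
        self.expiration = expiration
        self.calls = []

    def get_id(self, IdentityPoolId, Logins):
        self.calls.append(("GetId", IdentityPoolId, Logins))
        return {"IdentityId": IdentityPoolId.split(":")[0] + ":identity-1"}

    def get_credentials_for_identity(self, IdentityId, Logins):
        self.calls.append(("GetCredentialsForIdentity", IdentityId, Logins))
        return {"IdentityId": IdentityId,
                "Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretKey": "constructed-secret",
                                "SessionToken": "constructed-session-token",
                                "Expiration": self.expiration}}


def demo(now=None):
    """Run the exchange against the fake client; returns (client, credentials)."""
    now = now or datetime.now(timezone.utc)
    client = FakeIdentityClient(expiration=now + timedelta(hours=1))
    creds = exchange_for_aws_credentials(client, IDENTITY_POOL_ID, REGION, USER_POOL_ID,
                                         "constructed.id.token")
    return client, creds


if __name__ == "__main__":
    client, creds = demo()
    print(creds["identity_id"], "usable:", credentials_are_usable(creds))
```

The credentials come back with an `Expiration`; the calling application should cache them only until then and repeat the exchange afterwards, and the permissions it ends up with are exactly those of the authenticated role chosen in step 4 of the setup.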
Best Practices for Using Amazon Cognito
- Enable Multi-Factor Authentication (MFA).
- Use Strong Password Policies.
- Leverage Lambda Triggers to customize authentication flows for advanced use cases like passwordless login or integration with legacy systems.
- Monitor and Log Activity: use CloudWatch to track Cognito activity and detect suspicious behavior.
- Secure Your Tokens: always validate JWTs issued by Cognito on your backend to ensure they haven't been tampered with.
- Ensure your Cognito setup complies with regulations like GDPR or HIPAA if applicable.
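The "Secure API Access" scenario and the "Secure Your Tokens" practice both come down to the same backend check, so here is one added example (not code from the article or from AWS) of validating a Cognito-issued JWT: the RS256 signature against the pool's JWKS (key selected by `kid`), then the issuer, `token_use`, audience/`client_id`, and expiry. The RSA verification is written out in plain Python on top of `hashlib` so the example runs offline against a constructed demo key; a real service would use a maintained JWT library and fetch the key set from `https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json`. The region, pool ID, app client ID, `kid` and the demo key pair are all constructed placeholders.

```python
"""Validate a Cognito JWT: signature (RS256 via JWKS), iss, token_use, aud/client_id, exp.
Added example; pool ID, client ID, kid and the demo RSA key are constructed."""

import base64, hashlib, json, time

REGION, USER_POOL_ID, APP_CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "exampleclientid"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_verify(n, e, message, signature):
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    m = pow(int.from_bytes(signature, "big"), e, n)
    return m.to_bytes(k, "big") == emsa_pkcs1_v15(message, k)


def jwk_to_numbers(jwk):
    return (int.from_bytes(b64url_decode(jwk["n"]), "big"),
            int.from_bytes(b64url_decode(jwk["e"]), "big"))


def verify_cognito_jwt(token, jwks, expected_use="access", now=None):
    """Return the claims if the token is valid for this pool and client, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except Exception as exc:
        raise ValueError(f"malformed token: {exc}")
    if header.get("alg") != "RS256":                    # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = jwk_to_numbers(key)
    if not rsa_verify(n, e, f"{h}.{p}".encode(), b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:                     # token must come from our user pool
        raise ValueError("wrong issuer")
    if claims.get("token_use") != expected_use:         # "id" or "access"
        raise ValueError("wrong token_use")
    # ID tokens name the app client in aud; access tokens name it in client_id.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != APP_CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def verification_error(token, jwks, expected_use="access", now=None):
    """Reason string for a rejected token, or None when it is accepted."""
    try:
        verify_cognito_jwt(token, jwks, expected_use, now)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed demo key so a sample token can be minted offline: RSA from two Mersenne primes.
DEMO_P, DEMO_Q, DEMO_E = 2**521 - 1, 2**607 - 1, 65537
DEMO_N = DEMO_P * DEMO_Q
DEMO_D = pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))
DEMO_JWKS = {"keys": [{"kty": "RSA", "kid": "demo-kid", "alg": "RS256", "use": "sig",
                       "n": b64url_encode(DEMO_N.to_bytes((DEMO_N.bit_length() + 7) // 8, "big")),
                       "e": b64url_encode(DEMO_E.to_bytes(3, "big"))}]}


def sign_demo_token(claims, kid="demo-kid", alg="RS256"):
    """Mint a token the way the user pool would (offline demo only; always signs with RS256)."""
    h = b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    k = (DEMO_N.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(f"{h}.{p}".encode(), k), "big")
    return f"{h}.{p}." + b64url_encode(pow(em, DEMO_D, DEMO_N).to_bytes(k, "big"))
```

The order of the checks matters: the signature is verified before any claim is trusted, the algorithm is pinned rather than read from the header, and the audience check depends on which token type the API expects, since an ID token and an access token from the same pool carry the client ID in different claims.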
Amazon Cognito pricing
Amazon Cognito is a cost-effective, pay-as-you-go service for user authentication, authorization, and identity management. It offers flexible pricing tiers and add-ons to suit various use cases, from basic authentication to advanced security needs.
Pay Only for What You Use
- No minimum fees or upfront commitments.
- Pricing is based on Monthly Active Users (MAUs) and additional features like SMS/email messaging, machine-to-machine (M2M) authorization, and higher API request rates.
Free Tier
- 10,000 MAUs for users signing in directly via Cognito or social identity providers (Lite and Essentials tiers).
- 50 MAUs for users federated through SAML 2.0 or OIDC identity providers (all tiers).
- The free tier is available indefinitely and does not expire after the AWS Free Tier term.
Pricing Tiers
- Lite: Basic authentication features (password-based, social/SAML/OIDC integration).
- Essentials: Advanced features like passwordless login, passkeys, and custom access tokens.
- Plus: Enhanced security features like risk-based adaptive authentication, compromised credentials detection, and threat analysis.
Add-Ons
- Machine-to-Machine (M2M) Authorization: For server-to-server authentication.
- Higher API Request Rates (RPS): For increased API quotas (e.g., user authentication, token requests).
Additional Costs
- SMS Messages: Charged via Amazon SNS for MFA, user registration, and password recovery.
- Email Messages: Charged via Amazon SES for user verification and account recovery.
Find more details on the Amazon Cognito pricing page.
Conclusion
Amazon Cognito is a powerful service that simplifies authentication, authorization, and user management for modern applications. Whether you’re building a web app, mobile app, or serverless backend, Cognito provides the tools you need to secure your application and manage user identities effectively.
By combining User Pools and Identity Pools, you can create a seamless and secure authentication experience while granting users access to AWS resources. With features like social logins, MFA, and Lambda triggers, Cognito is highly customizable to fit your application’s needs.
Start using Amazon Cognito today to enhance the security and scalability of your applications!