With support for sign-in with social identity providers like Apple, Facebook, Google, and Amazon, as well as enterprise identity providers via SAML 2.0 and OpenID Connect, Amazon Cognito provides a simple and secure User Sign-Up, Sign-In, and Access Control that scales up to millions of people. But, this is not just it, this service has various areas to explore.
So, to cover all the information in one place, this blog is planned to help you in learning about Amazon Cognito, its features, and how to begin with this service.
What is Amazon Cognito?
Amazon Cognito has the capabilities for offering authentication, authorization, and user management for your web and mobile apps. Users can sign in using a user name and password or through a third-party platform such as Facebook, Amazon, Google, or Apple.
Further, there are two main components of Amazon Cognito, user pools and identity pools. In which, user pools can be considered as user directories that provide sign-up and sign-in options for your app users. And, identity pools allow for granting users access to other AWS services. These two components can be used separately or together. Let’s take an example where a user pool and identity pool are used together.
The diagram illustrates the purpose of authenticating your user and then allowing access to another AWS service to that user.
- Firstly, the app user signs in via a user pool, and after successful authentication, it gets user pool tokens.
- Then, the app exchanges the user pool tokens for AWS credentials using an identity pool.
- The app user can then use those AWS credentials for accessing other AWS services like Amazon S3 or DynamoDB.
What are the features of Amazon Cognito?
You only need to write a few lines of code to allow users to sign up and sign in to your mobile and web apps using Amazon Cognito SDK. Further, to expand this, Amazon Cognito comes with many more top features. Let’s check some of the unique ones.
1. Secure and scalable identity store
Amazon Cognito User Pools offers a secure identity store that has the ability for scaling millions of users. However, the Cognito User Pools can be more easily configured without provisioning any infrastructure. And, you can use the Software Development Kit (SDK) for controlling the directory profile of all members of the user pool. Further, User Pools
- store user-profiles
- support authentication for users signing up directly
- support authentication federated users signing in using social and enterprise identity providers.
2. Social and enterprise identity federation
Your users can quickly sign in using social identity providers like Apple, Google, Facebook, and Amazon with Amazon Cognito. And, they can also use enterprise identity providers like SAML and OpenID Connect for signing in.
3. Standards-based authentication
Amazon Cognito User Pools can be considered as a standards-based Identity Provider with having the supports for identity and access management standards like OAuth 2.0, SAML 2.0, and OpenID Connect.
4. Security for your apps and users
Multi-factor authentication and data-at-rest and in-transit encryption are supported by Amazon Cognito. Moreover, this is,
- HIPAA eligible and PCI DSS SOC, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant.
This protects access to user accounts in your applications using advanced security features. These features offer risk-based adaptive authentication as well as security against the usage of hacked credentials. Furthermore, these advanced security features for Amazon Cognito User Pools can be enabled in minutes. And, it has the ability for,
- Firstly, detecting unusual sign-in activity like sign-in attempts from new locations and devices
- Secondly, assigning a risk score to the activity
- Thirdly, allowing you to choose to either prompt users for additional verification or block the sign-in request.
- Lastly, enabling users to verify their identities using SMS or a Time-based One-time Password (TOTP) generator like Google Authenticator.
5. Access control for AWS resources
Amazon Cognito offers solutions for controlling access to AWS resources from your app. Now, you can specify roles and map users to different roles so that your app can access only the resources that are authorized for every user. Alternatively, you can control access to resources to users who meet specific attribute conditions by using attributes from identity providers in AWS Identity and Access Management permission policies.
6. Easy integration with your app
You can easily combine Amazon Cognito for quickly adding user sign-in, sign-up, and access control to your app with the built-in UI and easy configuration for federating identity providers, you can integrate. Moreover, you can also customize the UI to place your company branding front and center for all user interactions.
7. Built-in customizable UI to sign in users
For user sign-up and sign-in, Amazon Cognito has a built-in and customized UI. This can be used with Android, iOS, and JavaScript SDKs for Amazon Cognito to add user sign-up and sign-in pages to your apps.
Common Scenarios of Amazon Cognito
There are six common scenarios for using Amazon Cognito.
1. Authenticating with a User Pool
- Firstly, you can allow your users for authenticating with a user pool.
- Secondly, users of your app can log in either directly through a user pool or through federation with a third-party identity service (IdP).
- Thirdly, the user pool manages the overhead associated with handling tokens returned by social sign-in services such as Facebook, Google, Amazon, and Apple, as well as OpenID Connect (OIDC) and SAML IdPs.
- Then, after successful authentication, your web or mobile app will get user pool tokens from Amazon Cognito.
- Lastly, those tokens can be used to retrieve AWS credentials, which will allow your app to access additional AWS services. Alternatively, you can use them to restrict access to your server-side resources via the Amazon API Gateway.
2. Accessing Server-side Resources with a User Pool
- Firstly, your web or mobile app will get user pool tokens from Amazon Cognito after a successful user pool sign-in.
- Secondly, you can use those tokens for managing access to your server-side resources.
- Thirdly, you can also create user pool groups for controlling permissions, and for representing different types of users.
- Then, it provides a hosted web UI that allows you to add sign-up and sign-in pages to your app after configuring a domain for your user pool.
- Lastly, you can create your own resource server for allowing users to access protected resources using this OAuth 2.0 foundation.
3. Accessing Resources with API Gateway and Lambda with a User Pool
- Firstly, you can allow your users to access your API through API Gateway.
- Secondly, the tokens from a successful user pool authentication are validated by API Gateway and used to provide your users access to resources such as Lambda functions or your own API.
- Thirdly, you can use groups in a user pool for controlling permissions with API Gateway by mapping group membership to IAM roles.
- And, when a user logs in to your app, the ID token issued by a user pool includes the groups to which the user belongs.
- Lastly, you can submit your user pool tokens with a request to API Gateway for verification by an Amazon Cognito authorizer Lambda function.
4. Accessing AWS Services with a User Pool and an Identity Pool
- Firstly, your app will receive user pool tokens from Amazon Cognito after a successful user pool authentication.
- Then, using an identity pool, you can exchange them for temporary access to other AWS services.
5. Authenticating with a Third Party and Access AWS Services with an Identity Pool
- Firstly, you can use an identity pool to give your users access to AWS services. However, an identity pool requires an IdP token (or nothing if the user is an anonymous guest) from a user who has been authenticated by a third-party identity provider.
- Then, in exchange, the identity pool gives you temporary AWS credentials that you can use to log into other AWS services.
6. Accessing AWS AppSync Resources with Amazon Cognito
- With tokens obtained from a successful Amazon Cognito authentication, you can grant your users access to AWS AppSync resources (from a user pool or an identity pool).
Learn to use the Amazon Cognito Console
You can use the Amazon Cognito console for creating and managing user pools and identity pools.
For using the console:
- Firstly, sign up for an AWS account.
- Secondly, open the Amazon Cognito console. It’s possible that you’ll asked for your AWS credentials.
- Thirdly, select Manage your User Pools for creating or editing a user pool.
- Lastly, select Manage Identity Pools for creating or editing an identity pool.
Amazon Cognito Pricing
You just pay for what you use with Amazon Cognito. There are no minimum costs or commitments up in advance. Further, for identity management and data synchronization, this service charges a fee.
Cognito User Pools
- You only pay based on your monthly active users (MAUs) if you utilize Cognito Identity to create a User Pool. However, When a user performs an identity action inside a calendar month, that user is designated an MAU. The actions can be:
- sign-up
- sign-in
- token refresh
- password change
- updating a user account attribute.
- Then, inside that calendar month, you will not charge for additional sessions or inactive users.
- Further, users who sign in directly with their credentials from a User Pool and users who join in through a corporate directory via SAML federation have different fees.
Free Tier
- For users who sign in directly to Cognito User Pools, the Cognito Your User Pool feature includes a free tier of 50,000 MAUs and 50 MAUs for users federated through SAML 2.0 based identity providers. The free tier does not expire when your 12-month AWS Free Tier term ends, and it is available permanently to both existing and new AWS customers.
Final Words
Above we have gained knowledge about Amazon Cognito by understanding its overview, features, scenarios, and pricing. However, this service is providing benefits to many top companies by offering solutions for easily adding user sign-up, sign-in, and access control to your web and mobile apps. So, start learning Cognito and move towards the more advanced level of AWS technology.