Amazon Cognito¶

What Is This Service?¶

Amazon Cognito is AWS’s managed customer identity and application authentication platform for web and mobile applications.

Provides:

User sign-up/sign-in
Authentication
User federation
Token issuance
Temporary AWS credentials
Identity lifecycle management

Mental model:
Cognito = customer identity + authentication + application access broker.

Cognito manages application users, not AWS workforce identities.

Why It Matters for Security¶

Applications must:

Authenticate users securely
Eliminate password storage
Support federation
Minimize credential exposure
Enable Zero Trust identity
Issue temporary credentials

Security outcomes:

Centralized identity
Reduced credential risk
Strong authentication
Fine-grained authorization
Temporary AWS access

Typical use cases:

Customer portals
Mobile applications
SaaS authentication
API authorization
Serverless applications
Consumer identity platforms

Core Concepts¶

User Pools¶

Managed user directory and authentication engine.

Provides:

Registration
Login
MFA
Federation
Password policies
JWT issuance

Acts as:

Identity Provider (IdP)

Outputs:

ID Token
Access Token
Refresh Token

Purpose:

Who are you?

Identity Pools¶

Identity broker.

Converts identities into:

STS Temporary Credentials

Supports:

User Pools
SAML
OIDC
Social IdPs

Purpose:

What AWS resources can you access?

User Pool Client¶

Application registration object.

Controls:

Redirect URLs
OAuth flows
Scopes
Token lifetime

Multiple apps may share a pool.

Groups¶

Logical authorization layer.

Examples:

Admins
Developers
Guests

Supports:

IAM role mapping
Claims-based access

Federation¶

Supported protocols:

SAML
OIDC
OAuth 2.0

Examples:

Google
Apple
Enterprise IdP
Login with Amazon

Hosted UI¶

AWS-managed authentication interface.

Provides:

Login
Signup
Federation

Reduces implementation risk.

Important Integrations¶

AWS STS¶

Identity Pools generate:

Temporary AWS Credentials

No long-lived keys.

Amazon API Gateway¶

Authentication options:

Cognito User Pool Authorizer¶

Native validation.

Provides:

JWT validation
Signature verification
OAuth scope enforcement

No custom code.

Lambda Authorizer¶

Required when:

Using external IdP directly
Complex authorization required
Database lookups required

Exam decision:

Use Cognito Authorizer first.

Use Lambda Authorizer only if necessary.

AWS Lambda¶

Supports authentication workflows.

Triggers:

Pre sign-up
Pre authentication
Post authentication
Token generation
Custom challenge
User migration

AWS WAF (HIGH VALUE)¶

User Pools support direct WAF protection.

Protects against:

Credential stuffing
Brute force
Malicious geographies
Automated abuse

Architecture:

Internet
 ↓
AWS WAF
 ↓
Cognito User Pool
 ↓
Authentication

Exam trap:

WAF can protect Cognito directly.

CloudFront not required.

AWS AppSync¶

Supports Cognito authentication.

AWS Amplify¶

Deep integration.

Supports:

Authentication
Session handling
Federation

Amazon Verified Permissions¶

Modern authorization architecture:

Authentication → Cognito
Authorization → Verified Permissions

IAM Identity Center (Exam Distinction)¶

Identity Center:

Employees

Cognito:

Application users

Security Features¶

Multi-Factor Authentication¶

Supports:

SMS
TOTP

Adaptive Authentication (Advanced Security)¶

Risk evaluation:

Device
Geography
IP
Behavior

Actions:

Allow
Challenge
Block

Exam keyword:

Advanced Security Features

Password Policies¶

Controls:

Complexity
Lockout
Expiration

Token-Based Authentication¶

Cognito issues JWT tokens.

ID Token (Identity Claims)¶

Purpose:

Who is the user?

Contains:

name
email
groups
custom attributes

Example:

custom:department=finance

Used by:

Applications
Identity context

Access Token (Authorization Claims)¶

Purpose:

What can the user do?

Contains:

OAuth scopes
Authorization claims

Example:

read:users
write:documents

API Gateway commonly validates:

Access Token scopes

Exam trap:

ID Token ≠ Authorization

Refresh Token¶

Purpose:

Session continuation.

Supports:

Long-lived sessions
Token revocation

Device Tracking¶

Supports:

Remembered devices
Reduced MFA prompts

Advanced Security and Operational Concepts¶

User Pool vs Identity Pool (MOST TESTED)¶

User Pool:

Authenticate

Identity Pool:

Authorize AWS access

Flow:

User
 ↓
User Pool
 ↓
JWT
 ↓
Identity Pool
 ↓
STS
 ↓
IAM Role

User Migration Trigger (VERY HIGH VALUE)¶

Migration without forced password reset.

Architecture:

Legacy Directory
 ↓
Migration Lambda
 ↓
User Pool

Flow:

User attempts login
Cognito invokes Migration Lambda
Lambda validates old password
User created in User Pool
Password rehashed

Result:

Seamless migration.

Exam scenario:

Move thousands of users with existing passwords.

Answer:

User Migration Lambda Trigger

Guest Access Architecture¶

Identity Pools support:

Unauthenticated Identities

Role assignment:

Authenticated Role

and

Unauthenticated Role

Example:

Guest:

S3:GetObject

Authenticated:

S3:PutObject

Exam trap:

User Pools cannot issue AWS credentials.

Lambda Trigger Nuance¶

Triggers execute synchronously.

Effect:

More customization

BUT

Higher authentication latency.

Fine-Grained Authorization¶

Identity Pool supports:

Role mapping
Claims evaluation
Attribute access

Example:

department=finance

→ Different IAM role

Temporary Credential Security¶

Pattern:

JWT
 ↓
Identity Pool
 ↓
STS
 ↓
Temporary Credentials

Eliminates:

Static keys

Hosted UI Security¶

Benefits:

OAuth correctness
Reduced credential handling
Lower attack surface

Passkeys and Passwordless Authentication¶

Supports:

WebAuthn
FIDO
Passwordless flows

Modern authentication architecture.

Architecture Example¶

flowchart LR

User

WAF[AWS WAF]

UP[User Pool]

IP[Identity Pool]

STS[STS]

IAM[IAM Role]

API[API Gateway]

User --> WAF

WAF --> UP

UP --> IP

IP --> STS

STS --> IAM

IAM --> API

Workflow(s)¶

Standard Authentication¶

sequenceDiagram

participant User
participant App
participant UserPool
participant IdentityPool
participant STS

User->>App: Login

App->>UserPool: Authenticate

UserPool-->>App: ID + Access Token

App->>IdentityPool: Exchange identity

IdentityPool->>STS: Assume Role

STS-->>App: Temporary Credentials

User Migration Workflow¶

sequenceDiagram

participant User
participant Cognito
participant Lambda
participant LegacyDB

User->>Cognito: Login

Cognito->>Lambda: Migration Trigger

Lambda->>LegacyDB: Validate password

LegacyDB-->>Lambda: Success

Lambda-->>Cognito: User attributes

Cognito-->>User: Login successful

Cognito Authorizer Flow¶

sequenceDiagram

participant Client
participant API
participant Cognito

Client->>API: Access Token

API->>Cognito: Validate JWT

Cognito-->>API: Claims + Scopes

API-->>Client: Access granted

Comparisons¶

Service	Purpose	Auth	AWS Credentials	Federation
Cognito User Pool	User authentication	Yes	No	Yes
Cognito Identity Pool	AWS authorization	No	Yes	Yes
IAM Identity Center	Workforce SSO	Yes	Limited	Yes
IAM Users	AWS admin access	Yes	Static	No
Verified Permissions	Authorization	No	No	No

Common Exam Traps¶

User Pool authenticates.
Identity Pool issues AWS credentials.
Access Token ≠ AWS credentials.
ID Token ≠ authorization.
Cognito ≠ IAM Identity Center.
API Gateway validates scopes from Access Token.
User migration uses Lambda trigger.
WAF attaches directly to User Pools.
Identity Pools support guest users.
Guest and authenticated users use separate IAM roles.
Lambda triggers increase login latency.
JWT claims are not IAM permissions.
Hosted UI reduces auth implementation risk.

5-Second Recall¶

Cognito = customer identity
User Pool → authenticate
Identity Pool → AWS access
STS issues temporary credentials
WAF protects User Pools
Access Token contains scopes
Migration Lambda avoids password resets

Quick Revision Notes¶

User directory + authentication
JWT token architecture
Federation supported
Identity Pool brokers AWS access
Guest access uses separate IAM roles
WAF integrates directly
Migration Lambda enables seamless onboarding
Cognito Authorizer validates JWT natively
Adaptive authentication available
Not workforce SSO