Cognito
About
This service gives users an identity to interact with a web or mobile application.
There are two services as part of this offering.
Cognito User Pool
Previously known as Federated Identity
Provides sign in functionality to users.
It is used for authentication.
Integrates with Application Load Balancer (ALB) and API gateway.
It is a serverless database of web and mobile application users.
It provides the following functionality, among others:
Handles simple login flows like username/email and password
Federated identity for users from Google, Facebook, SAML, OIDC, etc.
MFA
Device Tracking
Password reset
Password policy with configurable password requirements
Email and Phone number verification
Blocks users if their credentials have been compromised elsewhere, as AWS scans the web for leaked credentials.
Account recovery via email or SMS.
Provides synchronous Lambda triggers for sign-up, sign-in, messaging, etc.
A successful login returns a JWT.
Supports Simple Email Service (SES) for email communication with users. Cognito's built-in email can also be used to send mail, but SES is recommended because Cognito email is limited to 50 emails per day. Cognito email can be used for testing.
SMS based communication can also be configured.
The message templates sent to users can be configured as required.
WAF, threat protection and log streaming can be used to protect against attacks.
Lambda Triggers
The list of operations and Lambda triggers is summarized in the table here.
Hosted Authentication UI
This hosted UI provided by Cognito handles both sign-up and sign-in flows. It can be hosted on your own domain rather than the AWS-generated one.
An ACM certificate must be created in us-east-1.
Logos and styling can be customized using Managed Login (previously Hosted UI).
Custom Domain
If a custom domain is created for the hosted UI, the certificate must be hosted in ACM in the us-east-1 region only. This custom domain must be defined in the App Integration section of Cognito.
Adaptive Authentication
This feature blocks user signin or requires MFA if the authentication appears suspicious.
This is achieved by calculating a risk score (based on location, IP and device used) for each sign-in attempt.
Account takeover protection is provided through phone and email verification.
CloudWatch Logs integration allows monitoring the trail of authentication attempts, with details such as risk score, sign-in attempts, failed challenges, etc.
Token
The token received from Cognito is a JWT.
After the token is verified, the user is authenticated.
The sub field (subject) in the JWT payload is used to link a user in the application's user database to the token owner, i.e. the user.
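Verifying the signature is only half of accepting a Cognito JWT; the claims must also match your pool and app client, and an access token must not be accepted where an ID token is expected. The following is an added example (not code from the original page or from AWS) of those claim checks, assuming the signature has already been verified against the pool's JWKS by a JWT library; the region, pool ID, client ID and sample claims are constructed values.

```python
import time

# Constructed example values, not taken from the original page.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"

class CognitoTokenError(Exception):
    """Raised when a Cognito JWT's claims do not match this pool or client."""

def validate_cognito_claims(claims, region, user_pool_id, app_client_id,
                            expected_use, now=None):
    """Claim checks for a Cognito JWT whose signature was already verified
    against the pool's JWKS. Returns the 'sub' claim on success."""
    if expected_use not in ("id", "access"):
        raise ValueError("expected_use must be 'id' or 'access'")
    now = time.time() if now is None else now
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != issuer:
        raise CognitoTokenError("issuer does not match the expected user pool")
    # ID and access tokens carry different claims; never accept one in place
    # of the other (an access token has no aud, an ID token no client_id).
    if claims.get("token_use") != expected_use:
        raise CognitoTokenError(f"expected a token with token_use={expected_use}")
    client_claim = "aud" if expected_use == "id" else "client_id"
    if claims.get(client_claim) != app_client_id:
        raise CognitoTokenError("token was issued for a different app client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise CognitoTokenError("token has expired or has no exp claim")
    sub = claims.get("sub")
    if not sub:
        raise CognitoTokenError("token has no sub claim")
    return sub  # stable user id: link it to the user record in your database

def rejection_reason(claims, expected_use, now):
    """Helper for callers/tests: None if accepted, otherwise the error text."""
    try:
        validate_cognito_claims(claims, REGION, USER_POOL_ID, APP_CLIENT_ID,
                                expected_use, now)
        return None
    except CognitoTokenError as err:
        return str(err)

# Constructed sample claims shaped like a Cognito ID token payload.
SAMPLE_ID_CLAIMS = {
    "sub": "11111111-2222-3333-4444-555555555555", "token_use": "id",
    "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
    "aud": "example-app-client-id", "email": "user@example.com",
    "iat": 1700000000, "exp": 1700000900,
}
```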
Typical Flow

Integrations

ALB
ALB integration allows offloading the authentication process from the application to the ALB.
Authentication can be done using:
OpenID Connect
With and without a Cognito User Pool
For identity providers like Google, Facebook, etc.
SAML/LDAP/Microsoft AD
This requires an HTTPS listener with authenticate-oidc (without Cognito) or authenticate-cognito (with Cognito) rules. For OnUnauthenticatedRequest, we can either ask the user to authenticate (default), deny, or allow.
Flow Diagram
Cognito Integration flow

OpenID Connect integration flow

Cognito Identity Pool
Also known as Federated Identity.
It is used for authorization (access control).
It provides AWS credentials to outside users (i.e. app/web users who are not part of AWS IAM) so that they can access AWS resources directly.
CIP provides temporary credentials to app/web users or guest (unauthenticated) users.
Behind the scenes, the Security Token Service (STS) provides the temporary token.
It also integrates with Cognito User Pool (CUP), OpenID Connect, SAML, custom login servers or public identity providers (IdPs) as its identity provider.
Once the temporary credentials are obtained, users can access the AWS resources directly or via API gateway.
IAM policies that allow access to AWS resources are defined in Cognito.
They can be customized based on user_id for fine-grained control.
Flow Diagram
CIP flow

Sample Policy