Cognito

About

  • This service gives users an identity with which to interact with a web or mobile application.

  • There are two services as part of this offering: Cognito User Pools and Cognito Identity Pools.

Cognito User Pool

  • Provides sign-in functionality to users.

  • It is used for authentication.

  • Integrates with Application Load Balancer (ALB) and API Gateway.

  • It is a serverless database of users.

  • It provides the following functionality and more:

    • Handles simple login flows like username/email and password

    • Federated identities from Google, Facebook, SAML and OIDC providers, etc.

    • MFA

    • Password reset

    • Email and phone number verification

    • Blocks sign-in when the credentials are detected as compromised (part of the advanced security features)

  • Provides synchronous Lambda triggers for sign-up, sign-in, messaging, etc.

  • A successful login returns JSON Web Tokens (an ID token and an access token) together with a refresh token. The application must validate the signature, issuer, audience/client_id, token_use and expiry before trusting the claims.

Lambda Triggers

  • The list of operations and Lambda triggers is summarized in the table here.
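To show the contract a trigger has with Cognito (the same event object goes in and comes out; throwing rejects the operation), here is an added example of a Pre Sign-up trigger, not code from the original page. It limits self-service sign-up to an allowlist of email domains; `ALLOWED_DOMAINS`, the pool id and the sample event are constructed placeholders.

```javascript
// Added example (not from the page): a Cognito Pre Sign-up Lambda trigger.
// Cognito invokes it synchronously with the sign-up event and expects the same event
// back; a thrown error aborts the sign-up and its message is returned to the client.
// ALLOWED_DOMAINS, the pool id and the sample event are constructed placeholders.
const ALLOWED_DOMAINS = new Set(['example.com', 'example.org']);

// Domain after the LAST '@', lower-cased; null when there is no usable domain.
// lastIndexOf matters: "a@example.com@evil.test" must be judged by "evil.test".
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

function isAllowedEmail(email) {
  const domain = emailDomain(email);
  return domain !== null && ALLOWED_DOMAINS.has(domain);
}

// Synchronous core so the decision can be unit-tested without Lambda.
function checkSignUp(event) {
  // Admin-created users (AdminCreateUser) bypass the self-service gate.
  if (event.triggerSource === 'PreSignUp_AdminCreateUser') return event;
  if (!isAllowedEmail(event.request?.userAttributes?.email)) {
    throw new Error('Sign-up is restricted to approved email domains');
  }
  // Leave autoConfirmUser/autoVerifyEmail false so Cognito still sends the
  // verification code; auto-verifying here would let a user register an
  // address they do not control.
  event.response.autoConfirmUser = false;
  event.response.autoVerifyEmail = false;
  event.response.autoVerifyPhone = false;
  return event;
}

// Lambda entry point.
async function handler(event) {
  return checkSignUp(event);
}

// Constructed event in the shape Cognito sends to a Pre Sign-up trigger (abridged).
function sampleEvent(email, triggerSource = 'PreSignUp_SignUp') {
  return {
    version: '1',
    triggerSource,
    region: 'us-east-1',
    userPoolId: 'us-east-1_EXAMPLE',   // placeholder
    userName: 'alice',
    request: { userAttributes: { email }, validationData: null },
    response: { autoConfirmUser: false, autoVerifyEmail: false, autoVerifyPhone: false },
  };
}

module.exports = { handler, checkSignUp, isAllowedEmail, sampleEvent };
```

The `triggerSource` field distinguishes self-service sign-up (`PreSignUp_SignUp`), federated sign-up (`PreSignUp_ExternalProvider`) and admin creation (`PreSignUp_AdminCreateUser`); gate each path deliberately rather than applying one rule to all of them.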

Hosted Authentication UI

  • The hosted UI provided by Cognito handles both sign-up and sign-in flows.

  • The logo and CSS styling of the hosted UI can be customized.

Custom Domain

  • If a custom domain is used for the hosted UI, its certificate must be in ACM in the us-east-1 region, whatever region the user pool is in.

  • The custom domain is configured in the App integration section of the user pool.

Adaptive Authentication

  • This feature blocks a sign-in or requires MFA when the attempt appears suspicious.

  • This is achieved by calculating a risk score (based on location, IP address and device) for each sign-in attempt.

  • CloudWatch integration allows the trail of authentication attempts to be monitored.

Typical Flow

CUP Flow

Integrations

ALB

  • ALB integration offloads the authentication process from the application to the ALB.

  • Authentication can be done using:

    • OpenID Connect

    • Cognito User Pool

    • SAML, LDAP or Microsoft AD (corporate identities federated through a Cognito User Pool)

  • This requires an HTTPS listener; the authenticate-oidc or authenticate-cognito action is set in a listener rule, ahead of the forward action.

  • The ALB passes the authenticated user's claims to the target in the x-amzn-oidc-data header, which the ALB signs. Targets should verify that signature, or be reachable only from the ALB, so that a client cannot forge the header.

Flow Diagram

  • Cognito Integration flow

  • OpenID Connect integration flow

Cognito Identity Pool

  • Also known as Federated Identities.

  • It is used for authorization (access control).

  • It provides AWS credentials to outside users (i.e. app/web users who are not IAM principals) so that they can access AWS resources directly.

  • CIP provides temporary credentials to authenticated app/web users and, if enabled, to guest (unauthenticated) users; the permissions come from the IAM role mapped to each case.

  • Its identity provider can be a Cognito User Pool (CUP), an OpenID Connect or SAML provider, a custom login server (developer-authenticated identities), or a public identity provider (IdP) such as Google or Facebook.

  • Once the temporary credentials are obtained, users can access the AWS resources directly or via API Gateway.

Flow Diagram

CIP Flow

Sample Policy

CIP Guest Policy
CIP S3 Policy
CIP DynamoDB Policy
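The three policies above are linked as images. As an added example (not the page's own documents), the following shows what such policies look like for an identity pool whose authenticated role is scoped per identity: the trust policy that restricts who may assume the role, a guest policy, and S3 and DynamoDB policies built on the policy variable `${cognito-identity.amazonaws.com:sub}`, which IAM resolves to the caller's identity id at evaluation time. The bucket name `app-data-bucket`, table `AppUserData`, account id `123456789012` and identity pool id `us-east-1:11111111-2222-3333-4444-555555555555` are constructed placeholders; the four documents are wrapped in one JSON object only so they sit in a single block.

```json
{
  "AuthenticatedRoleTrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": { "Federated": "cognito-identity.amazonaws.com" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-1:11111111-2222-3333-4444-555555555555" },
        "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" }
      }
    }]
  },
  "CIP_Guest_Policy": {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::app-data-bucket/public/*"
    }]
  },
  "CIP_S3_Policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::app-data-bucket",
        "Condition": { "StringLike": { "s3:prefix": "private/${cognito-identity.amazonaws.com:sub}/*" } }
      },
      {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::app-data-bucket/private/${cognito-identity.amazonaws.com:sub}/*"
      }
    ]
  },
  "CIP_DynamoDB_Policy": {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
        "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/AppUserData",
      "Condition": {
        "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] }
      }
    }]
  }
}
```

Three points a practitioner should check. The trust policy's `aud` condition pins the role to one identity pool and the `amr` condition to authenticated identities; the guest role uses the same trust policy with `amr` set to `unauthenticated`, and without these conditions any identity pool could assume the role. The `sub` resolved here is the identity pool's identity id (the value returned by GetId), not the user pool `sub` claim, so data must be keyed by that id. Finally, `ForAllValues` evaluates to true when the request carries no `dynamodb:LeadingKeys` at all, so `dynamodb:Scan` is deliberately left out of the DynamoDB statement; granting it would let a user read the whole table.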
