AWS Cognito is a service to handle user authentication and authorization. Using the best security practices gives us the way to manage users and access.

It offers:

  • Secure and scalable identity store
  • Social and enterprise identity federation
  • Standards-based authentication
  • Security for apps and users
  • Access control for AWS resources
  • Easy integration with apps
Cognito it’s cheap as well, with a free tier that gives 50,000 monthly active users for UserPools and 50 for users from SAML 2.0 based identity providers.

Core Components

Cognito User Pool

Probably the most used feature, it offers a base of users to handle. It contains a bunch of cool features to sign in and sign-up users, like MFA, password minimal requirements, account validation, etc.

It’s possible to update increment behaviors (like adding more information to tokens) in most Cognito steps. This can be accomplished by invoking lambdas after/before the steps.

Cognito Identity Pool

Provide temporary credentials for users to access AWS services, like S3, DynamoDB, Cloudwatch, etc.


Cognito Sync

AWS service and client library that makes it possible to sync application-related user data across devices.

Synchronize user profile data across mobile devices and the web without using a backend application.

The client libraries cache data locally so that the applications can read and write data regardless of device connectivity status.

Security best practices

It’s recommended to enable multi-factor authentication (MFA) to a user pool to protect the user’s identity. MFA adds a second authentication factor so that the user pool doesn’t rely solely on user name and password.

It’s possible to choose to use SMS text messages, or time-based one-time passwords (TOTP) as second factors to sign in the users.

Also, it’s useful to enable adaptive authentication with its risk-based model to predict when might need another authentication factor. User pool advanced security features include adaptive authentication and protections against compromised credentials.