Amazon Cognito

Last updated on November 30, 2025

Amazon Cognito Cheat Sheet

  • A user management and authentication service that can be integrated into your web or mobile applications. Amazon Cognito also lets you authenticate users through an external identity provider and provides temporary security credentials for access to your app’s backend resources in AWS or to any service behind Amazon API Gateway. Amazon Cognito works with external identity providers that support SAML or OpenID Connect and with social identity providers (Facebook, Twitter, Amazon, Google, Apple), and you can also integrate your own identity provider.
  • An Amazon Cognito ID token is represented as a JSON Web Token (JWT). Amazon Cognito uses JSON Web Tokens for token authentication.

How It Works

User Pools

    • User pools are user directories that provide sign-up and sign-in options for your app users.

    • Users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP).

    • You can use the aliasing feature to enable your users to sign up or sign in with an email address and a password or a phone number and a password.

    • User pools are each created in one AWS Region, and they store the user profile data only in that region. You can also send user data to a different AWS Region.

    • Tokens provided through user pools:

      • Access tokens contain scopes and groups and are used to grant access to authorized resources. Access tokens can be configured to expire in as little as five minutes or as long as 24 hours.

      • Refresh tokens contain the information necessary to obtain a new ID or access token. Refresh tokens can be configured to expire in as little as one hour or as long as ten years.

    • Manage Users: After you create a user pool, you can create, confirm, and manage user accounts. Amazon Cognito user pool groups let you manage your users and their access to resources by mapping IAM roles to groups.

Identity Pools

    • Use this feature if you want to federate users to your AWS services.

    • Identity pools enable you to grant your users temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB.

    • Supports:

      • Amazon Cognito user pools

      • Social sign-in with Facebook, Google, and Login with Amazon

      • OpenID Connect (OIDC) providers

      • SAML identity providers

      • Developer authenticated identities

      • Unauthenticated identities (guest users).

    • To save user profile information, your identity pool needs to be integrated with a user pool.

    • The permissions for each authenticated and unauthenticated user are controlled through IAM roles that you create.

    • Once you have an OpenID Connect token, you can then trade this for temporary AWS credentials via the AssumeRoleWithWebIdentity API call in AWS Security Token Service (STS).
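The role that STS hands out through AssumeRoleWithWebIdentity is only as safe as its trust policy: it must be pinned to this identity pool (the `aud` condition) and to the authentication state the role is meant for (the `amr` condition). The following linter is an added example, not code from the cheat sheet or from AWS; the two policy documents and the identity pool id are constructed samples (the id is a placeholder), and the condition keys are the ones Cognito identity pools actually set.

```python
"""Added example, not from the cheat sheet or from AWS: lint the trust policy of an
identity pool's authenticated role. The role is the only thing deciding which tokens
STS will exchange for credentials, so its trust policy must pin the identity pool id
(aud) and the authentication state (amr).
The policies and the identity pool id are constructed samples (the id is a placeholder)."""

POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"   # placeholder identity pool id
COGNITO_FEDERATION = "cognito-identity.amazonaws.com"
AUD_KEY, AMR_KEY = "cognito-identity.amazonaws.com:aud", "cognito-identity.amazonaws.com:amr"

# Trust policy shaped the way the console generates it for the authenticated role.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO_FEDERATION},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD_KEY: POOL_ID},
            "ForAnyValue:StringLike": {AMR_KEY: "authenticated"},
        },
    }],
}

# The same role after a careless edit: the aud pin is gone and guests are trusted as well.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO_FEDERATION},
        "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
        "Condition": {"ForAnyValue:StringLike": {AMR_KEY: "*"}},
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in most policy positions; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_identity_pool_trust(policy, identity_pool_id, expected_amr="authenticated"):
    """Return findings for every Allow statement that grants AssumeRoleWithWebIdentity;
    an empty list means only this pool, in the expected auth state, can assume the role."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else ["*"]
        if federated != [COGNITO_FEDERATION]:
            findings.append(f"statement {i}: principal {federated} is not exactly {COGNITO_FEDERATION}")
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(AUD_KEY))
        if aud != [identity_pool_id]:
            findings.append(f"statement {i}: {AUD_KEY} is {aud or 'unset'}; any identity pool could assume this role")
        amr = _as_list(cond.get("ForAnyValue:StringLike", {}).get(AMR_KEY))
        if amr != [expected_amr]:
            findings.append(f"statement {i}: {AMR_KEY} is {amr or 'unset'}, expected {[expected_amr]}")
    return findings
```

Run `lint_identity_pool_trust(WEAK_TRUST_POLICY, POOL_ID)` to see the two findings; for the unauthenticated (guest) role, call it with `expected_amr="unauthenticated"` so that a guest role trusting authenticated users, or vice versa, is reported as well.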

Common Use Cases

    • Enable your users to authenticate with a user pool.

    • After a successful user pool sign-in, your web or mobile app will receive user pool tokens from Amazon Cognito. You can use those tokens to control access to your server-side resources.

    • Access resources with API Gateway and Lambda with a User Pool. API Gateway validates the tokens from a successful user pool authentication, and uses them to grant your users access to resources including Lambda functions, or your own API.

    • After a successful user pool authentication, your app will receive user pool tokens from Amazon Cognito. You can exchange them for temporary access to other AWS services with an identity pool.

    • Give your users access to AWS services through an identity pool. In exchange for the user's token, the identity pool grants temporary AWS credentials that the app can use to access other AWS services.

    • Grant your users access to AWS AppSync resources with tokens from a successful Amazon Cognito authentication (from a user pool or an identity pool).
    • Amazon Cognito is also commonly used together with AWS Amplify, a framework for developing web and mobile applications with AWS services.
  • Application Authentication (User Pools)
    • Scenario: Your mobile or web app needs a secure sign-up and sign-in directory.
    • Flow: Users sign in via Cognito User Pools (or social providers). Upon success, the app receives standard JWTs (ID, Access, and Refresh tokens). You can use these tokens to control access to your application’s pages or components.

  • Serverless API Authorization
    • Scenario: You are protecting a serverless API built with API Gateway and Lambda.
    • Flow: Configure a Cognito Authorizer on API Gateway. It automatically validates the User Pool tokens attached to incoming API requests before allowing them to trigger your Lambda functions.

  • Direct AWS Resource Access (Identity Pools)
    • Scenario: Your mobile app needs to upload files directly to S3 or read from DynamoDB without passing through a backend server.
    • Flow: The app authenticates with a User Pool, then swaps the JWT for temporary AWS credentials (Access Key/Secret Key) via an Identity Pool. These credentials allow the app to talk directly to AWS services.

  • User Data Synchronization (AWS AppSync)
    • Scenario: You need to sync user profile data, game state, or settings across multiple devices (e.g., phone and tablet) in real-time.
    • Flow: Use User Pool tokens to authenticate with AWS AppSync. AppSync uses GraphQL to securely synchronize data across devices, supporting both online and offline modes.

  • Legacy: Amazon Cognito Sync
    • Status: Deprecated.
    • Function: Previously used to sync user data (preferences, game state) across devices.
    • Recommendation: AWS now advises using AWS AppSync for syncing user data across devices. Cognito Sync is maintained for existing apps but should not be used for new workloads.

  • Advanced Security Features
    • Threat Protection (Advanced Security): Available in the Cognito Plus tier.
      • Adaptive Authentication: Detects unusual sign-in activity (new location, device, etc.). It assigns a risk score and can automatically block the request or require MFA.
      • Compromised Credentials Detection: Checks if a username/password pair has been compromised in known data breaches elsewhere on the internet and prompts a password change.
    • MFA: Users can verify their identities using SMS, email, or Time-based One-time Password (TOTP) generators.

  • Integration with AWS Lambda
    • You can trigger Lambda functions during user pool operations (e.g., Pre Sign-up, Post Confirmation, Pre Authentication).
    • Synchronous Invocation: Amazon Cognito invokes these functions synchronously. The function must respond within 5 seconds; otherwise, the call is retried (up to 3 times) before timing out.
    • Migration: You can use a Lambda trigger to migrate users from an existing directory into a User Pool seamlessly as they sign in.
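A Pre Sign-up trigger is the usual place to decide who may register at all; because Cognito waits on it synchronously, it should decide from the event alone. The handler below is an added example, not code from the cheat sheet or from AWS: it accepts only sign-ups from approved e-mail domains and leaves confirmation to the normal flow. The domain list and the sample event builder are constructed; the event fields follow the Pre Sign-up trigger payload AWS documents.

```python
"""Added example, not code from the cheat sheet or from AWS: a Pre Sign-up Lambda trigger
that stops a user pool from becoming an open registration endpoint by accepting only
sign-ups whose e-mail belongs to an approved domain. The domain list and the sample
event are constructed; the event fields follow the Pre Sign-up trigger AWS documents."""

ALLOWED_DOMAINS = {"example.com", "corp.example.com"}     # constructed for the example


class SignUpRejected(Exception):
    """Any exception raised here makes Cognito fail the sign-up and relay the message."""


def handler(event, context=None):
    """Entry point Cognito invokes synchronously (the 5-second budget from the cheat
    sheet), so it decides from the event alone and makes no network calls."""
    trigger = event.get("triggerSource", "")
    attrs = event.get("request", {}).get("userAttributes", {}) or {}
    response = event.setdefault("response", {})
    # Admin-created users are provisioned by staff, not self-registered; let them through.
    if trigger == "PreSignUp_AdminCreateUser":
        return event
    # Self sign-up and federated first sign-in (PreSignUp_ExternalProvider) get the same rule.
    email = (attrs.get("email") or "").strip().lower()
    local, at, domain = email.rpartition("@")
    if not at or not local or domain not in ALLOWED_DOMAINS:
        raise SignUpRejected("Sign-up is restricted to approved e-mail domains")
    # Leave confirmation and verification to the normal flow so the user proves e-mail ownership.
    response["autoConfirmUser"] = False
    response["autoVerifyEmail"] = False
    response["autoVerifyPhone"] = False
    return event


def sign_up_event(email, trigger="PreSignUp_SignUp", username="alice"):
    """Constructed event shaped like the Pre Sign-up trigger payload."""
    return {
        "version": "1", "triggerSource": trigger, "region": "us-east-1",
        "userPoolId": "us-east-1_EXAMPLE", "userName": username,
        "callerContext": {"awsSdkVersion": "aws-sdk-unknown-unknown", "clientId": "1example23456789"},
        "request": {"userAttributes": {"email": email, "name": "Alice"}, "validationData": None},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False},
    }
```

Call `handler(sign_up_event("alice@example.com"))` to see the event returned unchanged; `handler(sign_up_event("mallory@evil.example"))` raises `SignUpRejected`, which Cognito turns into the error shown to the client. Keeping `autoConfirmUser` false matters: a trigger that auto-confirms has silently removed the proof of e-mail ownership from the sign-up flow.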

Amazon Cognito Pricing

  • MAU Billing:

    • Lite + Essentials: First 10,000 MAUs free.

    • Plus Tier: Charged from the first user (no free tier).

  • Machine-to-Machine (M2M): Charged per token request.

  • MFA: Standard AWS SNS (SMS) and SES (Email) charges apply for verification messages.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

Validate Your Knowledge

Question 1

A Software Engineer has developed a web application to monitor the pending/processed orders on the corporate sales server. The application needs to be accessed by the Delivery, Finance, and Admin teams. The Security Administrator decided to integrate Amazon Cognito into the application to provide user sign-in functionality for the members of each team. The Delivery team should be able to update entries on the application, while the Finance team only needs read permissions to verify the flow of orders.

Which of the following options will help the Administrator grant distinct permissions for each team member?

  1. Amazon Cognito User Pool Groups
  2. Amazon Cognito Identity Pool
  3. Amazon Cognito Sync
  4. Amazon Cognito Federated Identities

Correct Answer: 1

Amazon Cognito User Pools support “groups”, which enable you to create and manage groups, add users to groups, and remove users from groups. Use groups to create collections of users to manage their permissions or to represent different types of users. You can assign an AWS Identity and Access Management (IAM) role to a group to define the permissions for members of that group. You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users.

For example, you can create separate groups for users who are readers, contributors, and editors of your website and app. Using the IAM role associated with a group, you can also set different permissions for those different groups so that only contributors can put content into Amazon S3 and only editors can publish content through an API in Amazon API Gateway.

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.

An identity pool, on the other hand, enables your users to obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB. Identity pools support anonymous guest users, as well as various identity providers that you can use to authenticate users for identity pools.

Hence, the correct answer is: Amazon Cognito User Pool Groups.

Amazon Cognito Identity Pool is incorrect because identity pools are primarily used for authorization (access control) to specific AWS resources only. You can use identity pools to create unique identities for users and give them access to other AWS services. In this use case, you need authentication (identity verification), so you need to use user pool groups.

Amazon Cognito Sync is incorrect because this is just a client library that enables cross-device syncing of application-related user data. Cognito Sync API is primarily used to synchronize user data across devices.

Amazon Cognito Federated Identities is incorrect because this is the same as Identity Pools. Amazon Cognito identity pools (federated identities) enable you to create unique identities for your users and federate them with identity providers. With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services.
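The group membership the answer relies on reaches the backend as the `cognito:groups` claim of the user pool access token, which is also what API Gateway or a Cognito authorizer validates in the Serverless API Authorization flow above. The block below is an added example, not code from the cheat sheet or from AWS: it verifies an access token (signature against the pool's JWKS, then the issuer, token_use, client_id and expiry claims) and maps groups to the reader/contributor/editor permissions of the answer. RS256 is implemented with the standard library only so the example runs offline; a real service should use a maintained JWT library and fetch the pool's JWKS from its issuer URL. The region, pool id, app client id, key id, user and group names are constructed values.

```python
"""Added example, not code from the cheat sheet or from AWS: validate a user pool access
token as a backend behind API Gateway (or the Cognito authorizer) must, then derive the
caller's permissions from the cognito:groups claim. RS256 is implemented with the standard
library only so the block runs offline; a real service should use a maintained JWT library
and the pool's published JWKS. All ids, names and groups below are constructed values."""
import base64, hashlib, json, math, random, time

# --- minimal RSA PKCS#1 v1.5 / SHA-256 so the demo can mint and check its own tokens ---
def _probable_prime(n, rounds=24):              # Miller-Rabin, for odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def make_rsa_key(bits=1024):                    # demo-sized (n, e, d); Cognito's keys are 2048-bit
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi, e = (p - 1) * (q - 1), 65537
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(msg, k):                    # EMSA-PKCS1-v1_5 encoding of SHA-256(msg)
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(msg, k)

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- constructed user pool and a JWKS document in the shape Cognito publishes ---
REGION, POOL_ID, CLIENT_ID, KID = "us-east-1", "us-east-1_EXAMPLE", "1example23456789", "demo-kid-1"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"
N, E, D = make_rsa_key()
JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": KID,
                  "n": _b64u(N.to_bytes((N.bit_length() + 7) // 8, "big")), "e": _b64u(E.to_bytes(3, "big"))}]}

def issue_token(claims, kid=KID, n=N, d=D):     # stand-in for Cognito minting a token (sample input only)
    signing_input = _b64u(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + _b64u(json.dumps(claims).encode())
    return signing_input + "." + _b64u(rs256_sign(signing_input.encode(), n, d))

class TokenError(Exception): ...

def verify_access_token(token, jwks=JWKS, issuer=ISSUER, client_id=CLIENT_ID, now=None):
    """Signature against the JWKS, then the claims AWS documents: iss, token_use, client_id, exp."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_unb64u(h)), json.loads(_unb64u(p)), _unb64u(s)
    except ValueError as ex:
        raise TokenError("malformed token") from ex
    if header.get("alg") != "RS256":            # never let the token choose the algorithm
        raise TokenError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:
        raise TokenError("unknown kid")
    n, e = (int.from_bytes(_unb64u(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h}.{p}".encode(), sig, n, e):
        raise TokenError("bad signature")
    checks = ((claims.get("iss") != issuer, "wrong issuer"),
              (claims.get("token_use") != "access", "not an access token"),   # ID tokens carry aud instead
              (claims.get("client_id") != client_id, "wrong app client"),
              (not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now, "expired"))
    for failed, reason in checks:
        if failed:
            raise TokenError(reason)
    return claims

# Group -> permission mapping for the reader/contributor/editor example in the answer above.
PERMISSIONS = {"readers": {"read"}, "contributors": {"read", "write"}, "editors": {"read", "write", "publish"}}

def allowed_actions(claims):                    # unknown groups grant nothing
    return set().union(*(PERMISSIONS.get(g, set()) for g in claims.get("cognito:groups", [])))

def sample_claims(groups, **overrides):
    now = int(time.time())
    return {"iss": ISSUER, "sub": "00000000-0000-0000-0000-000000000001", "token_use": "access",
            "client_id": CLIENT_ID, "cognito:groups": groups, "iat": now, "exp": now + 3600,
            "username": "finance-user", **overrides}
```

`allowed_actions(verify_access_token(issue_token(sample_claims(["readers"]))))` returns `{'read'}`, which is the Finance team's position in the question; a token whose payload was edited to add `editors` fails the signature check before any claim is read, and an ID token (`token_use` of `id`) is refused even though it is validly signed by the same pool, because authorization decisions belong on the access token.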

References:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pools-identity-pools/

Note: This question was extracted from our AWS Certified Security Specialty Practice Exams.

Amazon Cognito Cheat Sheet Resources:

https://aws.amazon.com/cognito/
https://aws.amazon.com/cognito/faqs/
https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
Overview of Amazon Cognito User Pools and Federated Identities

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
