Amazon Cognito Cheat Sheet

• A user management and authentication service that can be integrated to your web or mobile applications. Amazon Cognito also enables you to authenticate users through an external identity provider and provides temporary security credentials to access your app’s backend resources in AWS or any service behind Amazon API Gateway. Amazon Cognito works with external identity providers that support SAML or OpenID Connect, social identity providers (Facebook, Twitter, Amazon, Google, Apple) and you can also integrate your own identity provider.
• An Amazon Cognito ID token is represented as a JSON Web Token (JWT). Amazon Cognito uses JSON Web Tokens for token authentication.

How It Works

User Pools

• • User pools are user directories that provide sign-up and sign-in options for your app users.
  • Users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP).
  • You can use the aliasing feature to enable your users to sign up or sign in with an email address and a password or a phone number and a password.
  • User pools are each created in one AWS Region, and they store the user profile data only in that region. You can also send user data to a different AWS Region.
  • Tokens provided through user pools:
    • Access tokens contain scopes and groups and are used to grant access to authorized resources. Access tokens can be configured to expire in as little as five minutes or as long as 24 hours.
    • Refresh tokens contain the information necessary to obtain a new ID or access token. Refresh tokens can be configured to expire in as little as one hour or as long as ten years.
  • A User Pool is like a directory of users.
  • Manage Users
    • After you create a user pool, you can create, confirm, and manage users accounts. 
    • Amazon Cognito User Pools groups lets you manage your users and their access to resources by mapping IAM roles to groups.
    • User accounts are added to your user pool in one of the following ways:
    • The user signs up in your user pool’s client app, which can be a mobile or web app.
    • You can import the user’s account into your user pool.
    • You can create the user’s account in your user pool and invite the user to sign in.
    • Sign up authflow below

Identity Pools 

• • Use this feature if you want to federate users to your AWS services.
  • Identity pools enable you to grant your users temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB.
  • Identity pools support anonymous guest users, as well as the following identity providers:
    • • Amazon Cognito user pools
      • Social sign-in with Facebook, Google, and Login with Amazon
      • OpenID Connect (OIDC) providers
      • SAML identity providers
      • Developer authenticated identities
  • To save user profile information, your identity pool needs to be integrated with a user pool.
  • Amazon Cognito Identity Pools can support unauthenticated identities by providing a unique identifier and AWS credentials for users who do not authenticate with an identity provider.
  • The permissions for each authenticated and non-authenticated user are controlled through IAM roles that you create.
  • Once you have an OpenID Connect token, you can then trade this for temporary AWS credentials via the AssumeRoleWithWebIdentity API call in AWS Security Token Service (STS). This call is no different than if you were using Facebook, Google+, or Login with Amazon directly, except that you are passing an Amazon Cognito token instead of a token from one of the other public providers.

Common Use Cases

• • Enable your users to authenticate with a user pool.

• • After a successful user pool sign-in, your web or mobile app will receive user pool tokens from Amazon Cognito. You can use those tokens to control access to your server-side resources.

• • Access resources with API Gateway and Lambda with a User Pool. API Gateway validates the tokens from a successful user pool authentication, and uses them to grant your users access to resources including Lambda functions, or your own API.
    

• • After a successful user pool authentication, your app will receive user pool tokens from Amazon Cognito. You can exchange them for temporary access to other AWS services with an identity pool.
    

• • Enable your users access to AWS services through an identity pool. In exchange, the identity pool grants temporary AWS credentials that you can use to access other AWS services.
    

• • Grant your users access to AWS AppSync resources with tokens from a successful Amazon Cognito authentication (from a user pool or an identity pool).
  • Amazon Cognito is also commonly used together with AWS Amplify, a framework for developing web and mobile applications with AWS services.
• Amazon Cognito Sync
  • Store and sync data across devices using Cognito Sync.
  • You can programmatically trigger the sync of data sets between client devices and the Amazon Cognito sync store by using the synchronize() method in the AWS Mobile SDK. The synchronize() method reads the latest version of the data available in the Amazon Cognito sync store and compares it to the local, cached copy. After comparison, the synchronize() method writes the latest updates as necessary to the local data store and the Amazon Cognito sync store.
  • The Amazon Cognito Sync store is a key/value pair store linked to an Amazon Cognito identity. There is no limit to the number of identities you can create in your identity pools and sync store.
  • Each user information store can have a maximum size of 20MB. Each data set within the user information store can contain up to 1MB of data. Within a data set you can have up to 1024 keys.
  • With Cognito Streams, you can push sync store data to a Kinesis stream in your AWS account. 

• Advanced Security Features
  • When Amazon Cognito detects unusual sign-in activity, such as sign-in attempts from new locations and devices, it assigns a risk score to the activity and lets you choose to either prompt users for additional verification or block the sign-in request.
  • Users can verify their identities using SMS or a Time-based One-time Password (TOTP) generator.
  • When Amazon Cognito detects users have entered credentials that have been compromised elsewhere, it prompts a password change.

• Integration with AWS Lambda
  • You can create an AWS Lambda function and then trigger that function during user pool operations such as user sign-up, confirmation, and sign-in (authentication) with a Lambda trigger.
  • Amazon Cognito invokes Lambda functions synchronously. When called, your Lambda function must respond within 5 seconds. If it does not, Amazon Cognito retries the call. After 3 unsuccessful attempts, the function times out.
  • You can create a Lambda function as a backend to Cognito that serves auth challenges to users signing in.

Amazon Cognito Pricing

• • If you are using Cognito Identity to create a User Pool, you pay based on your monthly active users (MAUs) only. A user is counted as a MAU if, within a calendar month, there is an identity operation related to that user, such as sign-up, sign-in, token refresh or password change.
    • The Cognito Your User Pool feature has a free tier of 50,000 MAUs for users who sign in directly to Cognito User Pools or through social identity providers, and 50 MAUs for users federated through SAML 2.0 based identity providers.
  • You pay an additional fee when you enable advanced security features for Amazon Cognito.
  • Amazon Cognito uses Amazon SNS for sending SMS messages for Multi-Factor Authentication (MFA) and phone number verification, so there are associated SNS costs as well.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

Validate Your Knowledge

Question 1

A Software Engineer has developed a web application to monitor the pending/processed orders on the corporate sales server. The application needs to be accessed by Delivery, Finance, and Admin teams. The Security Administrator decided to integrate Amazon Cognito to the application to provide user sign-in functionality for the members of each team. The Delivery team should be able to update entries on the application while the Finance team only needs read permissions to verify the flow of orders.

Which of the following options will help the Administrator grant distinct permissions for each team member?

1. Amazon Cognito User Pool Groups
2. Amazon Cognito Identity Pool
3. Amazon Cognito Sync
4. Amazon Cognito Federated Identities

Show me the answer!

Correct Answer: 1

Amazon Cognito User Pool supports “groups” which enables you to create and manage groups, add users to groups, and remove users from groups. Use groups to create collections of users to manage their permissions or to represent different types of users. You can assign an AWS Identity and Access Management (IAM) role to a group to define the permissions for members of a group. You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users.

For example, you can create separate groups for users who are readers, contributors, and editors of your website and app. Using the IAM role associated with a group, you can also set different permissions for those different groups so that only contributors can put content into Amazon S3 and only editors can publish content through an API in Amazon API Gateway.

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP). Whether your users sign-in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.

An identity pool, on the other hand, enables your users to obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB. Identity pools support anonymous guest users, as well as various identity providers that you can use to authenticate users for identity pools.

Hence, the correct answer is: Amazon Cognito User Pool Groups.

Amazon Cognito Identity Pool is incorrect because Identity pools are primarily used for authorization (access control) only to specific AWS resources. You can use identity pools to create unique identities for users and give them access to other AWS services. In this use case, you need authentication (identity verification) so you need to use user pool groups.

Amazon Cognito Sync is incorrect because this is just a client library that enables cross-device syncing of application-related user data. Cognito Sync API is primarily used to synchronize user data across devices.

Amazon Cognito Federated Identities is incorrect because this is the same as Identity Pools. Amazon Cognito identity pools (federated identities) enable you to create unique identities for your users and federate them with identity providers. With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services.

References:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pools-identity-pools/

Note: This question was extracted from our AWS Certified Security Specialty Practice Exams.

For more AWS practice exam questions with detailed explanations, visit the Tutorials Dojo Portal:

Amazon Cognito Cheat Sheet Resources:

https://aws.amazon.com/cognito/
https://aws.amazon.com/cognito/faqs/
https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
Overview of Amazon Cognito User Pools and Federated Identities