Home » Amazon Cognito

Amazon Cognito

What is Amazon Cognito?

Amazon Cognito is an Amazon Web Services product that controls user authentication and access to mobile applications on Internet-connected devices. The service saves and synchronizes end-user data, allowing the application developer to focus on writing code rather than building and managing the back-end infrastructure. It can speed up the mobile application development process.

Access control through authentication and authorization is required to confirm the identity of the device or the person trying to access the Website and if they have permission to do so. Both aspects are important in ensuring that organizations can keep their networks and protected resources safe from bad actors. That’s where Amazon Cognito comes in.

Amazon Cognito aggregates user profile attributes into directories called user pools that the mobile app or web app uses to configure limited access to AWS resources. An identity pool consolidates end-user information that client access platforms, devices, and operating systems obtain to organize federated identity groups.

When a device is online, the data is synchronized with AWS, allowing the end user to access the same information on the other device. Data can be saved locally to a SQLite database while offline before reconnecting. Amazon Cognito associates data sets with identities and saves encrypted information as key or value pairs in the Amazon Cognito Sync store. Each user can save up to 20MB of data, with each data set containing up to 1MB.

A developer can configure Amazon Cognito to accept streams of events as the data is updated and synchronized. A mobile developer can also query data through other AWS cloud services, such as an Amazon Redshift database, a relational database service (RDS) instance, or an Amazon Simple Storage Service (S3) file.

What is Amazon Cognito used for?

Amazon Cognito enables simple, secure user authentication, authorization and user management for web and mobile apps. With Cognito, users or visitors can sign in with a username and password through Amazon or through a third party such as Facebook, Google, or Apple.

Thus, with Cognito, a developer can:

  • Easily add user sign-up, sign-in and access controls to your apps with its built-in user interface (UI) and easy configuration
  • Federal identification from social identity providers
  • Synchronize data across multiple devices and applications
  • Provide secure access to other AWS services from their app by defining roles and mapping users to different roles

Since Cognito handles all the authentication requirements, developers can focus on building apps and websites. This can speed up the development process, shorten the release cycle, and increase time to market and price.

Cognito is part of the Amazon Web Services (AWS) ecosystem. The Cognito console itself is part of an organization’s AWS Management Console, where they can view all the information about their Cognito account and billing.

User Pool vs. Identity Pool: Understanding the Differences

Amazon Cognito has two main components:

User Pools: User directories that provide sign-up and sign-in options for app users.

Identity Pools: Cognito elements give users access to other AWS services (e.g., Amazon S3 and DynamoDB).

With User Pools, users can sign into an app through Amazon Cognito, social identity providers (eg, Google or Facebook), or security assertion markup language (SAML) identity providers. Each user will have a directory profile. A developer can access these profiles through the Software Development Kit (SDK). User pools can check for compromised credentials, provide email- and phone-based verification, and provide multifactor authentication (MFA) for added security. An administrator can also integrate AWS Lambda with Amazon Cognito Identity to add logic for customizable security features.

If an organization needs to provide users with access to AWS resources, they can configure an identity pool. Identity pools are federated identities that support authentication through user pools and federated identity providers, SAML identity providers, and even unauthorized identities (guest users). With identity pools, organizations can create unique identities and assign user permissions.

Identity pool and user pool can be used separately or together.

SDK Support

A mobile app developer can use the SDK to integrate with Cognito or access the server-side API directly. AWS supports Amazon Cognito in its AWS Mobile SDK, which includes libraries, code samples, and APIs to help developers use the service. The SDK is available for iOS, Android, Unity and Kindle Fire. The AWS SDK for JavaScript also supports Cognito. User pools are available in the AWS SDK for JavaScript and the AWS Mobile SDK for iOS and Android.

How Amazon Cognito Authentication Works: A 4-Step Process

Here’s how authentication works when Identity Pool and User Pool are used together:

  • User signs in through a user pool.
  • Once successfully authenticated, they receive a user pool token.
  • The app exchanges tokens for AWS credentials through an identity pool.
  • Users can use these authenticated AWS credentials to access other services in the AWS cloud.

Amazon Cognito

An overview of how Amazon Cognito Security works.

Syncing User Data with AWS Cognito Sync

AWS Cognito Sync synchronizes user profile data across mobile devices and web applications. This feature allows users to have a normalized user ID and credentials with Amazon Cognito.

The service supports Android and iOS devices with a high-end client library that caches user data locally. The latter makes the data available even if a device itself is offline.

User data persists in a data set. This data is accessible only to the credentials assigned to a particular identity. To provide user identity, Cognito Sync requires the Amazon Cognito Identity Pool.

Therefore, in order to use Amazon Cognito Sync, an organization needs to set up an identity pool.

Amazon Cognito Security & Data Protection

Security in Amazon Cognito aligns with the AWS “Shared Security” model for data security. AWS provides cloud security, while organizations are responsible for security in the cloud.

Amazon Cognito supports MFA and encrypts data at rest and in transit according to industry standards for an added layer of security. It also complies with several data protection standards and regulations, including:

  • Service Organization Control
  • ISO/IEC 27001/27017/27018
  • ISO 9001

Amazon Cognito also supports several identities and access management (IAM) capabilities, including:

  • Identity-based policies
  • Policy actions
  • Temporary credentials
  • Service roles
  • service-linked roles

Amazon Cognito

Amazon Cognito includes several identity access management capabilities.

Amazon Cognito pricing

Monthly active users (MAUs) determine the price for Amazon Cognito. A user is an MAU if any sign-up, sign-in, token refresh, or password change operation pertains to that user within a calendar month.

The first 50,000 MAUs are free. After that, the pricing is based on a tiered model based on the number of MAUs.

Charges for Cognito Sync are based on the number of synchronization operations and the amount of data Cognito Sync stores. With the AWS free tier, an enterprise can store 10GB of data and perform 1,000,000 sync operations a month for up to 12 months. Once the free tier ends, Amazon Cognito charges 15 cents per month for every GB of sync storage and 15 cents for every 10,000 sync operations.

You may also like