Amazon Cognito
💡 Definition
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. It supports sign-up and sign-in with social identity providers (like Facebook, Google, Apple) and enterprise identity providers (like Microsoft Active Directory via SAML).
🔑 Key Concepts
- User Pools: A user directory that provides sign-up and sign-in options for your application users. It can handle user registration, authentication, account recovery, and multi-factor authentication (MFA).
- Identity Pools (Federated Identities): Enables you to grant your users access to other AWS services. It allows you to federate user identities from social IdPs (e.g., Google, Facebook) or enterprise IdPs and obtain temporary, limited-privilege AWS credentials.
- Authentication & Authorization: Manages the process of verifying user identities and controlling what actions they can perform.
- Scalability: Designed to scale to millions of users.
⚙️ How it Works
When a user signs up or signs in, Cognito handles the authentication process. If using User Pools, it manages the user directory directly. If using Identity Pools, it can federate identities from external providers. After successful authentication, Cognito provides tokens that your application can use to authorize access to your backend resources (e.g., via API Gateway or Lambda) or to grant access to AWS services (via Identity Pools).
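Added example (not from the original page or from AWS): the check a backend behind API Gateway or Lambda performs before trusting a User Pool access token. It verifies the RS256 signature with the pool's public key (in production fetched from the pool's JWKS endpoint; a locally generated key is used here so the example runs offline), then checks the `iss`, `client_id`, `token_use` and `exp` claims. `MintToken`, the issuer URL and the client id are constructed stand-ins.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type Claims struct { // the subset of Cognito access-token claims a backend must check
	Iss      string `json:"iss"`
	ClientID string `json:"client_id"`
	TokenUse string `json:"token_use"`
	Exp      int64  `json:"exp"`
}
// VerifyAccessToken checks the RS256 signature with the pool's public key (in production looked up in the pool's JWKS by the "kid" header), then the iss, client_id, token_use and exp claims.
func VerifyAccessToken(tok string, pub *rsa.PublicKey, iss, clientID string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	hdr, e1 := base64.RawURLEncoding.DecodeString(p[0])
	body, e2 := base64.RawURLEncoding.DecodeString(p[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(p[2])
	var h struct{ Alg string `json:"alg"` }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" {
		return nil, errors.New("bad encoding or alg") // the token never gets to choose the algorithm
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	var c Claims
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("bad signature or payload")
	}
	if c.Iss != iss || c.ClientID != clientID || c.TokenUse != "access" || now >= c.Exp {
		return nil, errors.New("claims rejected") // wrong pool, wrong app client, ID token misused, or expired
	}
	return &c, nil
}
func MintToken(priv *rsa.PrivateKey, claims map[string]any) string { // constructed stand-in for Cognito's signer so the example runs offline; not an AWS API
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","kid":"example-kid"}`))
	body, _ := json.Marshal(claims)
	signing := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

A real issuer has the form `https://cognito-idp.{region}.amazonaws.com/{userPoolId}`; ID tokens carry `aud` and `token_use: "id"` instead, so an endpoint that expects an access token must reject them.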
🎯 Use Cases
- User Authentication for Mobile/Web Apps: Adding user sign-up and sign-in functionality to your applications.
- Social Sign-In: Allowing users to log in with their existing social media accounts.
- Accessing AWS Services from Frontend: Enabling authenticated users of your app to directly access specific AWS resources (e.g., upload files to S3).
- Multi-Factor Authentication (MFA): Implementing an additional layer of security for user accounts.
💰 Pricing Model
- Monthly Active Users (MAUs): Charged based on the number of unique users who authenticate or perform operations within a month.
- SMS Messages: Additional charges for sending SMS messages for MFA or verification.
📝 Exam Tips (CLF-C02)
- Keywords: "User authentication", "Web and mobile apps", "User Pools", "Identity Pools", "Social login".
- Think of Cognito as your primary service for managing user identities for your custom applications.
- It's distinct from IAM (which is for managing access to AWS resources for AWS users/services, not your application's end-users).
See Also:
- IAM
- AWS Amplify
- API Gateway
- Lambda