
Sep 7, 2022 8:18:32 PM by Yura Vasilevitski

Amazon Cognito - Solutions to Control Access

Cloud Security, Cognito, Access Control

When you need to control access to your AWS resources, Amazon Cognito offers a variety of solutions. If you want to federate or manage identities across multiple providers, you can use Amazon Cognito user pools and device synchronization. If your app requires an authorized sign-in process before providing temporary credentials to users, then the AWS Amplify library simplifies access authentication.

Identity management for developers 

Amazon Cognito is a fully managed service that makes it easy to add user sign-up and sign-in functionality to your apps. You can use Amazon Cognito to create, manage, and validate user identities within your app.

With Amazon Cognito, you can:

  • Easily add new users by allowing them to sign up with their email addresses or phone numbers. After signing up, you can associate them with an AWS account or provide other custom attributes like first and last names.
  • Automatically recognize returning customers using Amazon Cognito Sync or federated identity providers such as Facebook or Google Sign-In (GSI). This allows existing users who have previously been verified in another service provided by Amazon or one of its partners (e.g., Facebook) to be recognized automatically when they log in to multiple applications using different credentials.


You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your applications. You no longer have to manage user credentials in your application code.

You also get flexible integration options with other AWS services (such as Amazon S3 storage buckets), allowing you to easily build secure web applications without writing any server-side code.

Client frontend Cognito 

You can create new user accounts, update existing user accounts, and reset passwords using Amazon Cognito.

With Amazon Cognito, you don’t need to write any code to manage users; instead, you can use an API that abstracts the complexities of authentication out of your application’s infrastructure. You provide the parameters for your users (such as names) or groups (for example, “members”), and Amazon Cognito handles everything else—including signing in or signing up the user on behalf of your application.

AWS Amplify simplifies access authentication

AWS Amplify simplifies access authentication. It’s a cloud-based service that Amazon manages, so you don’t have to worry about setting up a separate identity system or managing user credentials.

Amazon offers a free tier of Amplify, allowing you to authenticate users and control access to resources, including AWS services. In addition, the service integrates with other components of the AWS enterprise suite, such as IAM (Identity and Access Management), CloudFront CDN (Content Distribution Network), CloudWatch Logs Event Notification Service, and S3 (Simple Storage Service).

User pools and device synchronization

User pools and device synchronization are two separate features within Cognito. User pools manage user identity, while device synchronization manages device identity. They can be used together or independently of one another, but you need to choose which one works best for your organization’s needs before proceeding with the steps in this tutorial.

The following sections describe how each feature works:

User Pool Identity - This identity system allows you to create groups of users and assign them roles as needed. You can choose from predefined roles like “Admin” or “Guest” or create custom ones that best suit your organization’s needs.

Device Identity - This feature lets developers associate a user account with one or more devices, so they know which app sessions belong to which devices (and vice versa).

Federate identities 

Federated identities within Cognito enable you to use your existing credentials to sign in and access other applications. With this feature, you can connect your AWS account with other services that support SAML 2.0 federation protocols or JWT bearer tokens for authentication.

  • Federated identity is an authentication model that allows users to use their existing credentials to sign in to multiple applications.
  • A federated identity provider is a third party that authenticates users and issues security tokens that can be used to access other applications.

You can use Amazon Cognito to deliver temporary, limited-privilege credentials

Amazon Cognito is a secure and scalable user identity and access management solution that allows you to easily add user sign-up, sign-in, and access control to your website or mobile app. This can be useful if you are building an application that needs to store data in an Amazon DynamoDB table or make calls against Amazon S3 buckets.

To use Amazon Cognito to control access:

  • Create an App Client ID with the appropriate permissions for your application’s use cases
  • Create a Cognito User Pool containing the users to whom your application will grant temporary credentials
  • Generate temporary credentials for those users

When you use Amazon Cognito, instead of requesting new temporary security credentials every time they need access to AWS resources, users sign in once through a custom authentication process. They only need to provide their unique identifier for the service that authenticated them, and all subsequent requests can be made with this identifier. This means that users don’t have to enter their credentials again when accessing AWS resources from your application.
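As an added example (not code from the original post or from AWS): a backend check that a user pool token belongs to the user pool and app client created in the steps above before it is accepted or exchanged for temporary credentials. It assumes the token's signature has already been verified against the pool's published JWKS; the function name and the sample identifiers are hypothetical.

```python
import time

def check_cognito_claims(claims, region, user_pool_id, app_client_id,
                         expected_use="id", now=None, leeway=60):
    """Return a list of reasons to reject; an empty list means the claims pass.

    `claims` must be the payload of a token whose RS256 signature has ALREADY
    been verified against the user pool's JWKS. No signature check happens here.
    """
    now = time.time() if now is None else now
    problems = []

    # The issuer pins the token to one specific user pool.
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != issuer:
        problems.append("iss does not match the expected user pool")

    # ID tokens and access tokens are not interchangeable.
    if claims.get("token_use") != expected_use:
        problems.append(f"token_use is not '{expected_use}'")

    # ID tokens carry the app client ID in `aud`; access tokens in `client_id`.
    client_claim = "aud" if expected_use == "id" else "client_id"
    if claims.get(client_claim) != app_client_id:
        problems.append(f"{client_claim} does not match the app client ID")

    # Reject expired tokens, allowing a small clock-skew leeway (seconds).
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        problems.append("token is expired or has no exp claim")

    return problems

# Constructed sample values (not real identifiers).
REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "exampleclientid123"
NOW = 1_700_000_000
GOOD_ID_TOKEN = {
    "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}",
    "aud": CLIENT_ID, "token_use": "id", "exp": NOW + 3600, "sub": "constructed-sub",
}
# Same pool, but an access token issued to a different app client.
OTHER_CLIENT_ACCESS_TOKEN = {
    "iss": GOOD_ID_TOKEN["iss"], "client_id": "someotherclient",
    "token_use": "access", "exp": NOW + 3600,
}

if __name__ == "__main__":
    print(check_cognito_claims(GOOD_ID_TOKEN, REGION, POOL_ID, CLIENT_ID, now=NOW))
    print(check_cognito_claims(OTHER_CLIENT_ACCESS_TOKEN, REGION, POOL_ID, CLIENT_ID, now=NOW))
```

Checking `iss` alone is not enough when one user pool serves several app clients: the second sample passes the issuer check and is rejected only because of its `token_use` and client claims.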

Amazon Cognito has no upfront costs. 

Amazon Cognito has no upfront costs and charges based on monthly active users (MAUs). Active is defined as any unique user who accesses your app in a given calendar month.

The Amazon Cognito pricing structure is based on the number of MAUs you have, including all users who use your app without being prompted to sign in or authenticate their identity before using it.

There are lots of ways to control access to Amazon resources

There are lots of ways to control access to Amazon resources. Developers can use identity management APIs that provide robust functionality, including single sign-on (SSO), session management, and role-based access control.

To reduce the time and effort developers need to spend managing user identities, Cognito simplifies access authentication by abstracting out common tasks like implementing the web flow or sending an email message after sign-in.

In addition to providing a simpler developer experience through AWS Amplify, you can also use other tools on the AWS Marketplace, such as Cognito User Pools and Device Sync, if you want more control over the users who are authenticated within your app.
