Fully managed authentication, authorization, and user management service designed for use with web and mobile apps.

Users can sign in directly with a username and password or through a third party, such as Facebook, Amazon, or Google

Two main components: 

1. User pools: User directories that provide sign-up and sign-in options for your app users

   1. Users can also sign in through social identity providers such as Google, Facebook, Login for Amazon, or Sign in with Apple, and through SAML 2.0 identity providers. 

2. Identity pools: Enable you to grant your users access to other AWS services

   1. AWS credentials

   2. Federated identities

   3. Unauthenticated guests

User and identity pools can be used separately or together

Because Google federated identities work for both Android and IOS .

If you're allowing unauthenticated users, you can retrieve a unique Amazon Cognito identifier (identity ID) for your end-user immediately. 

Supports multiple login providers

Amazon Cognito has a synchronization feature that you can use to synchronize any changed data on one device to all other devices owned by the user.

The Amazon Cognito Streams feature enables you to automatically stream user state data from Amazon Cognito to Amazon Kinesis which can then be streamed to a data warehouse tool such as Amazon Redshift for further analysis. 

1. By doing that, you can do real-time processing on changes users are making to that data. This data is visualized on powerful dashboards that you can use to gain insights about how your users are using your applications.

2. Steps:

   1. Click the name of the identity pool

   2. Click Manage Identity Pools. The Manage Federated Identities page appears.

   3. Click Cognito Streams to expand it.

   4. In the Stream name dropdown menu, select the name of an existing Kinesis stream. Alternatively, click Create stream to create one, entering a stream name and the number of shards.

   5. In the Publish role dropdown menu, select the IAM role that grants Amazon Cognito permission to publish your stream. Click Create role to create or modify the roles associated with your identity pool.

   6. Click Save Changes.

The Amazon Cognito Events feature enables you to intercept changes made to an Amazon Cognito dataset. 

1. Trigger an AWS Lambda function so that you can make business logic decisions and modify the data when necessary.

You also have programmatic access to the sync store so that you can make changes to the data stored in Amazon Cognito on behalf of your users on an as-needed basis.

Your application users can sign in directly through a user pool, or federate through a third-party IdP. 

The user pool manages the overhead of handling the tokens that are returned from social sign-in through Facebook, Google, and Login with Amazon, and from OIDC and SAML IdPs. 

With the built-in hosted web UI, Amazon Cognito provides token handling and management for authenticated users from all identity providers, so your backend systems can standardize on one set of user pool tokens.

User gets authenticated by SAML-based third-party identity provider & gets a token. 

1. Amazon Cognito identity pool provides AWS credentials based upon these tokens. 

2. Applications can access AWS services using these credentials. 

3. Tokens provided by these servers will be exchanged with the Amazon Cognito identity pool to get AWS credentials. 

4. Using these credentials, authenticated users accessing this web application will be able to upload data to Amazon DynamoDB.
   
   

Identity store

1. An identity store for all your apps and users. 

2. Your users can sign in through the following:

   1. Social identity providers such as Google, Facebook, and Login with Amazon

   2. Enterprise identity providers, such as Microsoft Active Directory, using SAML 2.0

Access control

1. With Amazon Cognito identity pools, you can create methods to grant user access to your AWS resources.

Support of multiple compliance programs

1. Advanced security features to protect your users.

Integration (Op)

1. Integration with AWS services

2. Integration with external identify providers (IdPs) such as Google, Facebook, Sign in with Apple)

3. Microsoft Active Directory integration

Security (Op)

1. Data encrypted at rest and in transit; compliant with standards such as the following:

   1. Payment card industry ( PCI) data security standards (DSS)

   2. System and Organization Controls (SOC)

   3. International Organization for Standardization (ISO) 9001

2. Standards-based authentication (OAuth 2.0, SAML 2.0, OpenID Connect)

3. Multi-factor authentication (MFA)

A user pool is a user directory in Amazon Cognito. 

With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. 

Your users can also sign in through social identity providers like Facebook or Login with Amazon, and through SAML identity providers. 

Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK. 

Choose how the user will sign in, such as options for verifying email, phone number, or user name.

Sign-up and sign-in services.

A built-in, customizable web UI to sign in users.

Customized workflows and user migration through Lambda triggers.

User directory management and user profiles.

Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.

1. Each user needs at least one MFA factor such as SMS or TOTP set up to sign in. 

Require attributes for signing up and creating a user profile, such as email, birthdate, picture, custom attributes, and more.

Specify policies (for example, password strength, require administrator for signup, and set expiration of temp passwords).

Handles the IdP interactions for you

Provides profiles to manage users

Provides OIDC Connect and OAuth2.0 standard tokens

Priced per monthly active user

Enable multi-factor authentication (MFA) and remembering user devices.

Set options for recovering user accounts.

Set options for sending (SMS) and custom emails.

Add tags so that you can categorize and manage user pools.

Specify application clients with access to the user pool. App clients will receive a unique ID and an optional secret key to access the user pool.

Set up customized workflows with triggers. You can select AWS Lambda functions to run with certain events (for example, pre-sign-up, post authentication). 

Attributes

1. Attributes are pieces of information that help you identify individual users, such as name, email, and phone number. 

2. You get a set of default attributes, called standard attributes, with all user pools. 

3. You can also add custom attributes to your user pool definition in the AWS Management Console.

Groups

1. Use groups to create collections of users to manage their permissions or to represent different types of users.

2.  You can assign an (IAM) role to a group to define the permissions for members of a group.

3. Because a user can belong to more than one group, each group can be assigned a precedence. 

4. Zero is the top precedence value. 

5. Groups with  over groups with higher or null precedence values. 

6. If a user belongs to two or more groups, the group with the lowest precedence value has the IAM role applied to the cognito:preferred_role claim in the user's ID token.

Scope

1. A level of access that an application can request to a resource. 

2. Developers can create their own OAuth 2.0 resource servers and define custom scopes in them. Custom scopes can then be associated with a client. 

3. Custom scopes are added in the scope claim in the access token. 

Token

1. Amazon Cognito tokens are of JSON Web Token (JWT) format. JWT tokens have three sections:

   1. Header – How to verify a token with encryption algorithm (alg) and the key ID (kid).

   2. Payload – Encoded information about the claim of the key. 

      1. The ID token contains encoded user information, such as cognito: username, email, or phone number. 

      2. The access token contains information about the authenticated user, including cognito: groups, username, and scope.

      3. Sections:

         1. Sub – Unique identifier for authenticated user

         2. Aud – client_id that is used in the user authentication

         3. token_use– Purpose of the token, such as ID

         4. auth_time– When the authentication occurred

         5. origin_jti– JWT identifier that indicates where the authentication happened.

         6. Jti – Unique identifier of the JWT token

   3. Signature – Calculated based on the header and payload of the token.

2. Token Example:

   1. ////Header////

   2. {

   3.     "kid" : "1234example="

   4.     "alg" : "RS256",

   5. }

   6. ////Payload////

   7. {

   8.     "sub": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",

   9.     "aud": "xxxxxxxxxxxxexample",

   10.     "email_verified": true,

   11.     "token_use": "id",

   12.     "auth_time": 1500009400,

   13.     "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example",

   14.     "cognito:username": “StudentA",

   15.     "exp": 1500013000,

   16.     "given_name": "StudentA",

   17.     "iat": 1500009400,

   18.     "email": "StudentA@example.com",

   19. "jti": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",

   20.     "origin_jti": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

   21. }

   22. ////Signature////

   23. HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), {secret})

With identity pools, you can authenticate users through an external identity provider. 

Identity pools provide temporary security credentials to access your application’s backend resources in AWS or any service behind Amazon API Gateway. 

Exchanges tokens from authenticated users for AWS credentials to access resources such as Amazon S3 or Amazon DynamoDB.

To manage permissions, you can define rules for mapping users to different IAM roles.

1. The match type can be Equals, NotEqual, StartsWith, or Contains. 

2. Rules are evaluated in order, and the IAM role for the first matching rule is used, unless CustomRoleArn is specified to override the order.  

Provides an ID to uniquely identify users.

Provides AWS credentials for accessing resources on behalf of users

Supports rules to map users to different IAM roles

Credentials can be provided to federation authenticated guests and users

Free to use

Creating and configure a user pool

1. Use the Amazon Cognito console, CLI/SDK, or API to create a user pool.

   1. You need user pool ID, client ID, and any client secret (if set any) for the rest of the configuration.

2. Use the API Gateway console, CLI/SDK, or API to create an API Gateway authorizer of COGNITO_USER_POOLS authorizer type with the chosen user pool.

3. Use the API Gateway console, CLI/SDK, or API to enable the authorizer on selected API methods. 

   1. For Token source, use Authorization as the header name to pass the identity or access token that is returned by Amazon Cognito when a user signs in successfully.

4. Use the API Gateway Console or third-party tools to test the invocation by supplying an identity token that's provisioned from the user pool. 

Calling API methods

1. Use the Amazon Cognito CLI/SDK or API to sign a user into the chosen user pool, and obtain an identity token or access token.

2. Use a client-specific framework to call the deployed API Gateway API and supply the appropriate token in the Authorization header.

3. API Gateway validates tokens with the Amazon Cognito user pool.

4. Invoke backend AWS services.

Based on the Amazon Cognito security architecture, your application connects to an identity provider (IdP) to get an access token to identify your user. 

The IdP can be Facebook, Login with Amazon, Google+. Or you can use you own IdP or any OpenID Connect (OIDC) compatible source.

This token is then passed to an Amazon Cognito identity pool and exchanged for a short-lived AWS access token. 

This action allows your application to assume an IAM role and inherit the permissions granted to that particular role.  

When authenticated, your application can do anything that the IAM role grants permission to do; for example, access DynamoDB or Amazon S3 directly, if you allow it.

Amazon Cognito also assigns an Amazon Cognito identifier similar to this, which uniquely identifies the user for the lifetime of the application.

Content