Code360 powered by Coding Ninjas X Naukri.com. Code360 powered by Coding Ninjas X Naukri.com
Table of contents
1.
Introduction
2.
Amazon Cognito
3.
Features
3.1.
User Pools
3.2.
Identity Pools
4.
Amazon Cognito Console 
5.
Regional Availability
6.
Getting started with Amazon Cognito
7.
Pricing
8.
FAQs
8.1.
What user profile information is supported by Cognito Identity?
8.2.
What are unauthenticated users?
9.
Conclusion
Last Updated: Mar 27, 2024
Easy

Amazon Cognito

Author Yashesvinee V
0 upvote
Master Python: Predicting weather forecasts
Speaker
Ashwin Goyal
Product Manager @

Introduction

Identity and access management, or IAM, is a security discipline that ensures the usage of resources by authorised people when they need to, without interference, from the device of their choice. The most basic authentication process involves a person entering his/her username and password into a login screen.

Amazon Cognito is an AWS service that provides authentication, authorisation, and user management for the client’s web and mobile apps. The client’s users can sign in directly using a user name and password or through a third-party application such as Facebook, Amazon, Google or Apple. 

Amazon Cognito

Authorisation and authentication are critical in ensuring that organisations can keep their networks and resources secure and protected from malicious users. Amazon Cognito keeps track of the users’ logins on multiple devices and the services they use. It helps save and synchronise end-user data, which enables application developers to focus on writing the code instead of managing the back-end infrastructure. This accelerates the mobile application development process.

Source
 

The above diagram shows the process of user authorisation, authentication and synchronisation in Amazon Cognito. There are four main steps involved.

  1. Registration - The user enters the email and password to get registered to use the application. This data gets stored in the Cognito user pool.
     
  2. Verification - A verification email or text is sent to the user. It ensures that only a valid user gets registered.
     
  3. Login - The user logs in using their credentials. AWS Cognito provides the user with a token upon successful login. The app exchanges the token for AWS credentials through an identity pool.
     
  4. Authorisation - The logged-in users will get authorised to use the resources as defined by their IAM roles. Users can use their authenticated AWS credentials to access other services in the cloud. 
Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job
Bootcamp

Features

  • Secure user directoryThe user pool of the application is built and managed by AWS. The secure user directory is capable of handling millions of users and is easy to set up.
     
  • Social identity federationUsers can sign in through various social identity providers like Google, Facebook, or Apple. This provides a comfortable experience for users.
     
  • Multiple factor authentication - Clients can enable two-factor authentication to provide a secure environment for their users. Confirmation emails and text messages can be sent to users for authentication. Data sent is encrypted by AWS Amplify.
     
  • Customisable built-in UI AWS Cognito provides a built-in customisable User Interface. This reduces the frontend load as forms for sign-in, sign-up, password recovery, federated authentication, and MFA (Multi-Factor Authentication) are built-in. 
     
  • Access control - AWS users can define roles and map authenticated users with specific roles. This enables access control of the application resources and helps differentiate between an authenticated and a non-signed in user.

User Pools

User pools are user directories in Amazon Cognito. Application users can sign in to the web or mobile app through Amazon Cognito or through a third-party identity provider (IdP). All members of the user pool have a directory profile that the owner can access through an SDK. User pools can check for compromised credentials, provide email or phone-based verification, and offer multifactor authentication for additional security. 

Identity Pools

Amazon Cognito identity pools enable clients to create unique identities for their users and federate them with identity providers. They can obtain temporary, limited-privilege AWS credentials to access other AWS services. An identity pool stores user identity data specific to the client’s account. With Amazon Cognito identity pools, one can create unique identities and assign permissions for their users. An identity pool may include:

  • Users in an Amazon Cognito user pool
     
  • Users who authenticate with external identity providers such as Facebook, Google or Apple.
     
  • Users authenticated via an existing authentication process.

Amazon Cognito Console 


Amazon Cognito offers a new console experience that makes it easier for customers to manage their user pools and add sign-in/sign-up functionalities to their applications. Navigate to the Amazon Cognito console to experience its latest features. 

The console provides a streamlined experience based on customer feedback and guides the developers to enable sign-up and sign-in features for their applications. Customers can manage user pools and individual users. Direct access to help and documentation is now readily available.

Regional Availability

Amazon Cognito is available in multiple AWS Regions worldwide. In each Region, Amazon Cognito is distributed across multiple Availability Zones. These Availability Zones are physically isolated and are private. They have low latency, high throughput, and highly redundant network connections. The Availability Zones enable AWS users to access the Amazon Cognito service, with very high levels of availability and redundancy, while minimising latency.

Getting started with Amazon Cognito

Amazon Cognito requires an AWS account. Sign up here.

To set up user pool:

  1. Create a user pool and follow the steps mentioned in the console.
     
  2. Add an app to enable the hosted web UI
     
  3. Add a social sign-in to a user pool. This is optional. 
     

To set up an identity pool:

  • Create an identity pool in Amazon Cognito. Note that at least one identity is required for a valid identity pool.
     
  • Install the Mobile or JavaScript SDK
     
  • Integrate the identity providers to log in using Facebook, Google, Apple, etc.
     
  • Get the credentials using which the app can securely access a back end in AWS or outside AWS through Amazon API Gateway.

 

Pricing

To create and use a User Pool, you pay based only on the applications’ monthly active users (MAUs). A user is counted as a MAU if there is an activity related to that user, such as sign-up, sign-in, token refresh, password change, or an updated user account attribute. 

For users who sign in directly with their credentials from a User Pool or with social identity from Apple, Google, Facebook and Amazon, there are volume-based pricing tiers for MAUs above the free tier. The Cognito User Pool feature has a free tier of 50,000 MAUs.

For users who sign in through SAML or OIDC federation, the price for MAUs above the 50 MAU free tier is $0.015. 50 MAUs for users federated through SAML 2.0 based identity providers are free.

The prices for advanced security features like SMS messages for Multi-Factor Authentication are in addition to the base prices for active users.

Get a detailed description of the Amazon Cognito Pricing here.

FAQs

What user profile information is supported by Cognito Identity?

Developers can use standard OpenID Connect-based user profile attributes such as user name, email, phone number, address, time zone, etc. It can be customised to add app-specific user attributes also.

What are unauthenticated users?

Unauthenticated users do not authenticate with any identity provider but access your app as a guest. A separate temporary IAM role for these users can be defined to provide limited permissions to access the backend resources.

Conclusion

This article extensively discusses Amazon Cognito. We hope that this blog has helped you enhance your knowledge of the features and working of Amazon Cognito for authentication and security. If you would like to learn more, check out our articles on Cloud Computing Infrastructure and Cloud Architecture. Learn more about Big DataMicrosoft AzureAWS and Google Cloud.

Recommended Reading:

Explore our Coding Ninjas Library and upvote our blog to help other ninjas grow. Happy Coding!

Next article
AWS Cloud Directory
Live masterclass