Features
- Secure user directory - The user pool of the application is built and managed by AWS. The secure user directory can handle millions of users and is easy to set up.
- Social identity federation - Users can sign in through social identity providers such as Google, Facebook, or Apple, which gives them a familiar sign-in experience.
- Multi-factor authentication - Clients can enable two-factor authentication to provide a secure environment for their users. Confirmation emails and text messages can be sent to users for authentication. Data sent is encrypted by AWS Amplify.
- Customisable built-in UI - AWS Cognito provides a built-in, customisable user interface. This reduces the frontend workload, as forms for sign-in, sign-up, password recovery, federated authentication, and MFA (Multi-Factor Authentication) are built in.
- Access control - AWS users can define roles and map authenticated users to specific roles. This enables access control over application resources and distinguishes an authenticated user from one who has not signed in.
User Pools
User pools are user directories in Amazon Cognito. Application users can sign in to the web or mobile app through Amazon Cognito or through a third-party identity provider (IdP). All members of the user pool have a directory profile that the owner can access through an SDK. User pools can check for compromised credentials, provide email or phone-based verification, and offer multifactor authentication for additional security.
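A user pool issues JWTs (ID and access tokens) to signed-in users, and a back end must check their claims before trusting them. The following added example (not code from the original article or from AWS) shows the claim checks specific to Cognito tokens: issuer derived from the Region and pool ID, `token_use`, the audience (`aud` for ID tokens, `client_id` for access tokens) and expiry. The pool ID, client ID and token are constructed sample values; the RS256 signature must still be verified against the pool's JWKS before these checks mean anything.

```python
import base64
import json
import time
# Constructed sample values (not a real pool, client or user).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789"
FIXED_NOW = 1_700_000_000  # fixed clock so the sample stays deterministic

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a compact JWS with a dummy signature, for the sample only."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummy-signature"

def decode_payload(token: str) -> dict:
    """Parse the payload segment only. This does NOT verify the signature;
    the RS256 signature must be checked against the pool's JWKS
    (<issuer>/.well-known/jwks.json) before any claim here is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def validate_cognito_claims(claims, region, user_pool_id, app_client_id,
                            expected_use="id", now=None):
    """Return the names of the checks that failed (empty list means pass)."""
    now = time.time() if now is None else now
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    failures = []
    if claims.get("iss") != issuer:
        failures.append("iss")        # minted by a different user pool
    if claims.get("token_use") != expected_use:
        failures.append("token_use")  # access token offered as an ID token, or vice versa
    # ID tokens name the app client in 'aud'; access tokens use 'client_id'.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != app_client_id:
        failures.append("audience")   # issued to a different app client
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        failures.append("exp")        # expired or malformed expiry
    return failures

SAMPLE_ID_TOKEN = make_sample_token({
    "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}",
    "aud": APP_CLIENT_ID, "token_use": "id", "sub": "constructed-sub",
    "exp": FIXED_NOW + 3600, "email": "user@example.com",
})
```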
Identity Pools
Amazon Cognito identity pools enable clients to create unique identities for their users and federate them with identity providers. Those identities can then obtain temporary, limited-privilege AWS credentials to access other AWS services. An identity pool stores user identity data specific to the client's account. With Amazon Cognito identity pools, one can create unique identities and assign permissions to their users. An identity pool may include:
- Users in an Amazon Cognito user pool
- Users who authenticate with external identity providers such as Facebook, Google or Apple
- Users authenticated via an existing authentication process
Amazon Cognito Console

Amazon Cognito offers a new console experience that makes it easier for customers to manage their user pools and add sign-in/sign-up functionalities to their applications. Navigate to the Amazon Cognito console to experience its latest features.
The console provides a streamlined experience based on customer feedback and guides the developers to enable sign-up and sign-in features for their applications. Customers can manage user pools and individual users. Direct access to help and documentation is now readily available.
Regional Availability
Amazon Cognito is available in multiple AWS Regions worldwide. In each Region, Amazon Cognito is distributed across multiple Availability Zones. These Availability Zones are physically isolated and are private. They have low latency, high throughput, and highly redundant network connections. The Availability Zones enable AWS users to access the Amazon Cognito service, with very high levels of availability and redundancy, while minimising latency.
Getting started with Amazon Cognito
Amazon Cognito requires an AWS account. Sign up here.
To set up a user pool:
- Create a user pool and follow the steps shown in the console.
- Add an app to enable the hosted web UI.
- Optionally, add social sign-in to the user pool.

To set up an identity pool:
- Create an identity pool in Amazon Cognito. Note that at least one identity is required for a valid identity pool.
- Install the Mobile or JavaScript SDK.
- Integrate the identity providers so users can log in with Facebook, Google, Apple, etc.
- Obtain the credentials with which the app can securely access a back end in AWS, or outside AWS through Amazon API Gateway.

Pricing
To create and use a User Pool, you pay based only on the applications’ monthly active users (MAUs). A user is counted as a MAU if there is an activity related to that user, such as sign-up, sign-in, token refresh, password change, or an updated user account attribute.
For users who sign in directly with their credentials from a User Pool or with social identity from Apple, Google, Facebook and Amazon, there are volume-based pricing tiers for MAUs above the free tier. The Cognito User Pool feature has a free tier of 50,000 MAUs.
For users who sign in through SAML or OIDC federation, the price for MAUs above the 50 MAU free tier is $0.015 per MAU. 50 MAUs for users federated through SAML 2.0 based identity providers are free.
The prices for advanced security features like SMS messages for Multi-Factor Authentication are in addition to the base prices for active users.
Get a detailed description of the Amazon Cognito Pricing here.
FAQs
What user profile information is supported by Cognito Identity?
Developers can use standard OpenID Connect-based user profile attributes such as user name, email, phone number, address, time zone, etc. Custom, app-specific user attributes can also be added.
What are unauthenticated users?
Unauthenticated users do not authenticate with any identity provider but access your app as a guest. A separate temporary IAM role for these users can be defined to provide limited permissions to access the backend resources.
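The identity pool role mapping described under Identity Pools and the separate, limited guest role described in this answer both come down to IAM policy. The following added example (not code from the original article or from AWS) generates the two trust policies an identity pool's roles need, pinning each role to one pool through the `aud` condition and separating authenticated from unauthenticated identities through `amr`, plus a per-user S3 policy that uses the identity-ID policy variable and a read-only guest policy. The identity pool ID and bucket names are constructed placeholders.

```python
import json
# Constructed sample identity pool ID; the real value comes from the console.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
AMR_KEY = "cognito-identity.amazonaws.com:amr"

def trust_policy(identity_pool_id: str, authenticated: bool) -> dict:
    """Trust policy for a role handed out by an identity pool. 'aud' pins the
    role to this one pool; 'amr' keeps the authenticated role and the guest
    (unauthenticated) role from being assumed by the other kind of identity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {
                    AMR_KEY: "authenticated" if authenticated else "unauthenticated"},
            },
        }],
    }

def amr_required(trust: dict) -> str:
    """Read back which identity kind a trust policy admits (useful when auditing)."""
    return trust["Statement"][0]["Condition"]["ForAnyValue:StringLike"][AMR_KEY]

def per_user_s3_policy(bucket: str) -> dict:
    """Permissions for the authenticated role: each identity is confined to its
    own prefix via the identity-ID policy variable, so one policy serves all users."""
    sub = "${cognito-identity.amazonaws.com:sub}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"private/{sub}/*"]}}},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/private/{sub}/*"},
    ]}

def guest_policy(bucket: str) -> dict:
    """Permissions for the unauthenticated role: read-only on a public prefix
    and nothing else, i.e. the limited permissions a guest should get."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/public/*"}]}

if __name__ == "__main__":
    print(json.dumps(trust_policy(IDENTITY_POOL_ID, False), indent=2))
```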
Conclusion
This article extensively discusses Amazon Cognito. We hope that this blog has helped you enhance your knowledge of the features and working of Amazon Cognito for authentication and security. If you would like to learn more, check out our articles on Cloud Computing Infrastructure and Cloud Architecture. Learn more about Big Data, Microsoft Azure, AWS and Google Cloud.