Amazon Cognito: What It Is and When to Use It

Definition

Amazon Cognito is a managed customer identity and access management (CIAM) service that handles sign-up, sign-in, social/enterprise federation, multi-factor authentication, and the exchange of user identities for temporary AWS credentials. It is composed of two distinct products that are often used together: User Pools (a user directory with authentication and JWT issuance) and Identity Pools (an STS credential broker that maps authenticated or guest identities to IAM roles).

Cognito is AWS's answer to "I need sign-up/sign-in for my web or mobile app, and I don't want to run Keycloak or build on top of raw IAM." It scales to tens of millions of monthly active users (MAUs) and integrates with API Gateway, Application Load Balancer, AppSync, and any service that accepts a JWT.

How It Works

User Pools

A User Pool is a user directory. It stores usernames, passwords, custom attributes, verified email/phone, and MFA settings. It offers:

  • Sign-up and sign-in via email, phone, username, or custom aliases; password policies are configurable.
  • Hosted UI — an AWS-hosted OAuth 2.0 / OpenID Connect authorization server with customizable branding.
  • Federation — SAML 2.0 (for corporate IdPs) and OIDC (Google, Facebook, Apple, Amazon, or any OIDC provider), mapped into the User Pool's user directory.
  • MFA — SMS, TOTP, or passkeys (WebAuthn); can be required, optional, or adaptive (risk-based).
  • JWT tokens — on successful sign-in, Cognito issues an ID token, an access token, and a refresh token. The ID and access tokens are RS256-signed with pool-specific RSA keys whose public halves are published under the pool's issuer URL at /.well-known/jwks.json.
  • Lambda triggers — hooks at pre-signup, post-confirmation, pre-authentication, post-authentication, pre-token-generation, and more, enabling custom flows (SSO to legacy systems, adding custom claims, custom email/SMS via SES/SNS).
  • Advanced security features — compromised-credential detection (checking against known-breached password lists), adaptive authentication (step-up MFA on risky sign-ins), and rich audit events.

Identity Pools

An Identity Pool (federated identities) converts an authenticated identity — from a User Pool, a SAML/OIDC IdP, Login with Amazon/Apple/Google/Facebook, or even a guest — into temporary AWS credentials via sts:AssumeRoleWithWebIdentity. You map identity provider + user attributes to IAM roles, enabling fine-grained per-user access to S3 buckets, DynamoDB tables, or any AWS API — without ever deploying a backend.

User Pools and Identity Pools are independent and often used together: the User Pool authenticates the user and returns a JWT; the Identity Pool trades that JWT for AWS credentials scoped to an IAM role.

Key Features and Limits

  • Up to 40 million users per User Pool (soft quota, raisable).
  • Token lifetimes — ID and access tokens: 5 minutes to 24 hours (default 1 hour). Refresh tokens: 60 minutes to 10 years (default 30 days).
  • Lambda triggers — 12+ hook points covering the full auth lifecycle.
  • MFA options — SMS text messages, Time-based One-Time Passwords (TOTP), passkeys (WebAuthn / FIDO2).
  • Federation — SAML 2.0, OIDC, and built-in social providers (Google, Facebook, Amazon, Apple).
  • User pool domains — either a custom domain (auth.example.com with an ACM certificate) or a Cognito-provided <prefix>.auth.<region>.amazoncognito.com.
  • Advanced security features (ASF) — priced per MAU separately; includes compromised credentials detection and adaptive auth.
  • Rate limits — category-based (e.g., UserAuthentication category 120 req/s per account per Region; raisable).
  • Integration points — API Gateway JWT authorizers, ALB authenticate-cognito action, AppSync authentication, Verified Permissions (AVP) for policy-based authorization.

Common Use Cases

  1. Web and mobile app user auth — sign-up/sign-in, social logins, password reset, email verification, MFA — without rolling your own auth service.
  2. B2B SaaS with SSO — SAML/OIDC federation from customer IdPs (Okta, Azure AD) so enterprise users sign in with their corporate accounts.
  3. API authorization — API Gateway REST and HTTP APIs validate Cognito-issued JWTs via a built-in authorizer.
  4. Direct-to-AWS mobile apps — Identity Pool trades the JWT for scoped IAM credentials so a mobile client can upload to S3 or write to DynamoDB directly.
  5. Serverless web apps — Amplify Auth uses Cognito under the hood for Next.js / React / Vue / iOS / Android apps.
  6. ALB-protected internal apps — Application Load Balancer's authenticate-cognito action gates any downstream app (ECS, EC2) behind Cognito sign-in.

Pricing Model

Cognito is priced primarily per monthly active user (MAU) with tiered discounts:

  • User Pools — MAU-based tiers starting at $0.0055 per MAU (first 50,000 free for Cognito-managed users since the 2024 pricing update; higher free tier for SAML/OIDC federated users under specific plans). Advanced Security Features cost extra (~$0.050/MAU).
  • Identity Pools — free; you pay for the downstream AWS services the issued credentials touch.
  • SMS charges — SMS MFA and verification messages are billed via Amazon SNS (per-message destination-country pricing). Email verification can use SES.

A free tier covers small workloads. Always check the current Cognito pricing page — AWS revised the free-tier structure in late 2024, distinguishing between Cognito-stored users, SAML/OIDC-federated users, and M2M clients.

Pros and Cons

Pros

  • Turnkey CIAM — sign-up, sign-in, MFA, password reset, and hosted UI in days, not months.
  • Native AWS integration: API Gateway JWT authorizer, ALB, AppSync, Amplify, Verified Permissions.
  • Identity Pools make direct-to-AWS mobile apps possible without a backend.
  • Lambda triggers offer deep customization without leaving the managed service.

Cons

  • Hosted UI customization is limited compared with Auth0 / Okta CIC.
  • Error messages from failed sign-ins are sometimes vague; debugging OIDC/SAML federation typically requires reading CloudTrail + CloudWatch carefully.
  • Historically has had feature gaps (e.g., no passwordless by default until the 2024 passkey release).
  • Advanced security features and SMS can meaningfully increase the bill at scale.

Comparison with Alternatives

| Feature | Amazon Cognito | Auth0 / Okta CIC | Firebase Authentication |
| --- | --- | --- | --- |
| Cloud tie-in | AWS-native | Multi-cloud | Google Cloud |
| Direct-to-cloud credentials | Identity Pools → STS | Needs custom broker | Firebase rules |
| Pricing model | MAU tiered | MAU tiered | MAU tiered |
| Customization | Lambda triggers | Rules / Actions engine | Cloud Functions triggers |
| Best for | AWS-heavy apps, serverless, Amplify | Cross-cloud, rich branding, B2B CIAM | Mobile + Google Cloud apps |

Exam Relevance

Cognito is commonly tested on:

  • Solutions Architect Associate (SAA-C03) — choosing User Pool vs Identity Pool; gating APIs with Cognito; federating SAML IdPs.
  • Developer Associate (DVA-C02) — JWT authorizers on API Gateway, Amplify Auth, Lambda triggers, refresh token flows.
  • Security Specialty (SCS-C02) — federated identity patterns, advanced security features, MFA choices, mapping JWT claims to IAM roles via Identity Pools.
  • Machine Learning and Data Engineer tracks occasionally reference Cognito for securing APIs in front of ML endpoints.

Classic exam trap: candidates conflate User Pools (authentication → JWTs) with Identity Pools (federated identities → AWS credentials). A question about letting a mobile app call DynamoDB directly with per-user row-level access is answered by Identity Pool + IAM role with condition keys like cognito-identity.amazonaws.com:sub — not a User Pool alone. Conversely, a question about securing an API Gateway endpoint with sign-in is answered by a User Pool with a JWT authorizer.
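The Identity Pool pattern from the paragraph above, as an added configuration example (not taken from AWS documentation or any project): the two IAM policy documents that together give a mobile client per-user row access to one DynamoDB table. The identity pool ID, account ID and table name are placeholders; the trust policy pins the role to one identity pool and to authenticated (not guest) identities, and the permissions policy lets a caller touch only items whose partition key equals their identity ID.

```json
{
  "TrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Federated": "cognito-identity.amazonaws.com" },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "cognito-identity.amazonaws.com:aud": "us-east-1:IDENTITY-POOL-ID-PLACEHOLDER"
          },
          "ForAnyValue:StringLike": {
            "cognito-identity.amazonaws.com:amr": "authenticated"
          }
        }
      }
    ]
  },
  "PermissionsPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "dynamodb:GetItem",
          "dynamodb:PutItem",
          "dynamodb:UpdateItem",
          "dynamodb:DeleteItem",
          "dynamodb:Query"
        ],
        "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/USER-TABLE-PLACEHOLDER",
        "Condition": {
          "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [ "${cognito-identity.amazonaws.com:sub}" ]
          }
        }
      }
    ]
  }
}
```

Note that `cognito-identity.amazonaws.com:sub` resolves to the Identity Pool identity ID (of the form `<region>:<uuid>`), not the User Pool `sub` claim, so the table's partition key must store the identity ID for the condition to match. Without the `aud` condition in the trust policy, any identity pool in any account could assume the role.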

Frequently Asked Questions

Q: What is the difference between a Cognito User Pool and an Identity Pool?

A: A User Pool is a user directory that handles sign-up, sign-in, MFA, password reset, and federation, and issues OIDC-compliant JWTs (ID token, access token, refresh token). An Identity Pool is a credential broker that exchanges a token from a User Pool — or any supported IdP, including SAML, OIDC, Facebook, Google, Apple, or guest — for temporary AWS credentials via sts:AssumeRoleWithWebIdentity. Use a User Pool for app sign-in and API authorization; use an Identity Pool when clients must call AWS APIs directly with scoped IAM roles.

Q: How does Cognito compare to Auth0 and Firebase Authentication?

A: Cognito excels when your app lives on AWS: it ships with hosted UI, Lambda triggers, API Gateway/ALB/AppSync integrations, and Identity Pools for direct-to-AWS credentials. Auth0 / Okta Customer Identity Cloud is multi-cloud-friendly with a richer rules/actions engine, deeper extensibility, and more polished branding — but costs more per MAU and lacks a native IAM role broker. Firebase Authentication is best when you're already on Google Cloud / Firebase; it integrates tightly with Firestore security rules but doesn't federate to AWS. For AWS-heavy workloads, Cognito almost always wins on cost and integration; Auth0 often wins for complex B2B CIAM across multiple clouds.

Q: Can I customize Cognito's sign-in flow?

A: Yes, via Lambda triggers. You can hook pre-signup (e.g., whitelist email domains), post-confirmation (create a row in your DB), pre-authentication (block certain conditions), pre-token-generation (inject custom claims), custom message (override verification emails), and custom auth challenges (build passwordless or MFA flows). For client-side look-and-feel, the Hosted UI supports a custom domain, CSS, and logo; for deeper UI control, skip the Hosted UI and call the Cognito APIs directly from your frontend or use the Amplify Auth libraries.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official Amazon Cognito documentation before making production decisions.

Published: 4/17/2026
