Amazon Cognito
Amazon Cognito is a fully managed AWS service that provides authentication, authorization, and user management for web and mobile applications. It is a critical component within Domain 4: Identity and Access Management of the AWS Certified Security – Specialty (SCS-C02) exam.
Amazon Cognito consists of two primary components:
1. **User Pools**: These are user directories that provide sign-up and sign-in functionality. User Pools handle user registration, authentication, and account recovery. They support multi-factor authentication (MFA), password policies, and integration with external identity providers (IdPs) such as Google, Facebook, Amazon, Apple, and SAML 2.0/OIDC-based providers. Upon successful authentication, User Pools issue JSON Web Tokens (JWTs), including ID tokens, access tokens, and refresh tokens.
2. **Identity Pools (Federated Identities)**: These provide temporary AWS credentials to users, enabling them to access AWS services like S3 or DynamoDB directly. Identity Pools support both authenticated users (from User Pools or external IdPs) and unauthenticated (guest) users. They leverage AWS STS to assign IAM roles with fine-grained permissions.
Key security features include:
- **Advanced Security**: Adaptive authentication that detects risky sign-in attempts and can trigger additional verification.
- **Lambda Triggers**: Custom workflows at various stages of authentication, such as pre-sign-up validation, custom authentication challenges, and post-confirmation actions.
- **Token Management**: Short-lived tokens with configurable expiration for enhanced security.
- **Encryption**: Data encryption at rest and in transit.
- **Compliance**: Supports HIPAA, SOC, and PCI DSS compliance requirements.
For the SCS-C02 exam, understanding how Cognito integrates with API Gateway, ALB, and other AWS services is essential. Cognito authorizers can secure API Gateway endpoints, while Identity Pools enable least-privilege access to AWS resources through IAM role mapping. Knowing when to use User Pools versus Identity Pools, and how to implement secure federation patterns, is fundamental for exam success.
Amazon Cognito: Complete Guide for AWS Security Specialty Exam
Why Amazon Cognito Is Important
Amazon Cognito is a critical service in the AWS security ecosystem because it solves one of the most fundamental challenges in modern application development: managing user identity and access at scale. In the context of the AWS Security Specialty exam, Cognito represents the intersection of identity management, authentication, authorization, and federation — all core domains tested extensively. Understanding Cognito is essential because it is AWS's primary service for adding sign-up, sign-in, and access control to web and mobile applications, enabling secure access to AWS resources without requiring users to have IAM accounts.
What Is Amazon Cognito?
Amazon Cognito is a fully managed identity service that provides two major components:
1. Cognito User Pools
A User Pool is a user directory in Amazon Cognito. It provides sign-up and sign-in functionality for your application users. Key features include:
- User registration and sign-in: Users can register with an email, phone number, or username and sign in directly.
- Built-in sign-in UI: A customizable hosted UI for authentication flows.
- Social and enterprise identity federation: Users can sign in through third-party identity providers (IdPs) such as Google, Facebook, Amazon, Apple, or SAML 2.0 and OpenID Connect (OIDC) providers.
- Multi-Factor Authentication (MFA): Supports SMS-based and TOTP-based MFA.
- Advanced security features: Adaptive authentication, compromised credentials detection, and account takeover protection.
- Lambda triggers: Customizable workflows at various points in the authentication flow (pre-sign-up, post-confirmation, pre-token generation, custom authentication, migrate user, etc.).
- Token management: User Pools issue JSON Web Tokens (JWTs) — specifically an ID token, an access token, and a refresh token.
2. Cognito Identity Pools (Federated Identities)
Identity Pools provide temporary AWS credentials to users so they can access AWS services directly. Key features include:
- Federated identity: Users can authenticate through Cognito User Pools, social IdPs, SAML IdPs, OIDC IdPs, or even custom developer-authenticated identities.
- Unauthenticated access: Supports guest access with limited permissions by providing temporary credentials to unauthenticated users.
- IAM role mapping: Maps authenticated and unauthenticated users to different IAM roles, enabling fine-grained access control to AWS resources.
- Role-based and attribute-based access control: Supports mapping claims from identity tokens to IAM policy variables for granular permissions.
How Amazon Cognito Works
Authentication Flow with User Pools:
1. A user accesses your application and initiates sign-in.
2. The application redirects the user to the Cognito User Pool (either via the hosted UI or using the Cognito API/SDK).
3. The user provides credentials (username/password, or federated sign-in via a third-party IdP).
4. If MFA is enabled, the user completes the MFA challenge.
5. Cognito validates the credentials and returns three JWTs: an ID token (contains user identity claims), an access token (contains authorization scopes), and a refresh token (used to obtain new ID and access tokens without re-authentication).
6. The application uses the ID token to identify the user and the access token to authorize API calls (e.g., to API Gateway).
Authorization Flow with Identity Pools:
1. The user authenticates and receives tokens from a User Pool (or another IdP).
2. The application passes the token to the Cognito Identity Pool.
3. The Identity Pool validates the token with the IdP and returns temporary AWS credentials (access key, secret key, session token) via AWS STS.
4. The application uses these temporary credentials to access AWS services (S3, DynamoDB, etc.) directly.
5. The IAM role associated with the Identity Pool defines what the user can do.
Key Concepts to Understand:
- User Pools vs. Identity Pools: User Pools handle authentication (who are you?). Identity Pools handle authorization to AWS resources (what can you access?). They are often used together but serve distinct purposes.
- Token types: ID tokens contain user attributes and claims. Access tokens contain scopes and are used for API authorization. Refresh tokens are long-lived and used to get new short-lived tokens.
- Lambda Triggers: These allow you to customize authentication workflows. Common triggers include Pre Sign-up (validate or auto-confirm users), Pre Authentication (custom validation), Post Authentication (logging/analytics), Pre Token Generation (modify token claims), Custom Message (customize emails/SMS), Define Auth Challenge and Create Auth Challenge (custom authentication flows), and User Migration (migrate users from a legacy system on-the-fly).
- SAML 2.0 Federation: Cognito User Pools can act as a service provider (SP) for SAML 2.0 identity providers, enabling enterprise SSO scenarios.
- ALB Integration: Application Load Balancers can directly integrate with Cognito User Pools to authenticate users before routing requests to backend targets.
- API Gateway Integration: Cognito User Pools can serve as an authorizer for API Gateway, validating JWTs before allowing access to API resources.
- Hosted UI and Custom Domains: Cognito provides a hosted UI that supports OAuth 2.0 flows (authorization code grant, implicit grant, client credentials grant). You can configure a custom domain for the hosted UI.
- Resource Servers: You can define resource servers in Cognito with custom scopes to implement fine-grained authorization for your APIs.
- Groups: Users can be organized into groups within a User Pool, and groups can be mapped to IAM roles in Identity Pools for role-based access control.
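An added example (not code from the page or from AWS) of the claim checks a backend should apply to a User Pool JWT once its RS256 signature has been verified against the pool's JWKS; that signature step is assumed to be done by a JWT library and is not shown. The pool id, app client id and sample tokens are constructed placeholders.

```python
import base64
import json
import time
from typing import Optional

# Placeholder values for this example; real ones come from your own User Pool.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"   # placeholder pool id
APP_CLIENT_ID = "1example23456789"   # placeholder app client id
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_sample_token(claims: dict) -> str:
    """Construct a token with a dummy signature, for local testing of the claim checks only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'example-kid'})}.{enc(claims)}.dummy-signature"

def validate_cognito_claims(token: str, expected_use: str, now: Optional[float] = None) -> dict:
    """Claim checks for a User Pool JWT whose RS256 signature has already been
    verified against the pool's JWKS. expected_use is "id" or "access"."""
    now = time.time() if now is None else now
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") != "RS256":
        raise ValueError("User Pool tokens are RS256; reject anything else")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("token was not issued by this User Pool")
    if claims.get("token_use") != expected_use:
        raise ValueError(f"expected a {expected_use} token, got {claims.get('token_use')!r}")
    # ID tokens name the app client in 'aud'; access tokens name it in 'client_id'.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != APP_CLIENT_ID:
        raise ValueError("token was issued for a different app client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token has expired")
    return claims

def is_valid_cognito_token(token: str, expected_use: str, now: Optional[float] = None) -> bool:
    # Boolean wrapper for callers that only need accept/reject.
    try:
        validate_cognito_claims(token, expected_use, now)
        return True
    except ValueError:
        return False
```

The `token_use` check matters in practice: an ID token presented to an API that expects an access token must be rejected even though both are validly signed by the same pool.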
Advanced Security Features:
- Adaptive Authentication: Cognito evaluates risk factors (device, location, IP address) for each sign-in attempt and can require additional verification for high-risk sign-ins or block them entirely.
- Compromised Credentials Detection: Cognito checks if user credentials have been compromised in public data breaches and can block sign-in or require password changes.
- Advanced security metrics: Published to CloudWatch for monitoring.
Security Best Practices:
- Always enable MFA, preferably TOTP over SMS.
- Use the authorization code grant flow with PKCE for mobile and SPA applications instead of the implicit grant.
- Configure strong password policies.
- Enable advanced security features for risk-based adaptive authentication.
- Use Lambda triggers to implement custom security logic.
- Apply least-privilege IAM roles for Identity Pool authenticated and unauthenticated users.
- Set appropriate token expiration times.
- Use AWS WAF with the Cognito hosted UI to protect against common web attacks.
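An added example, not from the page or from AWS, of the authorization code grant with PKCE against the Hosted UI: the S256 code challenge, the /oauth2/authorize request and the form body for the /oauth2/token exchange. The Hosted UI domain, app client id and redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values; use your own Hosted UI domain, app client id and callback URL.
HOSTED_UI_DOMAIN = "https://example-auth.auth.us-east-1.amazoncognito.com"
APP_CLIENT_ID = "1example23456789"
REDIRECT_URI = "https://app.example.com/callback"

def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636, S256)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """High-entropy verifier of 43..128 unreserved characters; it never leaves the client."""
    return secrets.token_urlsafe(64)   # 86 characters

def authorize_url(code_challenge: str, state: str) -> str:
    """Hosted UI /oauth2/authorize request for the authorization code grant with PKCE.
    Only the challenge goes over the wire; the verifier stays with the client."""
    params = {
        "response_type": "code",          # never "token": that is the implicit grant
        "client_id": APP_CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,                   # binds the callback to this session (CSRF)
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    return f"{HOSTED_UI_DOMAIN}/oauth2/authorize?{urlencode(params)}"

def token_request_body(code: str, code_verifier: str) -> dict:
    """Form fields for POST {HOSTED_UI_DOMAIN}/oauth2/token after the callback returns 'code'.
    Cognito recomputes S256(code_verifier) and rejects it if it differs from the stored challenge."""
    return {
        "grant_type": "authorization_code",
        "client_id": APP_CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    }
```

Because the code is useless without the verifier, a code intercepted on the redirect cannot be exchanged for tokens, which is the reason PKCE replaces the implicit grant for SPAs and mobile apps.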
Common Architectures:
- Web/Mobile App Authentication: User Pool for authentication → Identity Pool for AWS resource access.
- API Authorization: User Pool issues tokens → API Gateway uses Cognito Authorizer to validate tokens → Backend Lambda processes request.
- Enterprise SSO: Corporate IdP (SAML 2.0/OIDC) → Cognito User Pool federation → Application access.
- ALB Authentication: User request → ALB with Cognito User Pool authentication → Backend targets (only authenticated users reach your app).
Exam Tips: Answering Questions on Amazon Cognito
1. Distinguish User Pools from Identity Pools: This is the most commonly tested concept. If the question asks about authentication (sign-up, sign-in, user management, tokens), think User Pools. If the question asks about granting temporary AWS credentials to access AWS services like S3 or DynamoDB, think Identity Pools. Many scenarios require both working together.
2. Federation scenarios: When you see questions about allowing social login (Google, Facebook), SAML-based enterprise SSO, or OIDC federation, Cognito User Pools with federation is typically the answer. If the question involves providing direct AWS resource access after federation, Identity Pools are also needed.
3. Unauthenticated access: If a question mentions allowing guest users or anonymous users limited access to AWS resources, the answer is Cognito Identity Pools with unauthenticated roles enabled.
4. API Gateway authorization: When questions mention securing API Gateway endpoints with user authentication, think Cognito User Pool Authorizer. This is different from IAM authorization or Lambda authorizers. Cognito authorizers validate JWT tokens from User Pools.
5. ALB integration: If a question involves authenticating users at the load balancer level before they reach the application, think ALB with Cognito User Pool integration. Remember this works with the OIDC-compliant authentication flow.
6. Lambda triggers: If a question asks about customizing the authentication flow (e.g., migrating users, adding custom claims, implementing custom challenges), think Cognito Lambda triggers. Know the specific triggers: Pre Token Generation for modifying token claims, User Migration for on-the-fly migration from legacy systems, and Custom Authentication for implementing challenge-based auth.
7. MFA questions: Cognito supports SMS MFA and TOTP MFA. For exam purposes, TOTP is preferred over SMS due to SMS interception risks. Cognito can require MFA for all users or make it optional/adaptive.
8. Watch for distractors: IAM users and roles are not the right answer for end-user authentication in web/mobile apps — that is Cognito's domain. Similarly, if a question mentions millions of users or external users, Cognito (not IAM) is almost always the correct answer.
9. Token handling: Remember that User Pools issue JWTs (ID token, access token, refresh token). ID tokens are for identity. Access tokens are for authorization (scopes). Refresh tokens are for getting new tokens. Tokens are signed but not encrypted by default.
10. Attribute-based access control (ABAC): If a question asks about granting different levels of AWS resource access based on user attributes (department, role, tenant), think Identity Pools with role mapping rules or IAM policy variables that reference Cognito token claims.
11. Custom authentication flows: If a question describes a non-standard authentication method (biometrics, hardware tokens, custom challenges), think Custom Authentication Flow using Define Auth Challenge, Create Auth Challenge, and Verify Auth Challenge Lambda triggers.
12. User migration: If a question asks about migrating users from a legacy identity system to Cognito without forcing password resets, the answer is the User Migration Lambda trigger, which authenticates users against the old system during their first sign-in and seamlessly migrates them to Cognito.
13. Cognito Sync vs. AppSync: Cognito Sync (legacy) is for syncing user data across devices. In modern architectures, AWS AppSync with Cognito authorization is preferred. Do not confuse data sync with identity management.
14. Remember the limits: Cognito User Pools support up to 40 million users. Know that there are soft limits on request rates that can be increased. Identity Pools have separate quotas.
15. Security features in questions: If a question mentions detecting compromised credentials, risk-based authentication, or adaptive security, the answer is Cognito Advanced Security Features. These must be explicitly enabled and incur additional costs.
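An added example (not from the page or from AWS) of a custom authentication flow expressed as Define Auth Challenge and Verify Auth Challenge trigger handlers; the field names follow the Cognito trigger event shape, while make_event, the three-attempt limit and the "answer" parameter name are assumptions of this example.

```python
import hmac

MAX_CUSTOM_ATTEMPTS = 3   # assumption for this example: three tries at the custom challenge

def make_event(session: list, user_not_found: bool = False) -> dict:
    """Constructed stand-in for the event Cognito passes to the Define Auth Challenge trigger."""
    return {"request": {"session": session, "userNotFound": user_not_found}, "response": {}}

def define_auth_challenge(event: dict, context=None) -> dict:
    """Decide the next step from the challenges completed so far (request.session).
    Flow: SRP_A -> PASSWORD_VERIFIER -> CUSTOM_CHALLENGE (up to MAX_CUSTOM_ATTEMPTS)."""
    session = event["request"].get("session", [])
    response = event["response"]
    response["issueTokens"] = False
    response["failAuthentication"] = False

    if event["request"].get("userNotFound"):
        response["failAuthentication"] = True      # do not reveal whether the user exists
        return event
    if not session:
        response["challengeName"] = "SRP_A"        # verify the password before any custom step
        return event

    last = session[-1]
    if last["challengeName"] == "SRP_A":
        response["challengeName"] = "PASSWORD_VERIFIER"
    elif last["challengeName"] == "PASSWORD_VERIFIER":
        if last["challengeResult"]:
            response["challengeName"] = "CUSTOM_CHALLENGE"
        else:
            response["failAuthentication"] = True
    else:  # one or more CUSTOM_CHALLENGE rounds have been answered
        attempts = [s for s in session if s["challengeName"] == "CUSTOM_CHALLENGE"]
        if attempts[-1]["challengeResult"]:
            response["issueTokens"] = True
        elif len(attempts) >= MAX_CUSTOM_ATTEMPTS:
            response["failAuthentication"] = True
        else:
            response["challengeName"] = "CUSTOM_CHALLENGE"
    return event

def verify_auth_challenge_response(event: dict, context=None) -> dict:
    """Verify Auth Challenge trigger: compare the user's answer with the secret that the
    Create Auth Challenge trigger stored under privateChallengeParameters["answer"] (assumed key)."""
    expected = event["request"]["privateChallengeParameters"].get("answer", "")
    given = event["request"].get("challengeAnswer", "")
    # Constant-time comparison so timing does not leak how many characters matched.
    event["response"]["answerCorrect"] = hmac.compare_digest(expected.encode(), given.encode())
    return event
```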