Customer identity management - AWS Prescriptive Guidance

Customer identity management

Customer identity and access management (CIAM) is a technology that allows organizations to manage customer identities. It provides security and an enhanced user experience for signing up, signing in, and accessing consumer applications, web portals, or digital services offered by an organization. CIAM helps you identify your customers, create personalized experiences, and determine the correct access they need for customer-facing applications and services. A CIAM solution can also help an organization meet compliance mandates across industry regulatory standards and frameworks. For more information, see What is CIAM? on the AWS website.

Amazon Cognito is an identity service for web and mobile applications that provides CIAM capabilities to businesses of any scale. Amazon Cognito includes a user directory, an authentication server, and an authorization service for OAuth 2.0 access tokens, and can also provide temporary AWS credentials. You can use Amazon Cognito to authenticate and authorize users from the built-in user directory, from a federated identity provider such as your enterprise directory, or from social identity providers such as Google and Facebook.

The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your web and mobile application users. Identity pools provide temporary AWS credentials to grant your users access to other AWS services.

When to use Amazon Cognito

Amazon Cognito is a good choice when you require a secure and cost-effective user management solution for your web and mobile applications. Here are some scenarios where you might decide to use Amazon Cognito:

  • Authentication. If you're prototyping an application or want to implement user login functionality quickly, you can use Amazon Cognito's user pools and hosted UI to speed up development. You can focus on your core application features while Amazon Cognito handles user sign-up, sign-in, and security.

    Amazon Cognito supports various authentication methods, including usernames and passwords, social identity providers, and enterprise identity providers through SAML and OpenID Connect (OIDC).

  • User management. Amazon Cognito supports user management, including user registration, verification, and account recovery. Users can sign up and sign in with their preferred identity provider, and you can customize the registration process according to your application's requirements.

  • Secure access to AWS resources. Amazon Cognito integrates with IAM to provide fine-grained access control to AWS resources. You can define IAM roles and policies to control access to AWS services based on user identity and group membership.

  • Federated identity. Amazon Cognito supports federated identity, which allows a user to sign in by using their existing social or enterprise identities. This eliminates the need for users to create new credentials for your application, so it enhances the user experience and reduces friction during the sign-up process.

  • Mobile and web applications. Amazon Cognito is well-suited for both mobile and web applications. It provides SDKs for various platforms, and makes it easy to integrate authentication and access control into your application code. It supports offline access and synchronization for mobile applications, so users can access their data even when they're offline.

  • Scalability. Amazon Cognito is a highly available and fully managed service that can scale to millions of users. It processes more than 100 billion authentications per month.

  • Security. Amazon Cognito has several built-in security features, such as encryption of sensitive data, multi-factor authentication (MFA), and protection against common web attacks such as cross-site scripting (XSS) and cross-site request forgery (CSRF). Amazon Cognito also provides advanced security features such as adaptive authentication, checking for usage of compromised credentials, and access token customization.

  • Integration with existing AWS services. Amazon Cognito integrates seamlessly with AWS services. This can simplify development and streamline user management for functionality that relies on AWS resources.

The following diagram illustrates some of these scenarios.

Using Amazon Cognito as a customer identity and access management (CIAM) solution
  1. The application authenticates with Amazon Cognito user pools and gets tokens.

  2. The application uses Amazon Cognito identity pools to exchange tokens for AWS credentials.

  3. The application accesses AWS services with credentials.

We recommend that you use Amazon Cognito whenever you need to add user authentication, authorization, and user management capabilities to your web or mobile applications, especially when you have multiple identity providers, require secure access to AWS resources, and have scalability requirements.

Design considerations
  • Create an Amazon Cognito user pool or identity pool based on your requirements.

  • Don't update the user profile too frequently (for example, with every sign-in request). If an update is required, store the updated attributes in an external database such as Amazon DynamoDB.

  • Don't use Amazon Cognito for workforce identity management.

  • Your application should always validate JSON Web Tokens (JWTs) before trusting them, by verifying their signature and validity. This validation should be done on the client side, without sending API calls to the user pool. After the token is verified, you can trust the claims in the token and use them instead of making additional getUser API calls. For more information, see Verifying a JSON Web Token in the Amazon Cognito documentation. You can also use additional JWT libraries for token verification.

  • Enable Amazon Cognito's advanced security features only if you aren't using a CUSTOM_AUTH flow, AWS Lambda triggers for custom authentication challenges, or federated sign-in. For considerations and limitations around advanced security features, see the Amazon Cognito documentation.

  • Enable AWS WAF to protect Amazon Cognito user pools by using rate-based rules and combining multiple request parameters. For more information, see the AWS blog post Protect your Amazon Cognito user pool with AWS WAF.

  • If you want an extra layer of protection, use an Amazon CloudFront proxy for additional processing and validation of incoming requests, as explained in the AWS blog post Protect public clients for Amazon Cognito by using an Amazon CloudFront proxy.

  • All API calls after user sign-in should be made from backend services. For example, use AWS WAF to deny client calls to UpdateUserAttributes, and call AdminUpdateUserAttributes from the application backend instead to update the user attribute.

  • When you create a user pool, you choose how users will sign in, for example, with a username, email address, or phone number. This configuration cannot be changed after the user pool is created. Similarly, custom attributes cannot be changed or removed after they are added to the user pool.

  • We recommend that you enable multi-factor authentication (MFA) in your user pool.

  • Amazon Cognito doesn't currently provide built-in backup or export functions. To back up or export your users' data, you can use the Amazon Cognito Profiles Export Reference Architecture.

  • Use IAM roles for general access to AWS resources. For fine-grained authorization requirements, use Amazon Verified Permissions. This permission management service natively integrates with Amazon Cognito. You can also use access token customization to enrich application-specific claims in order to determine the level of access and content available to the user. If your application uses Amazon API Gateway as an entry point, use the Amazon Cognito feature to secure Amazon API Gateway by using Amazon Verified Permissions. This service manages and evaluates granular security policies that reference user attributes and groups. You can ensure that only users in authorized Amazon Cognito groups have access to the application's APIs. For more information, see the article Protect API Gateway with Amazon Verified Permissions on the AWS Community website.

  • Use AWS SDKs to access user data from the backend by calling and retrieving user attributes, statuses, and group information. You can store custom app data in Amazon Cognito's user attributes and keep it synchronized across devices.

The following sections discuss three patterns for integrating Amazon Cognito with other AWS services: Application Load Balancers, Amazon API Gateway, and Amazon OpenSearch Service.

Integration with an Application Load Balancer

You can configure an Application Load Balancer with Amazon Cognito to authenticate application users, as illustrated in the following diagram.

Configuring an Application Load Balancer with Amazon Cognito for identification management

By configuring the HTTPS listener default rule, you can offload user identification to the Application Load Balancer and create an automatic authentication process. For details, see How do I set up an Application Load Balancer to authenticate users through an Amazon Cognito user pool in the AWS Knowledge Center. If your application is hosted on Kubernetes, see the AWS blog post How to use Application Load Balancer and Amazon Cognito to authenticate users for your Kubernetes web apps.

Integration with Amazon API Gateway

Amazon API Gateway is a fully managed, cloud-based API gateway service that makes it easy to create, publish and manage APIs at scale. It is an entry point for user traffic into the backend services. You can integrate Amazon Cognito with API Gateway to implement authentication and access control, either to protect the APIs from misuse or for any other security or business use case. You can implement authentication and access control to secure API Gateway APIs by using an Amazon Cognito authorizer, Amazon Verified Permissions, or a Lambda authorizer. The following table describes how these three approaches support authorization.

Authorizer type: Amazon Cognito authorizer
Supported authorization:
  • Access token: scopes
  • ID token: validity

Authorizer type: Verified Permissions – Lambda authorizer
Supported authorization:
  • Verified Permissions performs token validation (signature, expiry) for the configured token.
  • Access token: any simple attribute, complex attributes, scopes, or groups.
  • ID token: any simple attribute, complex attributes, scopes, or groups.
  • Policies can also use contextual data for zero trust authorization (for example, IP address, request context, or device fingerprint).

Authorizer type: Custom Lambda authorizer
Supported authorization:
  • You can implement a custom token validation and authorization scheme.

Amazon Cognito authorizer

You can integrate Amazon Cognito with API Gateway to implement authentication and access control, as illustrated in the following diagram. The Amazon Cognito authorizer validates the JSON Web Token (JWT) generated by Amazon Cognito and authorizes requests based on custom scopes in the access token or a valid ID token. To learn more about the implementation, see How do I set up an Amazon Cognito user pool as an authorizer on an API Gateway REST API? in the AWS Knowledge Base.

Using an Amazon Cognito authorizer with API Gateway for identification management

Verified Permissions – Lambda authorizer

You can use Amazon Verified Permissions to integrate Amazon Cognito or your own identity provider with API Gateway for authentication and fine-grained access control. Verified Permissions supports ID and access token validation from Amazon Cognito or any OpenID Connect (OIDC) provider and can authorize access based on simple token attributes, complex token attributes (such as arrays or JSON structures), scopes, and group memberships. To get started securing API Gateway REST APIs by using Verified Permissions, see the AWS security blog post Authorize API Gateway APIs using Amazon Verified Permissions with Amazon Cognito or bring your own identity provider and the video Amazon Verified Permissions – Quick Start Overview and Demo.

Using a Verified Permissions Lambda authorizer with API Gateway for identification management

Lambda authorizer

You can use an AWS Lambda authorizer to implement a custom authorization scheme. Your scheme can use request parameters to determine the caller's identity or use a bearer token authentication strategy such as OAuth or SAML. This option provides the maximum flexibility but requires you to code the logic for securing your APIs. For more information, see Use API Gateway Lambda authorizers in the API Gateway documentation.

Integration with Amazon OpenSearch Service

You can use Amazon Cognito to secure Amazon OpenSearch Service domains. For example, a user might need access to OpenSearch Dashboards from the internet, as illustrated in the following diagram. In this scenario, Amazon Cognito can provide access permissions, including fine-grained permissions, by mapping Amazon Cognito groups and users to internal OpenSearch Service permissions. For more information, see Configuring Amazon Cognito authentication for OpenSearch Dashboards in the OpenSearch Service documentation.

Using Amazon Cognito to secure Amazon OpenSearch Service domains