Menu
Amazon Cognito
Developer Guide

What Is Amazon Cognito?

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.

The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together.

An Amazon Cognito user pool and identity pool used together

See the diagram for a common Amazon Cognito scenario. Here the goal is to authenticate your user, and then grant your user access to another AWS service.

  1. In the first step your app user signs in through a user pool and receives user pool tokens after a successful authentication.

  2. Next, your app exchanges the user pool tokens for AWS credentials through an identity pool.

  3. Finally, your app user can then use those AWS credentials to access other AWS services such as Amazon S3 or DynamoDB.


      Amazon Cognito overview

For more examples using identity pools and user pools, see Common Amazon Cognito Scenarios.

Amazon Cognito is compliant with SOC 1-3, PCI DSS, ISO 27001, and is HIPAA-BAA eligible. For more information, see AWS Services in Scope. See also Regional Data Considerations.

Features of Amazon Cognito

User pools

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.

User pools provide:

  • Sign-up and sign-in services.

  • A built-in, customizable web UI to sign in users.

  • Social sign-in with Facebook, Google, and Login with Amazon, and through SAML and OIDC identity providers from your user pool.

  • User directory management and user profiles.

  • Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.

  • Customized workflows and user migration through AWS Lambda triggers.

For more information about user pools, see Getting Started with User Pools and the Amazon Cognito User Pools API Reference.

Identity pools

With an identity pool, your users can obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB. Identity pools support anonymous guest users, as well as the following identity providers that you can use to authenticate users for identity pools:

  • Amazon Cognito user pools

  • Social sign-in with Facebook, Google, and Login with Amazon

  • OpenID Connect (OIDC) providers

  • SAML identity providers

  • Developer authenticated identities

To save user profile information, your identity pool needs to be integrated with a user pool.

For more information about identity pools, see Getting Started with Amazon Cognito Identity Pools (Federated Identities) and the Amazon Cognito Identity Pools API Reference.

Getting Started with Amazon Cognito

For a guide to top tasks and where to start, see Getting Started with Amazon Cognito.

For videos, articles, documentation, and sample apps, see Amazon Cognito Developer Resources.

To use Amazon Cognito, you need an AWS account. For more information, see Using the Amazon Cognito Console.

Pricing for Amazon Cognito

For information about Amazon Cognito pricing, see Amazon Cognito Pricing.