Amazon Cognito - AWS GovCloud (US)

Amazon Cognito

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple. The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together.

How Amazon Cognito Differs for AWS GovCloud (US)

The following are the differences between AWS GovCloud (US) and the standard AWS Regions.

  • Advanced Security Features for user pools are not supported in AWS GovCloud (US).

  • Amazon Pinpoint integration with user pools is not supported in AWS GovCloud (US).

  • Custom domains for user pools are not supported in AWS GovCloud (US).

The IAM roles you configure for use with Cognito identity pools must have a trust policy that allows Cognito to assume them. In AWS GovCloud (US), those policies use the cognito-identity-us-gov.amazonaws.com name for Cognito identity pools, both as the federated Principal and as the prefix of the condition keys, as shown in the example policy below.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "cognito-identity-us-gov.amazonaws.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "cognito-identity-us-gov.amazonaws.com:aud": "us-east-1:12345678-corner-cafe-123456790ab"
            },
            "ForAnyValue:StringLike": {
              "cognito-identity-us-gov.amazonaws.com:amr": "unauthenticated"
            }
          }
        }
      ]
    }
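As an added example (not code from the AWS documentation), the following Python check reviews a role trust policy for the GovCloud-specific requirements above: the federated Principal must be cognito-identity-us-gov.amazonaws.com rather than the standard-Region name, the :aud condition must pin the role to the expected identity pool, and condition keys must not carry stray whitespace. The sample policies and the identity pool ID are constructed placeholders.

```python
import json

GOVCLOUD_PRINCIPAL = "cognito-identity-us-gov.amazonaws.com"  # name shown on this page
COMMERCIAL_PRINCIPAL = "cognito-identity.amazonaws.com"       # standard-Region name
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def _as_list(value):
    # IAM accepts either a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]


def check_govcloud_trust_policy(policy_json, identity_pool_id):
    """Return findings for a trust policy meant for a GovCloud identity pool; [] means it passed."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if (stmt.get("Effect") != "Allow"
                or ASSUME_ACTION not in _as_list(stmt.get("Action", []))):
            continue  # only Allow statements for web-identity assumption are relevant
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if COMMERCIAL_PRINCIPAL in federated:
            findings.append("principal uses the standard-Region Cognito name; "
                            "GovCloud requires " + GOVCLOUD_PRINCIPAL)
        if GOVCLOUD_PRINCIPAL not in federated:
            findings.append("principal does not include " + GOVCLOUD_PRINCIPAL)
        cond = stmt.get("Condition", {})
        # A condition key with leading/trailing whitespace (a copy/paste error)
        # is not the real key, so the intended condition is never evaluated.
        for block in cond.values():
            for key in block:
                if key != key.strip():
                    findings.append("condition key %r contains stray whitespace" % key)
        aud = cond.get("StringEquals", {}).get(GOVCLOUD_PRINCIPAL + ":aud")
        if aud is None:
            findings.append("no StringEquals on :aud; role is not pinned to one identity pool")
        elif aud != identity_pool_id:
            findings.append("aud %r does not match expected pool %r" % (aud, identity_pool_id))
    return findings


# Constructed sample policies; POOL is a placeholder, not a real identity pool ID.
POOL = "us-gov-west-1:00000000-0000-0000-0000-000000000000"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": GOVCLOUD_PRINCIPAL},
    "Action": ASSUME_ACTION, "Condition": {
        "StringEquals": {GOVCLOUD_PRINCIPAL + ":aud": POOL},
        "ForAnyValue:StringLike": {GOVCLOUD_PRINCIPAL + ":amr": "unauthenticated"}}}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": COMMERCIAL_PRINCIPAL},
    "Action": ASSUME_ACTION, "Condition": {
        "StringEquals": {" " + GOVCLOUD_PRINCIPAL + ":aud": POOL}}}]})
```

Running check_govcloud_trust_policy(BAD_POLICY, POOL) reports the wrong principal, the missing GovCloud principal, the whitespace in the condition key, and the resulting absence of a usable :aud condition.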

Documentation for Amazon Cognito

Amazon Cognito documentation.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted:

  Passwords and software token MFA seeds.

ITAR-Regulated Data Not Permitted:

  Amazon Cognito metadata may be moved or stored outside of the AWS GovCloud (US) Region, or, in rare cases, accessed by certain AWS support personnel and system administrators who are not U.S. citizens.

  For example, user pool domains, custom attribute names, resource server identifiers and custom scopes may be included as part of the public Cognito sign-in and sign-up functionality.