Amazon Cognito features

What is Amazon Cognito?

Amazon Cognito lets you add user sign-up, sign-in, access control, and brokered AWS service access to your web and mobile applications within minutes. It is a developer-centric, cost-effective service that provides secure, tenant-based identity stores and federation options that can scale to millions of users. Amazon Cognito helps you create branded customer experiences, improve security, and adapt to your customers’ needs. For example, it supports login with social identity providers and passwordless login using WebAuthn passkeys or SMS and email one-time passwords. Amazon Cognito supports various compliance standards, operates on open identity standards, and integrates with an extensive catalogue of development resources and SDK libraries.

User Authentication

Developers can use a no-code visual editor to adjust how the end-user screens (such as sign-up, login, and MFA) appear. Configuration parameters include colors, positioning, alignment, text, language, backgrounds, images, logos, fonts, and layout, among others. With these configuration options, a consumer brand's styling can be closely matched, and the user experiences provided by Cognito can be more consistent and cohesive with the rest of the application.

Customers can configure Amazon Cognito to allow end users to access applications without needing to remember a password, reducing friction, improving security, and increasing user conversion. Supported passwordless authentication flows include signing in with email, signing in with phone/SMS, and signing in with passkeys. This flexibility enhances the user experience and simplifies the login process.

WebAuthn passkeys provide enhanced security by eliminating the need for passwords, reducing the risk of phishing and credential theft. They offer a seamless user experience with faster and more convenient authentication methods, such as biometrics or hardware tokens. Additionally, passkeys improve overall account security by leveraging public key cryptography, ensuring that the private key is never transmitted to or stored on servers. Amazon Cognito provides both Managed Login and API support for creating and storing up to 20 passkeys per account.

You can add an additional layer of security for your customers by enabling MFA for user accounts. Users can verify their identities using email, SMS, or a Time-based One-time Password (TOTP) generator, such as Google Authenticator. Amazon Cognito also supports the configuration of different password rules on different pools of users.

As a federation hub, Amazon Cognito enables users to log in via social identity providers, such as Apple, Facebook, Google, and Amazon, and via enterprise identity providers using SAML and OIDC. Amazon Cognito supports a variety of SAML profiles, including SAML SP-initiated flows, IdP-initiated flows, and SAML encryption. Once your users are logged into Amazon Cognito (via local authentication or external federation), they can use OAuth/OIDC to access federated resources.

Amazon Cognito allows you to build custom authentication flows that use AWS Lambda functions to authenticate users based on one or more challenge-response cycles. You can use this flow to implement bespoke authentication schemes that are based on custom challenges or use custom challenges as additional factors.

Use AWS Lambda triggers to customize Cognito behavior, including user lifecycle stages like before and after authentication and sign-up or before token issuance. You can also use Lambda triggers to customize messages that are sent to users in different stages or to integrate with third party email and SMS providers.
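The custom authentication flow described above is driven by three Lambda triggers (DefineAuthChallenge, CreateAuthChallenge and VerifyAuthChallengeResponse). The following is an added example, not code from the page or from AWS: it implements a one-time-code challenge as those three handlers, plus a small harness that replays the orchestration Cognito performs between them so the flow can be exercised offline. The event field names (`request.session`, `response.challengeName`, `privateChallengeParameters`, `challengeAnswer`, `answerCorrect`) are assumed to follow the documented trigger event shape; the three-attempt limit and the code length are constructed choices, and the out-of-band delivery of the code (email or SMS) is left out.

```python
"""Custom authentication challenge as three Cognito Lambda triggers (added example)."""
import hmac
import secrets

MAX_ATTEMPTS = 3            # assumption: end the session after three wrong answers
CODE_LENGTH = 6             # assumption: six-digit one-time code
CHALLENGE = "CUSTOM_CHALLENGE"


def define_auth_challenge(event):
    """DefineAuthChallenge trigger: choose the next step from the session history."""
    session = event["request"]["session"]
    response = event["response"]
    last = session[-1] if session else None
    if last and last["challengeName"] == CHALLENGE and last["challengeResult"]:
        # The most recent custom challenge was answered correctly: issue tokens.
        response["issueTokens"] = True
        response["failAuthentication"] = False
    elif len(session) >= MAX_ATTEMPTS:
        # Too many rounds without a correct answer: fail the sign-in.
        response["issueTokens"] = False
        response["failAuthentication"] = True
    else:
        # Ask for a (further) custom challenge round.
        response["issueTokens"] = False
        response["failAuthentication"] = False
        response["challengeName"] = CHALLENGE
    return event


def create_auth_challenge(event):
    """CreateAuthChallenge trigger: mint a fresh code for every round.

    Only a hint goes to the client via publicChallengeParameters; the code itself
    stays in privateChallengeParameters, which Cognito never returns to the client.
    In production this is also where the code would be sent by email or SMS.
    """
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    response = event["response"]
    response["publicChallengeParameters"] = {"hint": "Enter the code we sent you"}
    response["privateChallengeParameters"] = {"code": code}
    response["challengeMetadata"] = "OTP_CODE"
    return event


def verify_auth_challenge_response(event):
    """VerifyAuthChallengeResponse trigger: constant-time comparison of the answer."""
    expected = event["request"]["privateChallengeParameters"]["code"]
    answer = str(event["request"].get("challengeAnswer", ""))
    event["response"]["answerCorrect"] = hmac.compare_digest(expected, answer)
    return event


def simulate(answer_for_round):
    """Constructed harness (not Cognito code) replaying the orchestration between the triggers.

    answer_for_round(round_index, code) supplies the client's answer for each round.
    Returns ("tokens" | "failed", number_of_rounds_played).
    """
    session, round_no = [], 0
    while True:
        define_ev = {"request": {"session": list(session)}, "response": {}}
        define_auth_challenge(define_ev)
        if define_ev["response"]["issueTokens"]:
            return "tokens", round_no
        if define_ev["response"]["failAuthentication"]:
            return "failed", round_no
        create_ev = {"request": {"session": list(session),
                                 "challengeName": define_ev["response"]["challengeName"]},
                     "response": {}}
        create_auth_challenge(create_ev)
        private = create_ev["response"]["privateChallengeParameters"]
        verify_ev = {"request": {"privateChallengeParameters": private,
                                 "challengeAnswer": answer_for_round(round_no, private["code"])},
                     "response": {}}
        verify_auth_challenge_response(verify_ev)
        session.append({"challengeName": CHALLENGE,
                        "challengeResult": verify_ev["response"]["answerCorrect"],
                        "challengeMetadata": create_ev["response"]["challengeMetadata"]})
        round_no += 1


if __name__ == "__main__":
    print(simulate(lambda i, code: code))                      # correct first time
    print(simulate(lambda i, code: "wrong"))                   # never correct
    print(simulate(lambda i, code: code if i == 2 else "no"))  # correct on the third try
```

Note that the decision logic lives entirely in DefineAuthChallenge: the verify trigger only reports whether one answer matched, and the session history is what enforces the attempt limit.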

Identity Management

A customer’s first experience with your site is often through the self-registration process. Amazon Cognito provides both a customizable, pre-packaged, managed login interface to rapidly get to market and a robust set of APIs to build a fully custom self-registration solution. Users can sign up for your application using an email address, phone number, or username. The self-registration process enables users to view and update their profile data, including custom attributes. Reduce help desk calls with self-service options, such as password reset with an SMS message or email.

Amazon Cognito provides secure, tenant-based identity stores (user pools) that scale to millions of users. User pools securely store user profile data for users who sign up directly and for federated users who sign in with external identity providers.

The Amazon Cognito identity store is an API-based user repository. The repository and APIs support the storage of up to 50 custom attributes per user, support different data types, and enforce length and mutability constraints. You select the required attributes that users must provide before the sign-up process can complete.

Users can be migrated into Amazon Cognito using either a batch import or just-in-time (JIT) migration. Batch user migration uses a CSV file import process. With JIT migration, an AWS Lambda trigger integrates the migration into the sign-in workflow and can retain users' existing passwords.

Amazon Cognito enables B2B interactions with multi-tenant support. You can choose to reuse application integrations, access and password policies, or enforce complete tenant isolation.

Access Control

Amazon Cognito secures the last mile of integration with an application. AWS AppSync, Application Load Balancers (ALBs), and Amazon API Gateway have built-in policy enforcement points that grant access based on Amazon Cognito tokens and scopes.

Using the Amazon Verified Permissions quick start, customers can auto-generate permissions policies, assign role-based access control based on Cognito group memberships, and enforce fine-grained authorization. Amazon Verified Permissions has a built-in token authorizer that supports Amazon Cognito ID and access tokens, including complex token-in-a-token constructs.

The credential broker for Amazon Cognito, also known as Amazon Cognito identity pools, provides single sign-on access to AWS resources such as Amazon DynamoDB, Amazon S3 buckets, AWS Lambda serverless components, and other Amazon services. Users can be dynamically mapped to different roles to support least privilege access to a service.

Using the OAuth 2.0 client credentials flow, Amazon Cognito provides machine-to-machine authentication, securing calls between application components.

Enrich ID and access tokens with custom attributes in the form of OAuth 2.0 scopes and claims. You can make application-specific advanced authorization decisions using custom attributes in the access token. This feature also allows you to personalize end-user experiences and improve customer engagement.
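When an application makes its own authorization decisions from Cognito tokens, as the Access Control section describes, the checks that matter beyond signature verification are the claims: issuer (the right user pool), audience (the right app client), `token_use` (an ID token must not be accepted where an access token is expected), expiry, scopes, and group membership. The following is an added example, not code from the page or from AWS; it assumes the token's RS256 signature has already been verified against the user pool's JWKS with a JWT library, and validates the decoded claims. The region, pool id, client id and the two sample tokens are constructed placeholders; the claim names (`iss`, `aud`, `client_id`, `token_use`, `exp`, `scope`, `cognito:groups`) are the ones Cognito tokens carry.

```python
"""Claim validation for Amazon Cognito ID and access tokens (added example)."""
import time


class TokenRejected(Exception):
    """Raised with a short, fixed reason so callers can log without leaking token content."""


def cognito_issuer(region, user_pool_id):
    """Issuer URL that every token from a given user pool carries in 'iss'."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def validate_claims(claims, *, region, user_pool_id, client_id, expected_use,
                    required_scopes=(), now=None):
    """Validate already-signature-checked claims; returns them or raises TokenRejected."""
    now = time.time() if now is None else now
    if claims.get("iss") != cognito_issuer(region, user_pool_id):
        raise TokenRejected("issuer mismatch")          # token from another pool or forged issuer
    if claims.get("token_use") != expected_use:
        raise TokenRejected("token_use mismatch")       # e.g. ID token offered as an access token
    # ID tokens name the app client in 'aud'; access tokens name it in 'client_id'.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != client_id:
        raise TokenRejected("audience mismatch")        # issued to a different app client
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("expired")
    if expected_use == "access" and required_scopes:
        granted = set(claims.get("scope", "").split())  # space-separated OAuth 2.0 scopes
        if set(required_scopes) - granted:
            raise TokenRejected("missing scope")
    return claims


def rejection_reason(claims, **kwargs):
    """Convenience wrapper: None when the claims validate, otherwise the reason string."""
    try:
        validate_claims(claims, **kwargs)
    except TokenRejected as err:
        return str(err)
    return None


def in_group(claims, group):
    """Role-based check on the 'cognito:groups' claim (present in both token types)."""
    return group in claims.get("cognito:groups", [])


# Constructed placeholders and sample claims; not real identifiers.
REGION, POOL, CLIENT = "us-east-1", "us-east-1_EXAMPLEPOOL", "1example23456789abcdef"
NOW = 1_700_000_000
ISS = cognito_issuer(REGION, POOL)
ACCESS_CLAIMS = {"iss": ISS, "token_use": "access", "client_id": CLIENT, "exp": NOW + 3600,
                 "scope": "openid orders/read", "username": "alice", "cognito:groups": ["customers"]}
ID_CLAIMS = {"iss": ISS, "token_use": "id", "aud": CLIENT, "exp": NOW + 3600,
             "email": "alice@example.com", "cognito:groups": ["customers"]}

if __name__ == "__main__":
    common = dict(region=REGION, user_pool_id=POOL, client_id=CLIENT, now=NOW)
    print(rejection_reason(ACCESS_CLAIMS, expected_use="access", required_scopes=("orders/read",), **common))
    print(rejection_reason(ID_CLAIMS, expected_use="access", **common))
    print(rejection_reason(dict(ACCESS_CLAIMS, exp=NOW - 1), expected_use="access", **common))
```

The `expected_use` parameter is deliberately mandatory: an API that authorizes on scopes must demand an access token, while a front end reading profile attributes wants an ID token, and the two are not interchangeable even though both are signed by the same pool.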

Customer Experience

Use a data-driven approach to drive customer acquisition and retention. Launch customer outreach campaigns and track the engagement with Amazon Pinpoint. Amazon Pinpoint provides analytics for Amazon Cognito-based user activities and Amazon Cognito enriches user data for Pinpoint campaigns.

AWS Amplify is a set of purpose-built tools and features that lets frontend web and mobile developers quickly and easily build full-stack applications on AWS, with the flexibility to leverage the breadth of AWS services as your use cases evolve. With Amplify, you can configure a web or mobile app backend with Amazon Cognito, connect your app in minutes, visually build a web frontend UI, and easily manage app content outside the AWS console. Ship faster and scale effortlessly—with no cloud expertise needed.

CIAM solutions are custom solutions. Amazon Cognito provides a robust set of hooks and extensions to fully customize the authentication, registration, and user migration flows. For example, the self-registration flow can be augmented with custom identity proofing and account verification checks and the login process can be extended to create custom authentication flows or modify a token before it is generated.

The Amazon Cognito SDK is available for Java, C++, PHP, Python, Go, Ruby, .NET, and JavaScript.

Advanced Security

With a built-in integration with AWS Web Application Firewall (AWS WAF), Amazon Cognito offers advanced bot detection features that can help protect your organization from paying for automated accounts and reduce the impact of bot attacks.

Amazon Cognito can detect and prevent, in real time, the reuse of compromised credentials as users sign up, sign in, or change their password. When Amazon Cognito detects that users have entered credentials that have been compromised elsewhere, it prompts them to change their password.

Protect your users’ accounts and enhance their sign-in experience with adaptive authentication. When Amazon Cognito detects unusual sign-in activity, such as attempts from new locations or devices, or impossible-travel conditions based on IP geolocation, it assigns a risk score to the activity and lets you choose to either prompt users for additional verification or block the sign-in request.

Auditing and Compliance

Amazon Cognito supports monitoring with AWS CloudTrail, Amazon CloudWatch Metrics, and Amazon CloudWatch Logs Insights. With CloudTrail you can capture API calls made from the Amazon Cognito console and from code that calls the Amazon Cognito API operations. With CloudWatch metrics you can monitor, report, and take automatic actions in near real time when an event occurs. You can also configure CloudTrail to send its events to CloudWatch Logs and use CloudWatch Logs Insights to query the Amazon Cognito CloudTrail log data.
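The CloudTrail records described above are what a detection would run over, whether in CloudWatch Logs Insights or in a SIEM. The following is an added example, not code from the page or from AWS: it walks a batch of CloudTrail records and flags two things a defender typically watches for on a user pool, a burst of failed sign-in calls from one source address and any change to sensitive pool configuration. The records are constructed (documentation IP ranges, a placeholder account id); the field names (`eventSource`, `eventName`, `eventTime`, `sourceIPAddress`, `errorCode`, `userIdentity.arn`) are standard CloudTrail fields, while the list of event names treated as sensitive and the thresholds are assumptions to tune for your own environment.

```python
"""Simple detections over Amazon Cognito CloudTrail records (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

COGNITO_SOURCE = "cognito-idp.amazonaws.com"
SIGN_IN_EVENTS = {"InitiateAuth", "AdminInitiateAuth", "RespondToAuthChallenge"}
# Assumed watch list: operations that alter pool security posture or user credentials.
SENSITIVE_ADMIN_EVENTS = {"UpdateUserPool", "UpdateUserPoolClient", "SetUserPoolMfaConfig",
                          "SetRiskConfiguration", "AdminSetUserPassword"}


def _epoch(record):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ") \
        .replace(tzinfo=timezone.utc).timestamp()


def detect(records, threshold=3, window_seconds=300):
    """Return source IPs with >= threshold failed sign-ins inside window_seconds,
    plus every sensitive admin event as (eventName, principal ARN, source IP)."""
    failures = defaultdict(list)
    admin_events = []
    for rec in records:
        if rec.get("eventSource") != COGNITO_SOURCE:
            continue                                   # ignore other services' records
        name = rec.get("eventName")
        if name in SIGN_IN_EVENTS and rec.get("errorCode") == "NotAuthorizedException":
            failures[rec.get("sourceIPAddress")].append(_epoch(rec))
        elif name in SENSITIVE_ADMIN_EVENTS:
            admin_events.append((name, rec.get("userIdentity", {}).get("arn"),
                                 rec.get("sourceIPAddress")))
    bursts = []
    for ip, times in failures.items():
        times.sort()
        # Sliding window: any `threshold` consecutive failures within the window.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window_seconds:
                bursts.append(ip)
                break
    return {"failed_sign_in_bursts": sorted(bursts), "sensitive_admin_events": admin_events}


# Constructed sample trail: four failures from one address, one failure and one
# success from another, one pool-client change, and one unrelated S3 record.
SAMPLE_TRAIL = json.loads("""[
 {"eventSource": "cognito-idp.amazonaws.com", "eventName": "InitiateAuth", "eventTime": "2024-05-01T10:00:05Z",
  "sourceIPAddress": "198.51.100.7", "errorCode": "NotAuthorizedException"},
 {"eventSource": "cognito-idp.amazonaws.com", "eventName": "InitiateAuth", "eventTime": "2024-05-01T10:00:40Z",
  "sourceIPAddress": "198.51.100.7", "errorCode": "NotAuthorizedException"},
 {"eventSource": "cognito-idp.amazonaws.com", "eventName": "InitiateAuth", "eventTime": "2024-05-01T10:01:15Z",
  "sourceIPAddress": "198.51.100.7", "errorCode": "NotAuthorizedException"},
 {"eventSource": "cognito-idp.amazonaws.com", "eventName": "InitiateAuth", "eventTime": "2024-05-01T10:01:50Z",
  "sourceIPAddress": "198.51.100.7", "errorCode": "NotAuthorizedException"},
 {"eventSource": "cognito-idp.amazonaws.com", "eventName": "InitiateAuth", "eventTime": "2024-05-01T10:02:00Z",
  "sourceIPAddress": "203.0.113.5", "errorCode": "NotAuthorizedException"},
 {"eventSource": "cognito-idp.amazonaws.com", "eventName": "InitiateAuth", "eventTime": "2024-05-01T10:02:30Z",
  "sourceIPAddress": "203.0.113.5"},
 {"eventSource": "cognito-idp.amazonaws.com", "eventName": "UpdateUserPoolClient", "eventTime": "2024-05-01T10:05:00Z",
  "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "eventTime": "2024-05-01T10:06:00Z",
  "sourceIPAddress": "203.0.113.9"}
]""")

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_TRAIL), indent=2))
```

The same logic maps directly onto a Logs Insights query (filter on `eventSource`, `eventName` and `errorCode`, then `stats count() by sourceIPAddress` over a time bin); the point of the script is the two signals, not the tooling.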

Amazon Cognito offers advanced logging for user events like sign-in, sign-up, and password changes, capturing detailed request data such as risk level, location, source IP, and user-agent. Customers can stream this event log data to Amazon CloudWatch, Amazon S3, or third-party log aggregation solutions via Amazon Kinesis Data Firehose. This enables comprehensive monitoring and analysis of user activity.

Amazon Cognito aligns with multiple security and compliance requirements, including those for highly regulated organizations such as healthcare companies and merchants. Amazon Cognito is HIPAA eligible and PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant.