Amazon Cognito

Contributor(s): David Carty

Amazon Cognito is an Amazon Web Services (AWS) product that handles user sign-up, sign-in and access control for mobile and web applications. The service also saves and synchronizes end-user data across devices, so an application developer can focus on application code instead of building and operating an identity back end. This can accelerate the mobile application development process.

Amazon Cognito has two main components. A user pool is a user directory: it stores a user's profile attributes, handles sign-up and sign-in, and issues tokens to the mobile or web app after a successful login. An identity pool (also called federated identities) maps users from a user pool or an external identity provider to a Cognito identity and exchanges their tokens for temporary, limited-privilege AWS credentials, which is how the app is given scoped access to AWS resources. The Cognito sync store keeps, per identity, one or more data sets of key/value pairs, saved in encrypted form. Data synchronizes with AWS when a device is online, allowing an end user to see the same information on another device, and is cached locally in a SQLite database while the device is offline until it reconnects. Each identity can store a maximum of 20 MB of data, with each individual data set limited to 1 MB.


A developer can also configure Amazon Cognito to emit a stream of events as data sets are updated and synchronized: Cognito Streams publishes each change to an Amazon Kinesis stream, and Cognito Events can invoke an AWS Lambda function on each sync. From there a developer can load and query the data with other AWS services, such as an Amazon Redshift database, a Relational Database Service (RDS) instance or files in Amazon Simple Storage Service (S3).

Figure: Using Amazon Cognito.

Managing identities

An administrator can add sign-up and sign-in functionality with a Cognito user pool, which comes with additional security features such as email or phone verification and multi-factor authentication (MFA). An admin can attach AWS Lambda functions to user pool triggers (for example pre sign-up, pre authentication or custom authentication challenges) to add custom security logic, such as restricting registration to approved email domains.
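The following is an added example, not code from the original page or from AWS: a pre sign-up Lambda trigger for a Cognito user pool that rejects registrations from email domains outside an allow list. The event layout follows the Cognito pre sign-up trigger contract; the allowed domains and the sample events are constructed here for illustration. Note that the handler deliberately leaves `autoVerifyEmail` alone, because marking an address verified without sending a code would let anyone register an address they do not control.

```python
"""Pre sign-up Lambda trigger for a Cognito user pool (added example).

Cognito invokes the handler with a triggerSource such as PreSignUp_SignUp,
PreSignUp_ExternalProvider or PreSignUp_AdminCreateUser. Returning the event
allows the sign-up to continue; raising an exception rejects it and the
exception message is returned to the client.
"""

# Assumption: these are the only domains allowed to register (hypothetical list).
ALLOWED_DOMAINS = {"example.com", "corp.example.net"}

# Sources subject to the domain check; admin-created users are trusted.
CHECKED_SOURCES = {"PreSignUp_SignUp", "PreSignUp_ExternalProvider"}


class SignUpRejected(Exception):
    """Raised to make Cognito refuse the sign-up."""


def email_domain(email: str) -> str:
    """Return the lower-cased domain of an address, or '' if it is malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return ""
    local, _, domain = email.partition("@")
    if not local or not domain or domain != domain.strip():
        return ""
    return domain.lower()


def lambda_handler(event, context=None):
    """Entry point Cognito calls for the pre sign-up trigger."""
    if event.get("triggerSource") not in CHECKED_SOURCES:
        return event
    attrs = event.get("request", {}).get("userAttributes", {})
    domain = email_domain(attrs.get("email", ""))
    if domain not in ALLOWED_DOMAINS:
        raise SignUpRejected("Registration is restricted to approved email domains")
    # Do not set response.autoConfirmUser / autoVerifyEmail here: Cognito will
    # still send the verification code, so the address is proven before use.
    return event


def make_event(email, source="PreSignUp_SignUp"):
    """Build a constructed sample event in the shape Cognito sends."""
    return {
        "triggerSource": source,
        "request": {"userAttributes": {"email": email}},
        "response": {"autoConfirmUser": False,
                     "autoVerifyEmail": False,
                     "autoVerifyPhone": False},
    }


if __name__ == "__main__":
    print(lambda_handler(make_event("alice@example.com"))["response"])
    try:
        lambda_handler(make_event("mallory@attacker.example.org"))
    except SignUpRejected as exc:
        print("rejected:", exc)
```

Deploying the function requires only that the Lambda execution role can be invoked by the user pool; the trigger itself carries no AWS credentials for the user.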

Each end user receives a unique identifier (a Cognito identity ID). Identities can be created from public identity providers, from any OpenID Connect-compatible provider, from a Cognito user pool or from a developer's own custom authentication system (developer-authenticated identities). Unauthenticated guest identities are also supported and receive a separate, more restricted IAM role; a guest identity can later be linked to an authenticated identity if the user chooses to create a profile.

Amazon Cognito accepts Amazon, Facebook, Twitter, Digits and Google as public identity providers. The end user authenticates with the identity provider, and the app passes the resulting OAuth or OpenID Connect token to Amazon Cognito, which validates it with that provider. A Cognito identity ID is created (or looked up) for the user, and the user is granted temporary AWS credentials whose permissions are limited to the IAM role associated with the identity pool. Those limits are only as tight as the role's policies: the trust policy should restrict the role to that identity pool and to authenticated identities, and the permission policy should be scoped to the individual identity rather than to the whole resource.
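As an added example (not from the page and not AWS's own sample), the two policy documents that give the "limited access" its limits for an identity pool's authenticated role, shown together under the keys TrustPolicy and PermissionsPolicy although they are attached separately. The identity pool ID, account ID and bucket name are placeholders. The `aud` condition ties the role to one identity pool, the `amr` condition refuses unauthenticated identities, and the `${cognito-identity.amazonaws.com:sub}` policy variable confines each user to an S3 prefix and a sync-store path named after their own identity ID. A permission policy with `"Resource": "arn:aws:s3:::app-user-data/*"` instead, which is the common mistake, would let every authenticated user read and overwrite every other user's files with the credentials Cognito hands out.

```json
{
  "TrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Federated": "cognito-identity.amazonaws.com" },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "cognito-identity.amazonaws.com:aud": "us-east-1:00000000-0000-0000-0000-000000000000"
          },
          "ForAnyValue:StringLike": {
            "cognito-identity.amazonaws.com:amr": "authenticated"
          }
        }
      }
    ]
  },
  "PermissionsPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ListOnlyOwnPrefix",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::app-user-data",
        "Condition": {
          "StringLike": { "s3:prefix": "${cognito-identity.amazonaws.com:sub}/*" }
        }
      },
      {
        "Sid": "ReadWriteOnlyOwnObjects",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::app-user-data/${cognito-identity.amazonaws.com:sub}/*"
      },
      {
        "Sid": "SyncOnlyOwnDatasets",
        "Effect": "Allow",
        "Action": "cognito-sync:*",
        "Resource": "arn:aws:cognito-sync:us-east-1:123456789012:identitypool/us-east-1:00000000-0000-0000-0000-000000000000/identity/${cognito-identity.amazonaws.com:sub}/*"
      }
    ]
  }
}
```

The unauthenticated role, if guest access is enabled, should get a separate trust policy whose `amr` condition matches `unauthenticated` and a permission policy with a much smaller action set, since anyone who can reach the identity pool ID can obtain those credentials.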

Amazon Cognito pricing

Amazon Cognito charges are based on the number of synchronization operations and amount of data in the sync store. With the AWS free tier, an enterprise can store 10 GB of data and perform 1,000,000 sync operations in a month, for up to 12 months. Once an administrator has exhausted the free tier, Amazon Cognito charges 15 cents per GB of sync storage per month and 15 cents for every 10,000 sync operations.

Supported platforms

A mobile app developer can use a software development kit (SDK) to integrate with Cognito or directly access server-side APIs.

AWS supports Amazon Cognito in its AWS Mobile SDK, which includes libraries, code samples and APIs to help developers use the service. The SDK is available for iOS, Android, Unity and Kindle Fire. The AWS SDK for JavaScript also supports Cognito. User pools are available in the AWS SDK for JavaScript and the AWS Mobile SDK for iOS and Android.

This was last updated in April 2017


What difficulties have your enterprise faced managing user identification in an application?
In theory, this sounds like it's a magic bullet that allows developers to spend more time making great applications and less time putting in verification code and security features. Does this open the door for malicious code from other fronts? Is having AWS in charge of security a step that then makes developers have to write two sets of code depending on where they're releasing their apps? E.g., for Apple you need to include all the code; for AWS you don't need the security or identification framework. Sounds complicated.
