Amazon Cognito
- Service for managing user authentication, authorization, and identity for web and mobile apps.
- Supports both application login and direct AWS resource access through temporary credentials.
Cognito User Pools (CUP)
- Serverless user directory for application authentication.
- Handles:
- Username/email + password sign-in
- Password resets
- Email & phone verification
- Multi-Factor Authentication (MFA)
- Social & enterprise identity federation (Facebook, Google, SAML)
- Integrations:
- API Gateway – validates Cognito tokens before forwarding requests.
- Application Load Balancer – authenticates users before routing to target groups.
Cognito Identity Pools (Federated Identities)
- Provide temporary AWS credentials to users for direct AWS service access.
- Accept identities from:
- Cognito User Pools
- Social/enterprise identity providers
- IAM policies are applied per identity:
- Default roles for authenticated and guest users
- Fine-grained access control using identity attributes (e.g., user_id, sub)
Cognito vs. IAM
- Cognito:
- For applications with hundreds/thousands of mobile/web users.
- Supports SAML, social logins, and external identity providers.
- IAM:
- For managing AWS service access for AWS accounts, services, and infrastructure users.
Row-Level Security in DynamoDB
- Enforce per-user access by embedding Cognito identity attributes in IAM policy conditions.
- Example: allow a user to read/write only items in a table where the partition key equals their sub.
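Added example, not code from these notes: a Python model of the IAM policy statement behind this pattern and of how its condition is evaluated, with the Null guard AWS recommends alongside ForAllValues. The table ARN and identity ids are constructed placeholders.

```python
# Added example, not code from the notes: a small model of how IAM evaluates
# the condition behind this pattern (ForAllValues:StringEquals on
# dynamodb:LeadingKeys plus the Null guard AWS recommends with ForAllValues).
# It is not the real IAM engine; the table ARN and identity ids are placeholders.

ROW_LEVEL_POLICY = {
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
    "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/UserNotes",
    "Condition": {
        # Every partition key in the request must equal the caller's
        # Identity Pool id, which IAM substitutes for the variable below.
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        },
        # ForAllValues is vacuously true for an empty key set, so also
        # require the key to be present in the request.
        "Null": {"dynamodb:LeadingKeys": "false"},
    },
}


def substitute_variables(values, context):
    """Replace ${name} policy variables with values from the request context."""
    out = []
    for value in values:
        for name, actual in context.items():
            value = value.replace("${" + name + "}", actual)
        out.append(value)
    return out


def is_allowed(statement, action, leading_keys, identity_id):
    """True if `statement` lets a caller with Cognito identity `identity_id`
    perform `action` on items whose partition keys are `leading_keys`."""
    if action not in statement["Action"]:
        return False
    cond = statement["Condition"]
    # Null/"false": the context key must be present (non-empty).
    if cond.get("Null", {}).get("dynamodb:LeadingKeys") == "false" and not leading_keys:
        return False
    context = {"cognito-identity.amazonaws.com:sub": identity_id}
    allowed = set(substitute_variables(
        cond["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"], context))
    # ForAllValues: every requested key must appear in the allowed set.
    return all(key in allowed for key in leading_keys)
```

In an Identity Pool role policy the variable cognito-identity.amazonaws.com:sub resolves to the Identity Pool identity id (REGION:GUID), not the User Pool sub claim, so items must be keyed by that id for the condition to match.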