π₯ 02. Amazon Cognito
Amazon Cognito provides authentication, authorization, and user management for your web and mobile applications.
It lets users securely sign up, sign in, and access your app β without needing to create IAM users for each one.
Cognito is built to support millions of users and integrates seamlessly with other AWS services.
π§ How It Worksβ
- A user signs up or signs in through your web or mobile application.
- The app communicates with Amazon Cognito for authentication.
- Cognito returns temporary AWS credentials (via AWS STS) that the app can use to access AWS resources securely.
π§° Common Use Casesβ
| Use Case | Description |
|---|---|
| User Sign-Up / Sign-In | Manage user registration, authentication, and password recovery. |
| Social Login | Allow login via Google, Facebook, Apple, or Amazon accounts. |
| Access Control | Provide fine-grained access to AWS resources like S3 or DynamoDB. |
| Federated Identity | Combine multiple identity providers (e.g., SAML, OIDC, enterprise directories) into one unified authentication system. |
| Component | Description |
|---|---|
| User Pools | A built-in user directory that handles sign-up, sign-in, and user profile management. |
| Identity Pools | Provide temporary AWS credentials (via STS) to authenticated users for accessing AWS resources. |
| Federated Identities | Enable users to authenticate through external identity providers (like Google, Facebook, or corporate SAML). |
π Integration with AWS STSβ
Amazon Cognito integrates with AWS Security Token Service (STS) to issue temporary, limited-privilege credentials.
This lets authenticated users securely interact with AWS resources without exposing long-term IAM credentials.
π§ Example Scenarioβ
Youβre building a mobile photo-sharing app:
- Users sign up using email, Google, or Facebook.
- Cognito authenticates them and generates temporary credentials via STS.
- Users can upload photos securely to an Amazon S3 bucket β without ever managing AWS keys.
𧩠Exam Tipβ
If you need to manage millions of app users, or allow social logins (Google, Facebook, Apple, etc.),
the right AWS service is Amazon Cognito, not IAM.
β Summary Tableβ
| Concept | Description |
|---|---|
| Service Name | Amazon Cognito |
| Purpose | Manage authentication, authorization, and access for app users |
| Key Components | User Pools, Identity Pools, Federated Identities |
| Supports Social Logins | β Yes β Google, Facebook, Apple, Amazon |
| Integrates With | AWS STS for temporary credentials |
| Ideal For | Web & mobile apps with large-scale user bases |