Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.2. Amazon Cognito for User Authentication

First Principle: Amazon Cognito simplifies user authentication and authorization for web and mobile applications, providing secure user directories and enabling developers to integrate identity management at scale.


Amazon Cognito is a managed service that helps you add user sign-up, sign-in, and access control to your web and mobile apps. It eliminates the need for developers to build and manage complex user authentication systems.

  • User Pools: A user directory that provides sign-up and sign-in options for your app users. It handles user registration, authentication (passwords, MFA), and account recovery, and issues JSON Web Tokens (JWTs) to your application for authenticated users.
  • Identity Pools (Federated Identities): Provide temporary AWS credentials to users who are guests (unauthenticated) or who have authenticated through a social identity provider or a Cognito User Pool. Those credentials let the user call AWS services directly (e.g., upload to S3, write to DynamoDB). Supports social identity providers (Google, Facebook, Amazon) as well as SAML and OIDC providers.
  • API Gateway Integration: API Gateway can be configured to use a Cognito User Pool as the authorizer for API calls, so only requests carrying a valid User Pool token reach your backend.

Scenario: You're developing a new mobile application that requires user sign-up, sign-in, and the ability for authenticated users to upload images directly to Amazon S3. You want a fully managed solution for identity management.

āš ļø Exam Trap: Cognito User Pool tokens (ID token, access token) expire after 1 hour by default. The refresh token lasts longer (30 days default). If a question mentions expired tokens, the answer usually involves refresh token rotation — not re-authentication.

Written by Alvin Varughese, Founder, 15 professional certifications