Cognito
On This Page
About
Amazon Cognito - Simple and Secure User Sign-Up, Sign-In, and Access Control
Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.
Users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.
Alternatives
- Auth0
- Microsoft Azure Active Directory
- OneLogin
- Google Cloud Identity Platform
- IBM Security Verify
- Keycloak
Terminology
Credentials: The temporary security credentials, which include an access key ID, a secret access key, and a security token.
AssumedRoleUser: The ARN and the assumed role ID, which are identifiers for the temporary security credentials that you can programatically refer to.
Price
Pay only for what you use. First 50,000 (monthly active users (MAUs) - Free.
Use Cases
Type: Identity & access management
Same type services: Identity & Access Management (IAM), Single Sign-On, Cognito, Directory Service, Resource Access Manager, Organisations
Workflow
The process of authenticating a user with Cognito is as follows:
- The user signs in with a Web ID provider (Google, Facebook, Amazon, etc.)
- The Web ID provider returns a JWT token to the user
- The user application makes an STS API call: sts assume-role-with-web-identity
- STS returns an API response with the temporary credentials
- The user application now has AWS access e.g. for S3, DynamoDB, etc.
Practice
Manage Authentication with Amazon Cognito
Questions
Q1
You are deploying Multi-Factor Authentication (MFA) on Amazon Cognito. You have set the verification message to be by SMS. However, during testing, you do not receive the MFA SMS on your device.
What action will best solve this issue?
- Use AWS Lambda to send the time-based one-time password by SMS
- Increase the complexity of the password
- Create and assign a role with a policy that enables Cognito to send SMS messages to users
- Create and assign a role with a policy that enables Cognito to send Email messages to users
Q2
A developer is adding sign-up and sign-in functionality to an application. The application is required to make an API call to a custom analytics solution to log user sign-in events
Which combination of actions should the developer take to satisfy these requirements? (Select TWO.)
- Use Amazon Cognito to provide the sign-up and sign-in functionality
- Use AWS IAM to provide the sign-up and sign-in functionality
- Configure an AWS Config rule to make the API call triggered by the post-authentication event
- Invoke an Amazon API Gateway method to make the API call triggered by the post-authentication event
- Execute an AWS Lambda function to make the API call triggered by the post-authentication event
Explanation
Amazon Cognito adds user sign-up, sign-in, and access control to web and mobile applications quickly and easily. Users can also create an AWS Lambda function to make an API call to a custom analytics solution and then trigger that function with an Amazon Cognito post authentication trigger.
1, 5