This chapter covers Amazon Cognito, a fully managed identity and access management service for web and mobile applications. For the CLF-C02 exam, this falls under Domain 2: Security and Compliance, Objective 2.2: Define the AWS shared responsibility model. While Cognito is not the primary focus of this objective, understanding its role in user authentication and authorization is essential for security-related questions. This objective carries approximately 10-15% of the exam, and Cognito appears in a few questions, often contrasted with IAM or other identity services.
Jump to a section
Imagine a large hotel with multiple entrances, floors, and amenities like the gym, pool, and executive lounge. As a guest, you receive a key card at check-in. This card is like Amazon Cognito: it manages your identity and authorizes access to specific areas. The front desk (Cognito User Pools) verifies who you are by checking your ID and booking. Once verified, they encode the card with permissions for your room, the pool, and the gym, but not the staff-only areas. If you want to use the business center, you might need a separate card from the concierge (Cognito Identity Pools) that grants temporary access. The hotel's central system (AWS IAM) doesn't need to know every guest; it just trusts the key card. If you lose your card, the front desk can revoke it and issue a new one without changing the locks. Similarly, Cognito handles authentication and authorization separately from your backend systems, allowing you to add user registration, sign-in, and access control to your apps quickly. The card's expiration (token expiry) ensures that even if stolen, it's only useful for a limited time. This separation of identity management from your application logic is the core mechanism of Amazon Cognito.
What is Amazon Cognito and the Problem It Solves
Amazon Cognito is a fully managed service that provides identity, authentication, and authorization for web and mobile applications. The core problem it solves is: how do you securely add user sign-up, sign-in, and access control to your application without building and maintaining your own user database, password hashing, multi-factor authentication, and session management? In a traditional on-premises environment, you would need to set up a directory service like Active Directory, implement a custom authentication system, or integrate with third-party identity providers. This is complex, error-prone, and requires ongoing security patching. Cognito offloads this heavy lifting to AWS.
Cognito is composed of two main components: User Pools and Identity Pools. User Pools handle authentication — they are user directories that manage sign-up, sign-in, password resets, and multi-factor authentication (MFA). Identity Pools provide temporary AWS credentials to access other AWS services like S3 or DynamoDB, based on the user's identity from a User Pool or another identity provider (e.g., Facebook, Google, SAML). Together, they allow you to implement a complete identity and access management solution for your applications.
How It Works — The Mechanism
When a user signs up for your app, Cognito User Pools stores their profile in a secure, scalable directory. You can configure the sign-up process to require email or phone verification, set password policies, and enable MFA. Behind the scenes, Cognito handles the cryptographic operations for password hashing and token generation. Upon successful authentication, Cognito returns three JSON Web Tokens (JWTs): an ID token, an access token, and a refresh token. The ID token contains user attributes (e.g., email, name). The access token is used to authorize API requests to your backend. The refresh token has a longer lifetime (default 30 days) and is used to get new ID and access tokens without requiring the user to sign in again.
Identity Pools work differently. They are not user directories; they are authorization brokers. You define one or more identity providers (e.g., a User Pool, a public provider like Facebook, or an OpenID Connect provider). When a user authenticates through one of these providers, the Identity Pool exchanges the provider's token for temporary AWS credentials (access key, secret key, session token) via the AWS Security Token Service (STS). These credentials have a configurable expiration (default 1 hour) and are scoped to an IAM role that you define. This role can grant permissions to access specific AWS resources, like read-only access to an S3 bucket. This avoids hardcoding AWS credentials in your application.
Key Tiers, Configurations, and Pricing
Cognito User Pools offers two tiers: Lite and Essentials. The Lite tier is free for the first 50,000 Monthly Active Users (MAUs) and includes basic features like sign-up, sign-in, and password reset. The Essentials tier (paid) adds advanced security features like adaptive authentication, compromised credentials detection, and risk-based MFA. Pricing is per MAU, with lower rates for higher volumes. For example, the first 1,000 MAUs are free, then $0.0055 per MAU for the next 50,000, and so on. Identity Pools are free for the first 100,000 authenticated users per month, and $0.0025 per authenticated user thereafter. Unauthenticated access (guests) is also free for the first 100,000, then $0.0025 per unauthenticated user.
Key configurations include: - App client settings: Each app (web, iOS, Android) needs a unique app client ID and optional client secret. - Domain: You can use a Cognito-provided domain (e.g., your-domain.auth.us-east-1.amazoncognito.com) or a custom domain for the hosted UI. - Triggers: You can invoke AWS Lambda functions during sign-up, sign-in, etc., to customize workflows (e.g., adding custom validation). - Federation: You can integrate with SAML, OIDC, and social identity providers.
Comparison to On-Premises or Competing Approaches
On-premises, you might use Active Directory Federation Services (AD FS) or a custom authentication system with a SQL database. This requires managing server infrastructure, patching, scaling, and implementing security best practices like password hashing and session management. Cognito is fully managed, scales automatically, and integrates with other AWS services. However, it is a shared responsibility: AWS manages the service infrastructure, but you are responsible for configuring it securely — e.g., setting strong password policies, enabling MFA, and properly scoping IAM roles in Identity Pools.
Compared to third-party identity providers like Auth0 or Okta, Cognito is tightly integrated with AWS, making it easier to grant access to AWS resources. However, it may have fewer customization options for the user interface or advanced identity workflows. For the CLF-C02 exam, you should know that Cognito is the recommended service for adding authentication to your mobile or web app on AWS.
When to Use Cognito vs Alternatives
Use Cognito User Pools when you need a built-in user directory for your app, with features like sign-up, sign-in, MFA, and password recovery. It's ideal for consumer-facing applications where users create accounts.
Use Cognito Identity Pools when you need to grant temporary AWS credentials to authenticated users (from any identity provider) or unauthenticated (guest) users to access AWS services like S3 or DynamoDB.
Use AWS IAM for managing access for AWS users, groups, and roles within your AWS account (e.g., administrators, developers). IAM is not designed for application users.
Use AWS Directory Service for integrating with existing Microsoft Active Directory or for creating a managed directory in the cloud. This is for enterprise scenarios where you need to authenticate corporate users.
Use Amazon API Gateway with Lambda authorizers if you need custom authorization logic for APIs. Cognito can be used as an authorizer for API Gateway, but you can also implement custom JWT validation.
On the exam, you may see questions that ask which service to use for customer-facing user sign-up. The answer is Amazon Cognito. Another common question: how to grant a mobile app user temporary access to an S3 bucket. The answer is Cognito Identity Pools.
Create a User Pool
First, you create a User Pool in the AWS Management Console, AWS CLI, or via CloudFormation. You configure the pool name, password policy (e.g., minimum length 8, require numbers and special characters), MFA settings (optional, can be SMS or TOTP), and attributes required for sign-up (e.g., email, phone). You also set up the hosted UI for sign-in pages. Behind the scenes, Cognito provisions a secure directory and generates a pool ID (e.g., us-east-1_abc123) that your app uses to reference the pool.
Configure App Client
Next, you create an app client for each platform (web, iOS, Android). You set an app client name and optionally generate a client secret for server-side apps. For mobile apps, you disable client secret because it can't be stored securely. You also configure allowed OAuth flows (e.g., authorization code grant for server-side, implicit grant for client-side) and callback URLs. The app client ID (e.g., 1234567890abcdef) is embedded in your app.
User Signs Up and Confirms
Your app calls the Cognito API (e.g., SignUp) with the user's chosen username, password, and attributes. Cognito creates an unconfirmed user entry in the pool and sends a verification code via email or SMS (based on your configuration). The user enters the code, and your app calls ConfirmSignUp. Cognito marks the user as confirmed. If you configured auto-verification, the user is automatically confirmed. The user profile is now stored in Cognito's secure directory.
User Signs In and Gets Tokens
The user signs in via the hosted UI or your custom UI using the InitiateAuth API. Cognito validates the credentials, checks for MFA if enabled, and returns three JWTs: ID token, access token, and refresh token. The ID token contains claims like sub (unique user ID), email, and custom attributes. The access token is used to authorize requests to your backend. The refresh token has a longer expiry (default 30 days) and can be used to get new tokens without re-authentication.
Exchange Tokens for AWS Credentials
If your app needs to access AWS resources (e.g., upload to S3), you use Cognito Identity Pools. You create an Identity Pool and configure it to trust the User Pool as an identity provider. Your app calls the GetId API with the User Pool's ID token to get an identity ID, then calls GetCredentialsForIdentity to exchange the token for temporary AWS credentials (access key, secret key, session token). These credentials are valid for a configurable duration (default 1 hour). The app then uses these credentials to make signed AWS API calls.
Scenario 1: Mobile Gaming App with User Accounts A game development company wants to allow players to create accounts, save progress, and compete on leaderboards. They use Cognito User Pools for user sign-up and sign-in, with email verification and optional MFA for high-value accounts. The game client authenticates users and receives tokens. To save game state to DynamoDB, the client uses Cognito Identity Pools to obtain temporary AWS credentials scoped to an IAM role that allows write access to a specific DynamoDB table. The role also allows read access to a leaderboard S3 bucket. This eliminates the need to embed long-term AWS credentials in the mobile app. Cost: For 100,000 MAUs, User Pools are free under the Lite tier; Identity Pools cost ~$0.25 per month. Misconfiguration: If the IAM role is too permissive (e.g., full DynamoDB access), a malicious user could delete all data. The team uses IAM policy conditions to restrict access to only the user's own records.
Scenario 2: Enterprise Web App with SAML Federation A large enterprise has an existing SAML 2.0 identity provider (e.g., Okta) for employee authentication. They are building a new internal web app on AWS and want to reuse the corporate credentials. They set up Cognito User Pools as a SAML federation provider. When an employee accesses the app, they are redirected to the corporate IdP for login. After successful authentication, Cognito creates a user profile and returns tokens. The app's backend uses the access token to authorize API calls. This avoids duplicating user directories and simplifies compliance. The team also enables adaptive authentication to detect suspicious logins. Cost: Enterprise pricing for Essentials tier applies. Misconfiguration: If the SAML metadata is not updated after IdP changes, federation breaks; the team uses AWS Secrets Manager to store metadata and automate updates.
Scenario 3: Public API with Guest Access A startup offers a public API for weather data. They want to allow unauthenticated users (guests) to access a limited tier, while registered users get higher quotas. They use Cognito Identity Pools with two IAM roles: one for unauthenticated users (guest) with read-only access to a public S3 bucket, and one for authenticated users with read access to a premium bucket and write access to a support ticket table. Unauthenticated users call GetId without a token and receive credentials scoped to the guest role. Authenticated users use a User Pool token. This scales automatically. Cost: The first 100,000 unauthenticated users per month are free. Misconfiguration: If the guest role has write permissions, malicious users could upload malware. The team restricts guest role to read-only and uses AWS WAF to block common attacks.
What CLF-C02 Tests For Objective 2.2 (Shared Responsibility Model), the exam expects you to understand that Cognito is a managed service where AWS handles the infrastructure security (e.g., encryption at rest, token signing), and the customer is responsible for configuration (e.g., password policies, MFA, IAM role scoping). Questions may ask: 'Which AWS service should you use to add user sign-up to a mobile app?' or 'How do you grant temporary AWS credentials to a mobile app user?' The answer is Amazon Cognito. You may also see comparisons with IAM (for internal users) and AWS Directory Service (for AD integration).
Common Wrong Answers and Why 1. AWS IAM: Candidates choose IAM because they think 'identity and access management' is the same. But IAM is for managing AWS users and roles within your account, not for application users. IAM users have long-term credentials and are not suitable for millions of app users. 2. AWS Directory Service: Candidates confuse directory services with user pools. Directory Service is for managing Microsoft AD or LDAP directories, not for consumer sign-up. It's for enterprise identity federation. 3. Amazon API Gateway: Some think API Gateway handles authentication because it can integrate with Lambda authorizers. But API Gateway itself does not manage user directories; it delegates authentication to Cognito or a custom authorizer. 4. AWS STS alone: STS issues temporary credentials, but it requires an identity source. Cognito Identity Pools use STS behind the scenes. The exam asks for the service that provides the end-to-end solution.
Specific Terms and Values - User Pools: 'MAU' (Monthly Active Users), 'Lite' vs 'Essentials' tiers. - Identity Pools: 'Authenticated' vs 'Unauthenticated' access, 'GetId' and 'GetCredentialsForIdentity' APIs. - Tokens: 'JWT' (JSON Web Token), 'access token', 'ID token', 'refresh token' (30-day default expiry). - Federation: 'SAML 2.0', 'OpenID Connect', 'social identity providers' (Facebook, Google, Amazon). - Integration: 'API Gateway Cognito authorizer', 'ALB with Cognito authentication'.
Tricky Distinctions - User Pools authenticate; Identity Pools authorize. A common scenario: first use User Pools to sign in, then use Identity Pools to get AWS credentials. - Cognito can be used for both web and mobile apps; it's not limited to mobile. - Cognito supports both user pools (built-in directory) and federation (external IdPs). You can use both simultaneously.
Decision Rule for Multiple Choice If the question involves 'user sign-up', 'sign-in', 'application users', or 'customer-facing authentication', eliminate IAM and Directory Service. If the question involves 'temporary AWS credentials for app users', eliminate IAM and STS alone. The correct answer is almost always Amazon Cognito.
Amazon Cognito is a fully managed identity service for web and mobile applications, consisting of User Pools (authentication) and Identity Pools (authorization).
User Pools provide user sign-up, sign-in, MFA, and JWT tokens; Identity Pools exchange tokens for temporary AWS credentials via STS.
Cognito User Pools offers a free tier for the first 50,000 MAUs (Lite tier); Identity Pools are free for the first 100,000 authenticated users per month.
On the CLF-C02 exam, Cognito is the correct answer for questions about customer-facing user authentication and granting temporary AWS access to app users.
Cognito is not a replacement for IAM; IAM is for internal AWS users, while Cognito is for application users.
Cognito supports federation with SAML, OIDC, and social identity providers, enabling single sign-on (SSO) for enterprise apps.
Common wrong answers on the exam include IAM, Directory Service, and API Gateway; eliminate them by focusing on the specific use case (app user vs. AWS user).
These come up on the exam all the time. Here's how to tell them apart.
Amazon Cognito User Pools
Designed for application users (customers, employees).
Provides user directory, sign-up, sign-in, MFA.
Returns JWTs for authentication.
Managed service, no servers to manage.
Integrates with social and SAML identity providers.
AWS IAM
Designed for AWS account users (admins, developers, services).
Manages users, groups, roles, and policies.
Returns long-term access keys or temporary credentials via STS.
Part of AWS account security, not for app authentication.
Does not support social login or user self-registration.
Amazon Cognito Identity Pools
Provides a complete solution for federated identity.
Integrates with multiple identity providers out of the box.
Manages guest (unauthenticated) access.
Automatically assumes IAM roles based on provider.
Returns credentials with configurable expiration.
AWS STS (Security Token Service)
Low-level service to issue temporary credentials.
Requires you to handle identity federation manually.
Does not support guest access directly.
You must call AssumeRoleWithWebIdentity or similar APIs.
Credentials expire (default 1 hour) but you manage the logic.
Mistake
Cognito is only for mobile apps.
Correct
Cognito supports both web and mobile applications. It provides a hosted UI that works in browsers and SDKs for iOS, Android, JavaScript, and more.
Mistake
Cognito Identity Pools replace IAM roles.
Correct
Identity Pools use IAM roles. You define IAM roles that are assumed by authenticated or unauthenticated users. Identity Pools are a broker that exchanges tokens for temporary credentials based on those roles.
Mistake
Cognito stores passwords in plaintext.
Correct
Cognito hashes passwords using strong cryptographic algorithms (bcrypt) and never stores them in plaintext. It also supports encryption at rest for user attributes.
Mistake
Cognito User Pools can be used without Identity Pools to access AWS services.
Correct
User Pools only handle authentication and return tokens. To access AWS services like S3 or DynamoDB, you need Identity Pools to exchange those tokens for AWS credentials. Alternatively, you can use the tokens to authorize API Gateway calls, which then access AWS services on your behalf.
Mistake
Cognito is free for unlimited users.
Correct
Cognito User Pools has a free tier for the first 50,000 MAUs (Lite tier). Beyond that, or if you need advanced features (Essentials tier), you pay per MAU. Identity Pools are free for the first 100,000 authenticated and 100,000 unauthenticated users per month.
Cognito User Pools handle authentication: they store user profiles, manage sign-up/sign-in, and issue JWTs. Identity Pools handle authorization: they take tokens from any identity provider (including User Pools) and exchange them for temporary AWS credentials to access resources like S3 or DynamoDB. In short, User Pools answer 'who are you?', Identity Pools answer 'what can you do?'
Yes, you can federate with an existing Active Directory using SAML or OIDC. Cognito User Pools can be configured as a SAML service provider that trusts your AD FS or other SAML IdP. This allows users to sign in with their corporate credentials. For deeper integration, you can also use AWS Directory Service for Microsoft AD, but that is a separate service for managing AD in the cloud.
Cognito User Pools has a free tier: 50,000 MAUs free with Lite features. Beyond that, you pay per MAU. Essentials tier (with advanced security) is paid from the start. Identity Pools are free for the first 100,000 authenticated and 100,000 unauthenticated users per month. The exam may ask about the free tier limits, so remember 50,000 MAUs for User Pools and 100,000 for Identity Pools.
JWT stands for JSON Web Token, a compact, URL-safe token format that contains claims (e.g., user ID, email, expiration). Cognito uses JWTs because they are self-contained and can be verified without calling a database. The ID token carries user attributes, the access token is used for API authorization, and the refresh token has a longer life to get new tokens. JWTs are signed, so tampering is detectable.
No, Cognito is an AWS service and requires an AWS account. However, you can use Cognito to authenticate users for applications that are hosted outside AWS (e.g., on-premises or other cloud). The authentication flow is independent of where the app runs, but the Cognito service itself is within AWS.
Cognito supports SMS-based MFA and TOTP (time-based one-time password) via authenticator apps. You can enable MFA for all users or only for users with certain risk levels (adaptive authentication in Essentials tier). When MFA is enabled, after the user provides their password, Cognito sends a code or prompts for a TOTP, and the user must complete the challenge to receive tokens.
Cognito is for application-level authentication (customer-facing). AWS SSO (now AWS IAM Identity Center) is for workforce identity and access to multiple AWS accounts and business applications. They serve different purposes: Cognito for app users, SSO for employees accessing AWS resources. On the exam, if the scenario is about customers, choose Cognito; if about employees, choose SSO or IAM.
You've just covered Amazon Cognito — now see how well it sticks with free CLF-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?