Cognito User Pools (CUP) - Authentication

• Serverless OIDC-compliant identity provider (provides sign in functionality for app users)

• Returns JWT (used to verify the identity of the user)

• MFA support

• Supports Federated Identities allowing users to authenticate via third party identity provider like Facebook, Google, SAML, etc.

• Seamless integration with API Gateway & ALB for authentication

  

Cognito Hosted UI

• AWS created login and signup page (can be customized using images and CSS)
• To host the hosted UI on a custom domain, we must create an ACM certificate in us-east-1

Lambda Triggers

CUP can invoke lambda functions synchronously on certain events

Adaptive Authentication

• If enabled, sign-in attempts may be blocked or require MFA if they seem suspicious
• Cognito examines each sign-in attempt and generates a risk score
• In case of compromised credentials, there is email and phone verification
• Logged in CloudWatch