Authentication (Cognito)
Overview
Userpools securely store your users and provide sign-up, sign-in, and access control for your applications.
Userpools support OAuth 2.0, SAML 2.0, and OpenID Connect standards.
Userpools can be integrated with HTTP API Gateways using authorizers to provide access only for authenticated users.
When to use
Userpools can be used almost anytime your application needs to authenticate and authorize users.
Advantages
- Pay-per-MAU - You pay for Monthly Active Users.
- Free-tier - There's a free tier of 50,000 MAUs for users who sign in directly to Cognito User Pools (not using SAML or OIDC federation).
- Serverless - You can seamlessly scale your userbase almost indefinitely.
- Secure by default - Your users are securely stored by AWS.
- Compliant - With userpools, you are HIPAA eligible and PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant by default.
Disadvantages
- Not cheap for large user bases - When you have more than 50,000 MAUs, or many users signing in through SAML or OIDC federation, it can get expensive.
- Not easy to understand - As with almost everything related to authentication or OAuth, understanding user pool authentication flows can be complicated.
Basic usage
- Example: Lambda function connected to an HTTP API Gateway with an authorizer that allows only users authenticated using myUserPool to access the configured path.

resources:
  createPost:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: src/index.ts
      events:
        - type: http-api-gateway
          properties:
            httpApiGatewayName: myGateway
            path: /post/create
            method: POST
            authorizer:
              type: cognito
              properties:
                userPoolName: myUserPool
  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8
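The cognito authorizer on the gateway only proves that the caller presented a valid token from myUserPool; deciding which authenticated users may actually create posts is still up to the function. The handler below is an added example (not Stacktape's or AWS's own code) of what src/index.ts could do with the claims the HTTP API authorizer forwards; the group name "editors" and the sample event are assumptions.

```typescript
// Minimal shape of the HTTP API (payload v2) event fields this handler reads.
interface HttpApiEvent {
  requestContext: { authorizer?: { jwt?: { claims?: Record<string, string> } } };
}

interface Result { statusCode: number; body: string }

// Parse "cognito:groups" as delivered by an HTTP API JWT authorizer, which
// stringifies array claims as "[group1 group2]". A plain comma- or
// space-separated string is accepted defensively as well.
function parseGroups(raw: string | undefined): string[] {
  if (!raw) return [];
  const inner = raw.startsWith("[") && raw.endsWith("]") ? raw.slice(1, -1) : raw;
  return inner.split(/[\s,]+/).filter((g) => g.length > 0);
}

// Authorization decision. The gateway already rejected unauthenticated calls;
// this enforces that only members of the required group (assumed: "editors")
// may create posts.
export function authorize(event: HttpApiEvent, requiredGroup = "editors"): Result {
  const claims = event.requestContext.authorizer?.jwt?.claims;
  if (!claims || !claims.sub) {
    // Fail closed if the route is ever deployed without the authorizer.
    return { statusCode: 401, body: JSON.stringify({ error: "unauthenticated" }) };
  }
  const groups = parseGroups(claims["cognito:groups"]);
  if (!groups.includes(requiredGroup)) {
    return { statusCode: 403, body: JSON.stringify({ error: "forbidden" }) };
  }
  return { statusCode: 201, body: JSON.stringify({ author: claims.sub, groups }) };
}

// Lambda entry point for the createPost function.
export const handler = async (event: HttpApiEvent): Promise<Result> => authorize(event);

// Constructed sample event shaped like what the cognito authorizer forwards.
export const sampleEvent: HttpApiEvent = {
  requestContext: { authorizer: { jwt: { claims: {
    sub: "00000000-0000-0000-0000-000000000000",
    "cognito:groups": "[editors admins]",
  } } } },
};
```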
Using firewall
You can use web-app-firewall to protect your resources from common web exploits that could affect application availability, compromise security, or consume excessive resources.
To learn more, check the web-app-firewall documentation.

resources:
  myFirewall:
    type: web-app-firewall
    properties:
      scope: regional
  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8
      useFirewall: myFirewall
Pricing
Work in progress
Referenceable parameters
The following parameters can be easily referenced using the $ResourceParam directive.
To learn more about referencing parameters, refer to referencing parameters.
Id of the userpool
- Usage:
$ResourceParam('<<resource-name>>', 'id')
Client id of the userpool
- Usage:
$ResourceParam('<<resource-name>>', 'clientId')
Domain of the userpool
- Usage:
$ResourceParam('<<resource-name>>', 'domain')