Stacktape


User Authentication (Cognito)



User pools provide a secure identity store for your users, handling sign-up, sign-in, and access control for your applications. They support standard identity protocols like OAuth 2.0, SAML 2.0, and OpenID Connect, and can be integrated with HTTP API Gateways to protect your endpoints.

When to use them

User pools are a good choice whenever your application needs to authenticate and authorize users.


Advantages

  • Pay-per-MAU: You pay only for monthly active users (MAUs), not for the number of stored accounts.
  • Free tier: The first 10,000 monthly active users are free for users who sign in directly or through a social identity provider; SAML and OIDC federation has a separate, much smaller free tier (see Pricing below).
  • Serverless: Scales seamlessly to handle a large number of users with no infrastructure to operate.
  • Secure by default: Credentials and profile data are stored and hashed by AWS; your code never handles raw passwords or password hashes.
  • Compliant: User pools are HIPAA eligible and in scope for PCI DSS, SOC, ISO/IEC 27001, and other standards.

Disadvantages

  • Cost at scale: Can become expensive for large user bases or heavy use of SAML or OIDC federation.
  • Complexity: Authentication flows and standards like OAuth 2.0 and OIDC are easy to misconfigure (for example by enabling flows you do not need or registering overly broad callback URLs), so review allowedOAuthFlows, allowedOAuthScopes and callbackURLs carefully.

Basic usage

This example shows a Lambda function connected to an HTTP API Gateway with an authorizer that only allows access to users authenticated by myUserPool. The authorizer validates the JWT issued by the user pool (signature, issuer, expiry) before the function is invoked; requests without a valid token are rejected with 401 and never reach your code.

resources:
  createPost:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: src/index.ts
      events:
        - type: http-api-gateway
          properties:
            httpApiGatewayName: myGateway
            path: /post/create
            method: POST
            authorizer:
              type: cognito
              properties:
                userPoolName: myUserPool
  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8
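A handler for the createPost function in the configuration above, as an added example that is not part of the Stacktape docs. With an HTTP API Gateway Cognito authorizer, the verified token claims arrive in event.requestContext.authorizer.jwt.claims (payload format 2.0). The point the example makes is that the authorizer only authenticates: the handler still has to derive the acting user from the verified sub claim and ignore any client-supplied identity. The event and result types are declared locally (a real project would use @types/aws-lambda), the in-memory posts array is a stand-in for a database, and the sample event in the test is constructed.

```typescript
// Added example, not Stacktape's or AWS's code. Types below are minimal
// local versions of APIGatewayProxyEventV2WithJWTAuthorizer / ResultV2.
type JwtClaims = Record<string, string | number | boolean | string[]>;

export interface HttpApiEvent {
  body?: string;
  requestContext: {
    authorizer?: { jwt?: { claims: JwtClaims; scopes?: string[] } };
  };
}

export interface HttpApiResult {
  statusCode: number;
  headers: Record<string, string>;
  body: string;
}

export interface AuthenticatedUser {
  sub: string;
  username?: string;
  groups: string[];
}

// Pull the identity out of the authorizer context. The authorizer has already
// checked signature, issuer and expiry; we still fail closed if claims are
// missing so the function cannot be accidentally exposed on a route without
// an authorizer attached.
export function getUser(event: HttpApiEvent): AuthenticatedUser | undefined {
  const claims = event.requestContext.authorizer?.jwt?.claims;
  if (!claims || typeof claims.sub !== "string") return undefined;
  // HTTP API stringifies array claims as "[a b]"; tolerate both shapes.
  const rawGroups = claims["cognito:groups"];
  const groups = Array.isArray(rawGroups)
    ? rawGroups
    : typeof rawGroups === "string"
      ? rawGroups.replace(/^\[|\]$/g, "").split(/[\s,]+/).filter(Boolean)
      : [];
  return {
    sub: claims.sub,
    username: typeof claims.username === "string" ? claims.username : undefined,
    groups,
  };
}

function json(statusCode: number, payload: unknown): HttpApiResult {
  return {
    statusCode,
    headers: { "content-type": "application/json" },
    body: JSON.stringify(payload),
  };
}

// Hypothetical in-memory store standing in for a database table.
export const posts: Array<{ id: string; authorId: string; title: string; body: string }> = [];

export function createPost(event: HttpApiEvent): HttpApiResult {
  const user = getUser(event);
  if (!user) return json(401, { error: "unauthenticated" });

  let input: { title?: unknown; body?: unknown; authorId?: unknown };
  try {
    input = JSON.parse(event.body ?? "");
  } catch {
    return json(400, { error: "body must be JSON" });
  }
  if (typeof input.title !== "string" || typeof input.body !== "string") {
    return json(400, { error: "title and body are required strings" });
  }

  // Authorization is the handler's job: the author is always the verified
  // subject from the token, never a client-supplied authorId.
  const post = {
    id: `post-${posts.length + 1}`,
    authorId: user.sub,
    title: input.title,
    body: input.body,
  };
  posts.push(post);
  return json(201, post);
}

// Lambda entry point (entryfilePath: src/index.ts).
export const handler = async (event: HttpApiEvent): Promise<HttpApiResult> => createPost(event);
```

Note that `cognito:groups` only appears in the token if the user is a member of at least one group, and that the JWT authorizer does not check scopes unless the route is configured to require them.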

Password policy

You can enforce a password policy for your users, specifying minimum length and requiring lowercase letters, numbers, symbols, and uppercase letters. temporaryPasswordValidityDays controls how long temporary passwords issued to admin-created accounts remain valid before the user must set their own.

PasswordPolicy  API reference
minimumLength
requireLowercase
requireNumbers
requireSymbols
requireUppercase
temporaryPasswordValidityDays

Multi-factor authentication

You can enable multi-factor authentication (MFA) for your user pool to add an extra layer of security. status controls whether MFA is off, optional (each user opts in) or required for every sign-in, and enabledTypes selects the second factors users may enroll: SMS codes and TOTP authenticator apps. Prefer TOTP where you can; SMS is weaker against SIM swapping and incurs per-message charges (see Pricing).

MfaConfiguration  API reference
status
enabledTypes

Hooks

You can use Lambda functions as hooks to trigger custom logic at different points in the user authentication lifecycle, such as before sign-up or after a successful sign-in. For example, preSignUp can validate or reject a registration, preTokenGeneration can add or suppress claims in the issued tokens, userMigration can lazily import users from a legacy store on their first sign-in, and the three *AuthChallenge hooks together implement a custom authentication flow. Hooks run with the user pool's trust, so treat the attributes they receive as unverified input unless the event says otherwise.

UserPoolHooks  API reference
customMessage
postAuthentication
postConfirmation
preAuthentication
preSignUp
preTokenGeneration
userMigration
createAuthChallenge
defineAuthChallenge
verifyAuthChallengeResponse
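Two hook handlers, as an added example that is not from the Stacktape docs: a preSignUp hook that restricts registration to an allow-list of email domains, and a preTokenGeneration hook that adds a tenant claim and suppresses attributes the API never needs. The event shapes follow the Cognito Lambda trigger contracts (V1 format for preTokenGeneration); the allow-listed domains, the custom:tenant claim name and the suppressed attributes are assumptions for illustration. The caveat the example encodes: at preSignUp time a self-service user's email is unverified input, so the hook only auto-verifies it when the address was asserted by a federated identity provider.

```typescript
// Added example, not Stacktape's or AWS's code.
type UserAttributes = Record<string, string>;

export interface PreSignUpEvent {
  triggerSource: "PreSignUp_SignUp" | "PreSignUp_AdminCreateUser" | "PreSignUp_ExternalProvider";
  userName: string;
  request: { userAttributes: UserAttributes; validationData?: Record<string, string> };
  response: { autoConfirmUser: boolean; autoVerifyEmail: boolean; autoVerifyPhone: boolean };
}

export interface PreTokenGenerationEvent {
  triggerSource: string;
  userName: string;
  request: { userAttributes: UserAttributes; groupConfiguration?: { groupsToOverride?: string[] } };
  response: {
    claimsOverrideDetails?: {
      claimsToAddOrOverride?: Record<string, string>;
      claimsToSuppress?: string[];
    } | null;
  };
}

// Hypothetical allow-list; in practice load it from configuration.
export const ALLOWED_EMAIL_DOMAINS = ["example.com", "example.org"];

export function emailDomain(email: string | undefined): string | undefined {
  if (!email) return undefined;
  const at = email.lastIndexOf("@");
  if (at < 0 || at === email.length - 1) return undefined;
  return email.slice(at + 1).toLowerCase();
}

// preSignUp: throwing aborts the sign-up and Cognito returns the message to
// the client. Email is auto-verified only when it came from a federated IdP;
// for a self-service sign-up the normal email-code verification stays in place.
export function preSignUp(event: PreSignUpEvent): PreSignUpEvent {
  const domain = emailDomain(event.request.userAttributes.email);
  if (!domain || !ALLOWED_EMAIL_DOMAINS.includes(domain)) {
    throw new Error("Sign-up is restricted to approved email domains");
  }
  if (event.triggerSource === "PreSignUp_ExternalProvider") {
    event.response.autoConfirmUser = true;
    event.response.autoVerifyEmail = true;
  }
  return event;
}

// preTokenGeneration (V1): derive a tenant claim from the verified email
// domain and strip attributes the backend never reads. V1 claims land only in
// the ID token; customizing the access token needs the V2 trigger format.
export function preTokenGeneration(event: PreTokenGenerationEvent): PreTokenGenerationEvent {
  const attrs = event.request.userAttributes;
  const tenant = attrs.email_verified === "true" ? emailDomain(attrs.email) : undefined;
  event.response.claimsOverrideDetails = {
    claimsToAddOrOverride: tenant ? { "custom:tenant": tenant } : {},
    claimsToSuppress: ["phone_number", "address"],
  };
  return event;
}

// Lambda entry points, one per hook configured under properties.hooks.
export const preSignUpHandler = async (e: PreSignUpEvent) => preSignUp(e);
export const preTokenGenerationHandler = async (e: PreTokenGenerationEvent) => preTokenGeneration(e);
```

Keep claims added in preTokenGeneration small and non-secret: the ID token is readable by the client.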

External identity providers

You can allow users to sign in with external identity providers like Google, Facebook, or any SAML or OIDC-compliant provider.

IdentityProvider  API reference
type
Required
clientId
Required
clientSecret
Required
attributeMapping
authorizeScopes
providerDetails

Firewall

You can protect your user pool with a web application firewall (web-app-firewall resource). The firewall inspects requests to the pool's hosted UI and API endpoints before they reach Cognito and filters out dangerous or abusive traffic: common web exploits that could affect availability, compromise security, or consume excessive resources, as well as high-rate traffic such as credential-stuffing or sign-up floods via rate-based rules.

To learn more, see the Web Application Firewall documentation.

resources:
  myFirewall:
    type: web-app-firewall
    properties:
      scope: regional
  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8
      useFirewall: myFirewall

Pricing

Amazon Cognito has a free tier for user pools, which includes 10,000 monthly active users (MAUs) for users who sign in directly or through a social identity provider. For users who sign in through SAML or OIDC federation, the free tier includes 50 MAUs.

Beyond the free tier, pricing is based on the number of MAUs. For the "Lite" tier, the costs are as follows:

  • 10,001 - 100,000 MAUs: $0.0055 per MAU
  • 100,001 - 1,000,000 MAUs: $0.0046 per MAU
  • Over 1,000,000 MAUs: $0.00325 per MAU

For users federated through SAML or OIDC, the price is $0.015 per MAU above the free tier.

Additional charges apply for sending SMS messages for MFA and for using advanced security features. For detailed and up-to-date pricing information, see the Amazon Cognito pricing page.

Referenceable parameters

The following parameters can be easily referenced using the $ResourceParam directive.

To learn more about referencing parameters, see the referencing parameters documentation.

id
  • Id of the user pool. Together with the region it forms the token issuer, https://cognito-idp.<region>.amazonaws.com/<id>, which your services should check in the iss claim.

  • Usage: $ResourceParam('<<resource-name>>', 'id')
clientId
  • Id of the user pool's app client. This is the value your services should expect in the aud claim of ID tokens and the client_id claim of access tokens.

  • Usage: $ResourceParam('<<resource-name>>', 'clientId')
domain
  • Domain of the user pool (the hosted UI and OAuth 2.0 endpoints).

  • Usage: $ResourceParam('<<resource-name>>', 'domain')
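Verifying a user pool token in a service that does not sit behind the API Gateway authorizer (a WebSocket handler or queue consumer, say), as an added example that is not from the Stacktape docs. It shows what the id and clientId parameters are for: the pool id builds the expected issuer, and the client id is the expected audience (aud on ID tokens, client_id on access tokens). The region, pool id and client id are constructed stand-ins for values you would inject via $ResourceParam; signature verification uses a locally generated RSA key as a stand-in for the pool's JWKS document (https://cognito-idp.<region>.amazonaws.com/<poolId>/.well-known/jwks.json), which in production you fetch, cache and select a key from by kid. signToken exists only to mint test input.

```typescript
// Added example, not Stacktape's or AWS's code. Node's built-in crypto only.
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto";

export const REGION = "eu-west-1";                // constructed
export const USER_POOL_ID = "eu-west-1_EXAMPLE1"; // constructed; $ResourceParam('myUserPool', 'id')
export const CLIENT_ID = "1example23456789";      // constructed; $ResourceParam('myUserPool', 'clientId')
export const ISSUER = `https://cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`;

const b64url = (s: string | Buffer): string => Buffer.from(s).toString("base64url");
const fromB64url = (s: string): string => Buffer.from(s, "base64url").toString("utf8");

export interface CognitoClaims {
  iss: string;
  sub: string;
  exp: number;
  token_use: "id" | "access";
  aud?: string;       // ID tokens
  client_id?: string; // access tokens
  [k: string]: unknown;
}

// Mint an RS256 token the way Cognito would; used here only to build input.
export function signToken(claims: CognitoClaims, privateKey: KeyObject, kid = "key-1"): string {
  const header = b64url(JSON.stringify({ alg: "RS256", kid }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createSign("RSA-SHA256").update(`${header}.${payload}`).sign(privateKey);
  return `${header}.${payload}.${b64url(sig)}`;
}

// Full check: signature against the pool's key, then issuer, token type,
// audience and expiry. Throws on any failure so callers cannot forget a step.
export function verifyCognitoToken(
  token: string,
  expected: "id" | "access",
  keys: Record<string, KeyObject>, // kid -> public key, i.e. the cached JWKS
  now: number = Math.floor(Date.now() / 1000),
): CognitoClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64url(h));
  // Pin the algorithm; never let the token choose it (alg=none / HS256 confusion).
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const key = keys[header.kid];
  if (!key) throw new Error("unknown kid");
  const ok = createVerify("RSA-SHA256").update(`${h}.${p}`).verify(key, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(fromB64url(p)) as CognitoClaims;
  if (claims.iss !== ISSUER) throw new Error("wrong issuer");
  if (claims.token_use !== expected) throw new Error("wrong token_use");
  const audience = expected === "id" ? claims.aud : claims.client_id;
  if (audience !== CLIENT_ID) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}

// Demo key pair standing in for the JWKS document.
export const demoKey = generateKeyPairSync("rsa", { modulusLength: 2048 });
export const demoKeys: Record<string, KeyObject> = { "key-1": demoKey.publicKey };

export function demo(): string {
  const exp = Math.floor(Date.now() / 1000) + 3600;
  const token = signToken({ iss: ISSUER, sub: "user-123", token_use: "id", aud: CLIENT_ID, exp }, demoKey.privateKey);
  return verifyCognitoToken(token, "id", demoKeys).sub; // "user-123"
}
```

Checking token_use matters in practice: an ID token presented where an access token is expected (or vice versa) passes a naive signature-only check.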

API reference

UserAuthPool  API reference
type
Required
properties.allowOnlyAdminsToCreateAccount
properties.unusedAccountValidityDays
properties.requireEmailVerification
properties.requirePhoneNumberVerification
properties.enableHostedUi
properties.hostedUiDomainPrefix
properties.hostedUiCSS
properties.hooks
properties.emailConfiguration
properties.inviteMessageConfig
properties.userVerificationType
properties.userVerificationMessageConfig
properties.mfaConfiguration
properties.passwordPolicy
properties.schema
properties.allowPhoneNumberAsUserName
Default: true
properties.allowEmailAsUserName
Default: true
properties.accessTokenValiditySeconds
properties.idTokenValiditySeconds
properties.refreshTokenValidityDays
properties.allowedOAuthFlows
properties.allowedOAuthScopes
properties.callbackURLs
properties.logoutURLs
properties.identityProviders
properties.useFirewall
properties.generateClientSecret
properties.allowOnlyExternalIdentityProviders
overrides
UserPoolHooks  API reference
customMessage
postAuthentication
postConfirmation
preAuthentication
preSignUp
preTokenGeneration
userMigration
createAuthChallenge
defineAuthChallenge
verifyAuthChallengeResponse
EmailConfiguration  API reference
sesAddressArn
from
replyToEmailAddress
InviteMessageConfig  API reference
emailMessage
emailSubject
smsMessage
UserVerificationMessageConfig  API reference
emailMessageUsingCode
emailMessageUsingLink
emailSubjectUsingCode
emailSubjectUsingLink
smsMessage
MfaConfiguration  API reference
status
enabledTypes
PasswordPolicy  API reference
minimumLength
requireLowercase
requireNumbers
requireSymbols
requireUppercase
temporaryPasswordValidityDays
AttributeSchema  API reference
name
attributeDataType
developerOnlyAttribute
mutable
required
numberMaxValue
numberMinValue
stringMaxLength
stringMinLength
IdentityProvider  API reference
type
Required
clientId
Required
clientSecret
Required
attributeMapping
authorizeScopes
providerDetails
