User Authentication (Cognito)
User pools provide a managed identity store for your users, handling sign-up, sign-in, and access control for your applications. They support standard identity protocols (OAuth 2.0, SAML 2.0, and OpenID Connect) and can be attached as an authorizer to HTTP API Gateway routes, so that only requests carrying a valid token issued by the pool reach your code.
When to use them
User pools are a good choice whenever your application needs to manage end-user accounts and authenticate them (sign-up, sign-in, password reset, MFA) without building and operating your own credential store.
Advantages
- Pay-per-MAU: You pay only for monthly active users, i.e. users who perform an identity operation (sign-up, sign-in, token refresh, password change) in a given calendar month.
- Free tier: The first 10,000 monthly active users are free for users who sign in directly (or through a social identity provider). Users who sign in through SAML or OIDC federation have a much smaller free allowance (50 MAUs); see Pricing below.
- Serverless: Scales seamlessly to handle a large number of users with no instances to patch or size.
- Secure by default: Credentials are stored and verified by Cognito, so password hashes never pass through your application code, and user data is encrypted at rest.
- Compliant: User pools are HIPAA eligible and compliant with PCI DSS, SOC, ISO/IEC 27001, and other standards.
Disadvantages
- Cost at scale: Can become expensive for large user bases or heavy use of SAML or OIDC federation.
- Complexity: Authentication flows and standards like OAuth can be complex to understand and implement correctly.
Basic usage
This example shows a Lambda function connected to an HTTP API Gateway with an authorizer that only allows access to users authenticated by myUserPool. The pool requires new users to confirm a code sent to their email address (userVerificationType: email-code) and enforces a minimum password length of 8.
```yaml
resources:
  createPost:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: src/index.ts
      events:
        - type: http-api-gateway
          properties:
            # myGateway (type: http-api-gateway) is assumed to be defined elsewhere in this stack
            httpApiGatewayName: myGateway
            path: /post/create
            method: POST
            authorizer:
              type: cognito
              properties:
                userPoolName: myUserPool

  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8
```
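The handler behind that route, as an added example (this is not code from the original page or from Stacktape): it shows how the function should consume the identity that the authorizer has already verified. By the time the handler runs, API Gateway has checked the token's signature, issuer, audience and expiry; the handler's job is to take the caller's identity only from those verified claims, never from the request body. It assumes the HTTP API payload format 2.0 event shape, that clients send Cognito access tokens (so `token_use` is `access`), and a made-up group name `admins`; the `pinned` field and the rest of the post schema are invented for the illustration.

```typescript
// Added example: Lambda handler for POST /post/create behind a Cognito JWT authorizer.
// Assumes HTTP API payload format 2.0; the post schema and the "admins" group are invented.

type JwtClaims = Record<string, string | string[] | undefined>;

// Minimal shape of a payload-2.0 event that passed through a JWT authorizer.
interface AuthorizedEvent {
  body?: string;
  requestContext: {
    authorizer?: { jwt?: { claims: JwtClaims; scopes?: string[] } };
  };
}

interface Response { statusCode: number; body: string }
interface Caller { userId: string; groups: string[] }
interface CreatePostInput { title: string; content: string; pinned?: boolean }

// API Gateway serialises array claims such as cognito:groups into the string
// "[admins editors]" in the authorizer context, so accept both forms.
function parseGroups(raw: string | string[] | undefined): string[] {
  if (raw === undefined) return [];
  if (Array.isArray(raw)) return raw;
  return raw.replace(/^\[|\]$/g, "").split(/[\s,]+/).filter((g) => g.length > 0);
}

// Build the caller from verified claims. Returns null when the request did not
// come through the authorizer (misconfigured route) or carries an ID token:
// the authorizer accepts both token types, so the handler narrows to access tokens.
function callerFromEvent(event: AuthorizedEvent): Caller | null {
  const claims = event.requestContext.authorizer?.jwt?.claims;
  if (!claims) return null;
  const sub = typeof claims.sub === "string" ? claims.sub : undefined;
  if (!sub) return null;
  if (claims.token_use !== "access") return null;
  return { userId: sub, groups: parseGroups(claims["cognito:groups"]) };
}

function createPost(event: AuthorizedEvent): Response {
  const caller = callerFromEvent(event);
  if (!caller) return { statusCode: 401, body: JSON.stringify({ error: "unauthenticated" }) };

  let input: CreatePostInput;
  try {
    input = JSON.parse(event.body ?? "");
  } catch {
    return { statusCode: 400, body: JSON.stringify({ error: "invalid JSON" }) };
  }
  if (typeof input.title !== "string" || typeof input.content !== "string") {
    return { statusCode: 400, body: JSON.stringify({ error: "title and content are required" }) };
  }
  // Pinning is an admin-only action: authorise from the group claim, not from the body.
  if (input.pinned && !caller.groups.includes("admins")) {
    return { statusCode: 403, body: JSON.stringify({ error: "only admins can pin posts" }) };
  }
  // Any authorId the client sent is ignored; the author is the verified subject.
  const post = { authorId: caller.userId, title: input.title, content: input.content, pinned: !!input.pinned };
  return { statusCode: 201, body: JSON.stringify(post) };
}

export const handler = async (event: AuthorizedEvent): Promise<Response> => createPost(event);
```

Two points worth keeping in mind when wiring this up: the authorizer does not distinguish ID tokens from access tokens, so if your API should only accept access tokens the handler has to check `token_use` itself, and group membership arrives as a bracketed string rather than a JSON array, which is why `parseGroups` normalises it before any `includes` check.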
Password policy
You can enforce a password policy for your users, specifying a minimum length (Cognito accepts 6 to 99 characters) and whether lowercase letters, uppercase letters, numbers, and symbols are required. Length is the setting that matters most: a longer minimum does more against guessing than composition rules do, which is also the position of NIST SP 800-63B.
Multi-factor authentication
You can enable multi-factor authentication (MFA) for your user pool to add an extra layer of security, either as optional (users opt in) or required (every user must enrol a factor). Cognito supports SMS one-time codes and TOTP authenticator apps; prefer TOTP where you can, since SMS codes can be intercepted or SIM-swapped and each message is billed separately (see Pricing below).
Hooks
You can use Lambda functions as hooks to trigger custom logic at different points in the user authentication lifecycle, such as before sign-up, before authentication, after confirmation, or before tokens are generated. Hooks fail closed: if the function throws, Cognito denies the operation and shows the error message to the user, so keep messages generic. Cognito also waits at most 5 seconds for a hook to respond, so avoid slow external calls in these functions.
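One such hook, as an added example (not code from the original page or from Stacktape): a pre sign-up trigger that restricts self-service sign-ups to an allow-list of email domains and makes sure the hook never short-circuits Cognito's own email verification. The trigger sources and event fields are Cognito's; the allow-listed domains are constructed for the illustration.

```typescript
// Added example: Cognito pre sign-up trigger enforcing an email-domain allow-list.
// Event shape and triggerSource values are Cognito's; the domains below are made up.

interface PreSignUpEvent {
  triggerSource: "PreSignUp_SignUp" | "PreSignUp_AdminCreateUser" | "PreSignUp_ExternalProvider";
  userName: string;
  request: { userAttributes: Record<string, string | undefined> };
  response: { autoConfirmUser: boolean; autoVerifyEmail: boolean; autoVerifyPhone: boolean };
}

// Constructed allow-list for the example.
const ALLOWED_DOMAINS: ReadonlySet<string> = new Set(["example.com", "corp.example.com"]);

// Lower-cased domain of an address, or null if the address is malformed.
// A second "@" or any whitespace is treated as malformed so that
// "a@b@example.com" cannot smuggle an allowed-looking suffix.
function emailDomain(email: string | undefined): string | null {
  if (!email) return null;
  const normalised = email.trim().toLowerCase();
  const at = normalised.lastIndexOf("@");
  if (at <= 0 || at === normalised.length - 1) return null;
  if (normalised.indexOf("@") !== at || /\s/.test(normalised)) return null;
  return normalised.slice(at + 1);
}

// Exact match on the whole domain. Never use endsWith("example.com"):
// it also accepts "evilexample.com".
function isAllowedDomain(domain: string): boolean {
  return ALLOWED_DOMAINS.has(domain);
}

function preSignUp(event: PreSignUpEvent): PreSignUpEvent {
  // Users created by an operator through AdminCreateUser are vetted out of band;
  // self-service and federated sign-ups are gated here. A federated user whose
  // IdP did not supply an email attribute is rejected as well.
  if (event.triggerSource !== "PreSignUp_AdminCreateUser") {
    const domain = emailDomain(event.request.userAttributes.email);
    if (domain === null || !isAllowedDomain(domain)) {
      // Cognito shows this message to the end user, so keep it generic.
      throw new Error("Sign-up is not permitted for this account.");
    }
  }
  // Leave verification to Cognito. Auto-confirming or auto-verifying here would
  // let anyone register an address they do not control.
  event.response.autoConfirmUser = false;
  event.response.autoVerifyEmail = false;
  event.response.autoVerifyPhone = false;
  return event;
}

export const handler = async (event: PreSignUpEvent): Promise<PreSignUpEvent> => preSignUp(event);
```

The two mistakes this guards against are the ones most often seen in these hooks: a suffix match on the domain (which accepts lookalike domains) and setting `autoConfirmUser`/`autoVerifyEmail` to true for convenience, which disables the email-code verification the pool was configured to require.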
External identity providers
You can allow users to sign in with external identity providers like Google, Facebook, or any SAML or OIDC-compliant provider. Note that users who sign in through SAML or OIDC federation are billed at a higher per-MAU rate with a far smaller free allowance than direct or social sign-ins (see Pricing below).
Firewall
You can protect your user pool with a web application firewall.
- You can use web-app-firewall to protect your resources from common web exploits that could affect application availability, compromise security, or consume excessive resources.
- The firewall filters dangerous requests before they reach the user pool's hosted UI and API endpoints, which is also where credential-stuffing and brute-force sign-in traffic arrives.
To learn more, see the Web Application Firewall documentation.
```yaml
resources:
  myFirewall:
    type: web-app-firewall
    properties:
      scope: regional

  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8
      useFirewall: myFirewall
```
Pricing
Amazon Cognito has a free tier for user pools, which includes 10,000 monthly active users (MAUs) for users who sign in directly or through a social identity provider. For users who sign in through SAML or OIDC federation, the free tier includes 50 MAUs.
Beyond the free tier, pricing is based on the number of MAUs. For the "Lite" tier, the costs are as follows:
- 10,001 - 100,000 MAUs: $0.0055 per MAU
- 100,001 - 1,000,000 MAUs: $0.0046 per MAU
- Over 1,000,000 MAUs: $0.00325 per MAU
For users federated through SAML or OIDC, the price is $0.015 per MAU above the free tier.
Additional charges apply for sending SMS messages for MFA and for using advanced security features. For detailed and up-to-date pricing information, see the Amazon Cognito pricing page.
Referenceable parameters
The following parameters can be easily referenced using the $ResourceParam directive.
To learn more about referencing parameters, refer to referencing parameters.
Id of the user pool
- Usage:
$ResourceParam('<<resource-name>>', 'id')
Id of the user pool client (the app client your application authenticates with)
- Usage:
$ResourceParam('<<resource-name>>', 'clientId')
Domain of the user pool
- Usage:
$ResourceParam('<<resource-name>>', 'domain')