User Pools
- User Pool = user directory for sign-up and sign-in. Issues JWT tokens (ID, access, refresh).
- Supports username/password, email, phone, social identity providers (Google, Facebook, Apple), SAML, OIDC.
- MFA: SMS or TOTP. Can be required, optional, or off.
- Hosted UI provides a pre-built sign-in/sign-up page with OAuth 2.0 / OIDC support.
- Custom attributes: up to 50 per User Pool. Cannot be removed after creation.
Identity Pools
- Identity Pool = federated identities. Exchanges tokens for temporary AWS credentials via STS.
- Supports Cognito User Pool tokens, social providers, SAML, OpenID Connect, and developer-authenticated identities (your own backend vouches for the user).
- Authenticated and unauthenticated (guest) roles can be configured.
- Attribute-based access control (ABAC): map claims to session tags for fine-grained IAM policies.
Lambda Triggers
- Pre sign-up: validate, auto-confirm, or auto-verify users before registration.
- Pre authentication: add custom validation before sign-in.
- Post confirmation: send welcome emails, log events after sign-up confirmation.
- Pre token generation: add, suppress, or modify claims in the JWT before it is issued.
- Custom message: customize verification/MFA messages and email subjects.
- Migrate user: import users from a legacy system on first sign-in.
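As an added example, not part of these notes and not AWS sample code, a Python pre token generation handler (V1 event shape) that adds a tenant claim from admin-managed group membership and suppresses the phone number claims; the `tenant-<name>` group convention and the sample event are constructed.

```python
# Added example (not from these notes, not AWS sample code): a Cognito
# pre token generation trigger using the V1 event shape. It derives a
# "tenant" claim from admin-managed group membership and suppresses the
# phone number claims so they never reach the issued token.
# The "tenant-<name>" group convention and the sample event are constructed.
import copy

TENANT_GROUP_PREFIX = "tenant-"            # constructed naming convention
CLAIMS_TO_SUPPRESS = ["phone_number", "phone_number_verified"]

def tenant_from_groups(groups):
    """Return the single tenant name encoded in the user's groups, or None.

    Groups are assigned by administrators, unlike custom attributes that an
    app client may let the user write, so they are a safe source for an
    authorization claim. A user in zero or several tenant groups gets no
    claim; downstream services should then deny rather than guess."""
    tenants = [g[len(TENANT_GROUP_PREFIX):] for g in groups
               if g.startswith(TENANT_GROUP_PREFIX)]
    return tenants[0] if len(tenants) == 1 else None

def lambda_handler(event, context):
    groups = (event.get("request", {})
                   .get("groupConfiguration", {})
                   .get("groupsToOverride") or [])
    tenant = tenant_from_groups(groups)
    overrides = {
        "claimsToAddOrOverride": {"tenant": tenant} if tenant else {},
        "claimsToSuppress": CLAIMS_TO_SUPPRESS,
    }
    # Cognito reads the decision from event["response"]. The trigger also
    # fires on token refresh, so a group change is reflected at the next refresh.
    event.setdefault("response", {})["claimsOverrideDetails"] = overrides
    return event

# Constructed sample event resembling what Cognito sends (V1 shape);
# the pool id, sub and phone number are placeholders.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "TokenGeneration_Authentication",
    "userPoolId": "us-east-1_EXAMPLE",
    "userName": "alice",
    "request": {
        "userAttributes": {"sub": "00000000-0000-4000-8000-000000000000",
                           "email": "alice@example.com",
                           "phone_number": "+15555550100"},
        "groupConfiguration": {"groupsToOverride": ["tenant-acme", "readers"],
                               "iamRolesToOverride": [], "preferredRole": None},
    },
    "response": {},
}

def run_sample():
    """Run the handler on a copy of the sample event and return its decision."""
    return lambda_handler(copy.deepcopy(SAMPLE_EVENT), None)["response"]["claimsOverrideDetails"]
```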