Amazon Cognito
Cognito is the user authentication layer for application end users. It handles sign-up, sign-in, and token issuance so the app can identify users, and it can also connect social login or temporary AWS credentials when needed.
Architecture diagram (image not included in this text; dashed lines in the diagram indicate the flow direction of data or requests).
The moment you start building signup, login, token refresh, and password reset yourself, account security flows begin to compete with product features for time. Once social sign-in and multiple client apps join in, authentication becomes a project of its own.
In the past, each app implemented its own login and token system, but this approach was prone to repeated security vulnerabilities and feature gaps. This is why managed authentication services like Cognito became important.
Cognito uses User Pools to manage user directories and issue tokens, and optionally Identity Pools to exchange those identities for temporary AWS credentials. It can integrate social providers like Apple and Facebook, connect SAML or custom identity providers, and extend the signup and authentication flows through Lambda triggers.
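As an added example of the Lambda-trigger extension point (this is not Cognito's own code, and the project described on this page has no such handler), here is a Pre Sign-up trigger that restricts self sign-up to an allow-list of email domains. The event and response field names follow the Pre Sign-up trigger contract; the allow-list, the domain policy and the sample event are assumptions constructed for the demonstration. The same handler is invoked for social (external provider) sign-ups, so a provider that releases no email address is rejected as well.

```python
# Added example (not Cognito's own code): a Pre Sign-up Lambda trigger that
# restricts self sign-up to an allow-list of email domains. Event/response
# field names follow the Pre Sign-up trigger contract; the allow-list and the
# sample event below are assumptions.

ALLOWED_DOMAINS = {"example.com", "example.org"}  # assumed allow-list


def email_domain(email):
    """Return the lower-cased domain of an address, or None if it is not a single user@domain pair."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def evaluate_signup(event):
    """Decide whether the sign-up is allowed. Returns (allowed, reason)."""
    attrs = event.get("request", {}).get("userAttributes", {})
    domain = email_domain(attrs.get("email"))
    if domain is None:
        return False, "a valid email address is required"
    if domain not in ALLOWED_DOMAINS:
        return False, f"sign-up is not open to the domain {domain}"
    return True, "ok"


def lambda_handler(event, context):
    allowed, reason = evaluate_signup(event)
    if not allowed:
        # Raising makes Cognito reject the sign-up; the message is returned
        # to the client, so keep it free of internal detail.
        raise Exception(reason)
    # Keep the verification step: do not auto-confirm or auto-verify.
    event["response"]["autoConfirmUser"] = False
    event["response"]["autoVerifyEmail"] = False
    event["response"]["autoVerifyPhone"] = False
    return event


# Constructed sample event in the Pre Sign-up trigger shape (placeholder ids).
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "PreSignUp_SignUp",
    "region": "us-east-1",
    "userPoolId": "us-east-1_EXAMPLEPOOL",
    "userName": "alice",
    "request": {"userAttributes": {"email": "alice@example.com"}},
    "response": {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False},
}

if __name__ == "__main__":
    print(evaluate_signup(SAMPLE_EVENT))  # (True, 'ok')
```

Leaving autoConfirmUser and autoVerifyEmail false is deliberate: auto-confirming in the trigger would let anyone who controls sign-up input skip the ownership check on the address.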
Cognito and IAM both look like authentication, but the target is different. Cognito handles app-user login and tokens, while IAM handles people and service permissions inside an AWS account. If the problem is user signup, login, and token issuance for an app, look at Cognito; if the problem is internal AWS permissions and roles, look at IAM.
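Because Cognito's job ends at issuing the token, the backend that receives it must validate it before trusting any claim. As an added example (not Cognito's code and not part of this page's project), the function below applies the checks Cognito documents for its JWTs: signature, issuer, token_use, audience (aud for ID tokens, client_id for access tokens) and expiry. So that it runs offline, the signature check is an HMAC-SHA256 stand-in over a constructed key; real Cognito tokens are RS256 and must be verified with the public key from the pool's JWKS (ISSUER + "/.well-known/jwks.json") whose kid matches the token header. Region, user pool id, app client id and the sample tokens are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values; replace with the real region, pool id and app client id.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"
APP_CLIENT_ID = "example-app-client-id"
# Issuer format as Cognito documents it; the JWKS lives at ISSUER + "/.well-known/jwks.json".
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_signature(signing_input, signature, key):
    # Stand-in so the example runs offline: HMAC-SHA256 with a shared key.
    # Real Cognito tokens are RS256; verify with the JWKS key matching the header "kid".
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def validate_cognito_token(token, key, expected_use, now=None):
    """Return the claims of a valid token, or raise ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers JSON, base64 and unicode decoding errors
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # expect "RS256" for real Cognito tokens
        raise ValueError("unexpected alg")
    if not verify_signature(f"{header_b64}.{payload_b64}".encode(), signature, key):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    if expected_use == "id" and claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("wrong audience")
    if expected_use == "access" and claims.get("client_id") != APP_CLIENT_ID:
        raise ValueError("wrong client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def make_token(claims, key):
    # Builds constructed sample tokens for the demonstration (HS256 stand-in).
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "kid": "example-kid"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def check(token, key, expected_use, now):
    """Convenience wrapper: 'ok' or the name of the failed check."""
    try:
        validate_cognito_token(token, key, expected_use, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    now = 1_700_000_000
    tok = make_token({"iss": ISSUER, "token_use": "id", "aud": APP_CLIENT_ID, "exp": now + 3600}, key)
    print(check(tok, key, "id", now))      # ok
    print(check(tok, key, "access", now))  # wrong token_use
```

The token_use check is the one most often skipped: an ID token and an access token from the same pool share the issuer and signing key, so without it an endpoint that expects one kind will accept the other.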
Well-suited for mobile apps, web services, B2C login, user token issuance, and social login federation. Not a good fit for controlling internal permissions between AWS resources.