What is AWS Cognito?
Why Interviewers Ask This
This tests whether you can apply AWS / Cloud Computing knowledge to real-world scenarios. Interviewers are looking for clarity of thought and evidence that you've encountered this in production code.
Answer
Amazon Cognito provides user authentication, authorization, and user management for web and mobile apps. Two main components:
User Pools: fully managed user directory. Features: sign-up/sign-in (email, phone, username); social sign-in (Google, Facebook, Apple, SAML, OIDC providers); multi-factor authentication (SMS, TOTP); password policies and account recovery; email/SMS verification; JWT tokens (ID, access, refresh tokens); Lambda triggers to customize behavior (pre-sign-up, post-authentication, custom message, pre-token generation); hosted UI (customizable sign-in page); user groups and attributes.
Identity Pools (Federated Identities): grant temporary AWS credentials to users to access AWS services directly. Users authenticated via: Cognito User Pool, social (Google, Facebook), SAML, guest (anonymous). Maps to IAM role → grants permissions for S3 read, DynamoDB access, etc.
Use case: mobile app that directly accesses S3. The user authenticates with Cognito, gets temporary AWS credentials, and uploads to S3 directly without a backend server.
Combined flow: User Pool authenticates user → returns JWT → Identity Pool exchanges JWT for AWS credentials → user accesses AWS services.
Integration with API Gateway: use Cognito User Pool as an authorizer; API Gateway validates JWT tokens automatically.
Security: Cognito Advanced Security Features: compromised credential check, adaptive authentication (MFA on suspicious logins).
Pricing: Free tier 50K MAU (Monthly Active Users). Paid: $0.0055/MAU after 50K.
Pro Tip
If you're unsure about a detail, say so honestly and explain your reasoning. Interviewers respect candidates who can think through uncertainty rather than bluffing.