AWS Cognito: What You Should Know
A field guide to AWS Cognito: what the managed auth service does, user pools vs. identity pools, common pitfalls, and when a team should use it.
Track: Cloud Engineering, with a security crossover. Era: the “stop rolling your own auth” sessions that recur in every security track. Modern lesson: managed auth removes the password-storage risk but hands you a configuration surface you still have to get right.
Amazon Cognito is AWS’s managed service for adding user sign-up, sign-in, and access control to web and mobile apps. It handles user directories, federated login (Google, Apple, SAML, OIDC), token issuance, and multi-factor authentication, so a team doesn’t store passwords or build a session system from scratch. It’s two services in a trench coat, user pools and identity pools, and confusing them is the most common Cognito mistake.
The recovered track
“Don’t build your own authentication” has been a standing line in security tracks for two decades. The reasoning never changes: auth is high-stakes, full of subtle failure modes, and unforgiving when wrong. The old talks warned against home-grown password hashing and session handling. Cognito is one answer to that warning, AWS taking on the parts most teams get subtly wrong.
But “use a managed service” was never the same as “stop thinking.” The archive’s real lesson was about respecting how hard auth is. Cognito respects it for you up to a point, then hands the rest back.
What is AWS Cognito, really?
Cognito splits into two distinct services that solve different problems. As of 2026, confirm current naming and limits against the official Cognito documentation, since AWS has been actively reshaping this service.
- User pools, a user directory and authentication service. It manages sign-up, sign-in, password policies, MFA, and federation, and it issues standard JSON Web Tokens (JWTs) your app validates. This is what most people mean when they say “Cognito.”
- Identity pools (federated identities), a service that exchanges an identity (from a user pool or a third-party provider) for temporary AWS credentials, so an app can call AWS services like S3 directly with scoped permissions.
You can use a user pool alone (just authenticate users), an identity pool alone (grant AWS access to externally-authenticated users), or both together. Most app auth needs only the user pool.
When should a team use Cognito?
It’s a strong fit when:
- You’re already on AWS and want IAM-native integration with API Gateway, Lambda, and AppSync.
- You need standards-based tokens (OIDC/OAuth 2.0) and federation without operating an identity provider.
- You want managed MFA and password policies without building them.
It’s a weaker fit when your auth needs are simple and cloud-agnostic, a dedicated auth vendor or a well-maintained library may have a gentler developer experience. And it’s a poor fit if your team won’t invest in understanding the token model; Cognito’s defaults are not always the secure or cheap ones. This is the same honest tradeoff we apply to every AWS service in our AWS services overview: managed convenience comes with a configuration surface you own.
What are the common pitfalls?
The recurring Cognito field notes, the ones that show up in postmortems:
- Confusing the two pool types. Reaching for an identity pool when you only needed a user pool (or vice versa) leads to over-complicated architectures. Decide what you actually need first.
- Mishandling tokens. Cognito issues ID, access, and refresh tokens. Treating the ID token as an API authorizer, or storing tokens insecurely on the client, are classic mistakes. Validate tokens server-side and follow OWASP’s authentication guidance for storage and session handling.
- Weak MFA and password defaults. The service supports strong settings, but you have to enable them. Don’t ship the defaults unreviewed.
- Hard migration later. User pools are not trivially exportable in all cases. Plan for the possibility of migration before you have a million users locked in.
How does Cognito fit the security track lessons?
| Old worry | What Cognito handles | What you still own |
|---|---|---|
| Insecure password storage | Hashing, storage, rotation policies | Choosing to enable strong policies |
| Building session management | Token issuance and refresh | Validating and storing tokens correctly |
| Adding MFA from scratch | Built-in MFA options | Turning it on and enforcing it |
| Federating third-party login | OIDC/SAML federation | Mapping claims and scoping access |
The pattern is consistent: Cognito removes the lowest-level risks and replaces them with configuration responsibility. That’s a good trade for most teams, but only if someone reads the docs and reviews the settings. Auth that’s “handled by Cognito” but never reviewed is auth nobody owns.
How do the three tokens actually work?
Token confusion causes more Cognito bugs than any other single thing, so it’s worth a clear field note. A Cognito user pool issues three tokens on sign-in, and they have different jobs:
- ID token, a JWT that asserts who the user is (their identity claims: email, name, groups). It’s meant for your application to learn about the user. It is not an API authorization credential, even though it’s tempting to treat it as one.
- Access token, a JWT that asserts what the user can do (scopes). This is the token your APIs should validate to make authorization decisions.
- Refresh token, a long-lived credential used to obtain new ID and access tokens without forcing the user to log in again. It’s the most sensitive of the three and must be stored most carefully.
The classic mistake is authorizing API calls with the ID token because it “has the user’s info.” Use the access token for authorization and the ID token for identity, and validate signatures server-side against the user pool’s public keys. As of 2026, confirm the current token structure in AWS’s docs, since the details evolve.
What does a sound Cognito setup look like?
A field checklist for a team standing up Cognito for the first time, drawn from the recurring postmortem themes:
- Decide pool type before you build. User pool for app login, identity pool only if you need direct AWS-credential access. Write down which and why.
- Enable strong password policy and MFA from day one. Retrofitting MFA onto an existing user base is painful; turning it on at the start is free.
- Validate tokens server-side, every request. Never trust a client-supplied token without verifying its signature and expiry against the pool’s keys.
- Store tokens with the client platform’s secure mechanism, not in plain local storage, and follow vendor-neutral session guidance.
- Plan the exit. Document how you’d migrate users off Cognito before you’re locked in at scale.
- Tag and budget the resource. Cognito has a free tier and per-active-user pricing beyond it; an unmonitored user pool is a future cost surprise, the same attribution discipline every AWS service deserves.
A team that runs this checklist gets standards-based auth without the lowest-level risks. A team that skips it gets the convenience and inherits a quieter class of bug.
The durable lesson
The security track’s warning against home-grown auth still holds, and managed services like Cognito are the mature response to it. But the warning was always about respect for the problem, not abdication of it. Cognito takes the cryptographic and storage risks off your plate and hands you a token model and a configuration surface in return. A team that learns that surface gets safe, standards-based auth cheaply. A team that treats it as a black box gets a different class of bug, quieter, and harder to find.
The service name will change. The advice to take authentication seriously is still alive.
Related reading
- AWS Services: What You Should Know
- AWS Solutions Architect: What You Should Know
- AWS Lambda: What You Should Know
Sources
- “What Is Amazon Cognito?”, AWS Documentation, Official user pool / identity pool definitions and limits.
- “Authentication Cheat Sheet”, OWASP, Vendor-neutral guidance on token handling and session security.