getting started with cognito user pools - september webinar series

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tim Hunt, Sr. Product Manager, Amazon Cognito September 21, 2016 Getting Started with Amazon Cognito User Pools


TRANSCRIPT

Page 1: Getting Started with Cognito User Pools - September Webinar Series

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Tim Hunt, Sr. Product Manager, Amazon Cognito

September 21, 2016

Getting Started with Amazon Cognito User Pools

Page 2: Getting Started with Cognito User Pools - September Webinar Series

Topics

AWS Mobile Services and Amazon Cognito

Introduction to Your User Pools

Summary of Features

Demo

Deeper Dive in a Few Areas

Getting Started

Q & A

Page 3: Getting Started with Cognito User Pools - September Webinar Series

The Best Mobile Apps Run on AWS

Page 4: Getting Started with Cognito User Pools - September Webinar Series

Build and Scale Your Apps on AWS

Authenticate users: Amazon Cognito (Identity)

Synchronize data: Amazon Cognito (Sync)

Analyze user behavior: Amazon Mobile Analytics

Track retention: Amazon Mobile Analytics

Store and share media: Amazon S3

Deliver media: Amazon CloudFront

Store data: Amazon DynamoDB, Amazon RDS

Send push notifications: Amazon SNS Mobile Push

Server-side logic: Lambda

Test your app: Device Farm

Page 5: Getting Started with Cognito User Pools - September Webinar Series

AWS Mobile Hub: Fastest Way to Build Apps on AWS

Page 6: Getting Started with Cognito User Pools - September Webinar Series

Comprehensive Support for Identity Use Cases


Page 7: Getting Started with Cognito User Pools - September Webinar Series

Amazon Cognito Identity and Sync

Federated Identities: manage authenticated and guest users’ access to your AWS resources (Amazon Cognito Identity; sign in as a guest, with your own auth, or via SAML)

Data Synchronization: synchronize a user’s data across devices and platforms via the cloud (Amazon Cognito Sync; k/v data)

Your User Pool: add sign-up and sign-in with a fully managed user directory

Page 8: Getting Started with Cognito User Pools - September Webinar Series

Amazon Cognito Identity and User Experience

Sign-in options shown on the app screen: sign in with Facebook (authenticate via 3rd party identity providers), or username and password (your User Pools in Amazon Cognito), or start as a guest (guest access)

Amazon Cognito Identity provides temporary credentials to securely access your resources: DynamoDB, S3, API Gateway

Page 9: Getting Started with Cognito User Pools - September Webinar Series

Your User Pools

1. Serverless Authentication and User Management: add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure

2. Enhanced Security Features: verify phone numbers and email addresses and offer multi-factor authentication

3. Managed User Directory: launch a simple, low-cost, and fully managed service to create and maintain a user directory that can scale to 100s of millions of users

Page 10: Getting Started with Cognito User Pools - September Webinar Series

Comprehensive User Flows

User registration and authentication: users can sign up and sign in using an email, phone number, or username (and password)

Email or phone number verification: users verify their email address or phone number prior to activating an account

Forgot password: users can change their password if they forget it

User profile data: users can view and update profile data, including custom attributes

SMS-based MFA: users complete Multi-Factor Authentication (MFA) by inputting a security code received via SMS as part of the sign-in flow

Customize these user flows using Lambda

Page 11: Getting Started with Cognito User Pools - September Webinar Series

Custom User Flows Using Lambda Hooks

Category / Lambda Hook: example scenarios

Custom Authentication Flow

Define Auth Challenge: determines the next challenge in a custom auth flow

Create Auth Challenge: creates a challenge in a custom auth flow

Verify Auth Challenge Response: determines if a response is correct in a custom auth flow

Authentication Events

Pre Authentication: custom validation to accept or deny the sign-in request

Post Authentication: event logging for custom analytics

Sign-Up

Pre Sign-up: custom validation to accept or deny the sign-up request

Post Confirmation: custom welcome messages or event logging for custom analytics

Messages

Custom Message: advanced customization and localization of messages
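As an added example (not code from the webinar), here is what the "Pre Sign-up" hook from the table above looks like as a Lambda function that accepts or denies a sign-up request. It assumes the standard user pool trigger event shape (request.userAttributes, response.autoConfirmUser / autoVerifyEmail); the allowed-domain list is a constructed policy value.

```python
# Added example, not from the webinar: a Cognito "Pre Sign-up" Lambda hook that
# accepts or denies a sign-up request. Assumes the standard user pool trigger
# event shape (request.userAttributes, response.autoConfirmUser / autoVerifyEmail);
# the allowed-domain list is a constructed policy value.
ALLOWED_DOMAINS = {"example.com"}

def check_sign_up(user_attributes):
    """Return (accept, reason) for the attributes submitted at sign-up."""
    email = user_attributes.get("email", "")
    local, at, domain = email.rpartition("@")
    if not at or not local:
        return False, "an email address is required to sign up"
    if domain.lower() not in ALLOWED_DOMAINS:
        return False, "sign-up is restricted to approved email domains"
    return True, "ok"

def lambda_handler(event, context):
    """Pre Sign-up trigger entry point: raise to deny, return the event to accept."""
    accept, reason = check_sign_up(event["request"]["userAttributes"])
    if not accept:
        # An exception raised from the hook makes Cognito reject the sign-up
        # and surface the message to the client.
        raise ValueError(reason)
    # Accept without auto-confirming, so the built-in email verification code
    # is still sent and the user stays in "Registered" until verified.
    event["response"]["autoConfirmUser"] = False
    event["response"]["autoVerifyEmail"] = False
    return event
```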

Page 12: Getting Started with Cognito User Pools - September Webinar Series

Custom Auth flow

Diagram: the app exchanges a sequence of custom authentication challenges (e.g., CAPTCHA or custom 2nd factors) with Amazon Cognito Your User Pools, shown as six numbered steps.

Page 13: Getting Started with Cognito User Pools - September Webinar Series

Extensive Admin Capabilities

Create and manage user pools: create, configure, and delete user pools across AWS regions

Define custom attributes: define custom attributes for your user profiles

Set per-app permissions: set read and write permissions for each user attribute on a per-app basis

Set up password policies: enforce password policies like minimum length and requirements for different character types

Require submission of attribute data: select which attributes must be provided by the user to complete sign-up

Search for users: search for users based on a full match or a prefix match of their attributes through the console or admin API

Manage users: conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out

Page 14: Getting Started with Cognito User Pools - September Webinar Series

Remembered Devices

1. Remember the devices associated with your users: reduce the friction that your users face with MFA by suppressing the 2nd factor challenge from remembered devices

2. Build logic to associate devices with your users to achieve specific business requirements such as remote device sign-out

Page 15: Getting Started with Cognito User Pools - September Webinar Series

Amazon Cognito User Pools and Amazon API Gateway

Native Support: configure API Gateway to accept Cognito user pool ID tokens to authorize users

Custom Authorizer Function: control access to your APIs by inspecting tokens provided by Cognito user pools
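As an added example (not code from the webinar), these are the claim checks a custom authorizer function should apply to a Cognito user pool ID token before trusting it. It assumes the token's RS256 signature has already been verified against the pool's JWKS; region, pool id and app client id are constructed placeholders, and constructed_token() exists only for offline testing.

```python
# Added example, not from the webinar: claim checks for a Cognito user pool ID
# token inside an API Gateway custom authorizer. Assumes the RS256 signature was
# already verified against the pool's JWKS
# (https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json);
# only the claims are checked here. Ids below are constructed placeholders.
import base64
import json
import time

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_payload(token):
    """Return the JSON payload of a compact JWT (header.payload.signature)."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def validate_claims(claims, region, user_pool_id, app_client_id, now=None):
    """Return (ok, reason); every check must pass for ok to be True."""
    now = time.time() if now is None else now
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != expected_iss:
        return False, "issuer is not this user pool"
    if claims.get("token_use") != "id":
        return False, "not an ID token"
    if claims.get("aud") != app_client_id:
        return False, "audience is not this app client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"

def authorizer_response(principal_id, method_arn, allow):
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow" if allow else "Deny",
                "Resource": method_arn}]}}

def constructed_token(claims):
    """Unsigned token carrying the given payload, for offline testing only."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    return "e30." + body + ".unsigned"
```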

Page 16: Getting Started with Cognito User Pools - September Webinar Series

Importing Existing Users

Import users into your Cognito user pool by uploading .csv files

Users will create a new password when they first sign in

Each imported user must have an email address or a phone number

Page 17: Getting Started with Cognito User Pools - September Webinar Series

Control Attribute Permissions

Choose which user attributes each app can read and write (Read and Write checkboxes per attribute, e.g., name, phone, custom:paid)

Page 18: Getting Started with Cognito User Pools - September Webinar Series

Additional User Pool Features

Customizable email addresses – Customize the "from" email address of emails you send to users in a user pool.

Admin sign-in – Your app can sign in users from back-end servers or Lambda functions.

Global sign-out – Allow a user to sign out from all signed-in devices or browsers.

Custom expiration period – Set an expiration period for refresh tokens.

Page 19: Getting Started with Cognito User Pools - September Webinar Series

Feedback from our beta customers

“Building an AWS serverless platform that manages sensitive customer data requires an authentication strategy that protects the information from unauthorized access. Using the Amazon Cognito user pool feature together with AWS Lambda, we’re developing a flexible, fully integrated solution that can scale effortlessly – a powerful tool that will be critical in keeping our customers’ data secure.”

“It is critical for us to provide a secure and simple sign-up and sign-in experience for our tens of millions of end users. With Amazon Cognito, we can enable that without having to worry about building and managing any backend infrastructure.”

Page 20: Getting Started with Cognito User Pools - September Webinar Series

Demo

Page 21: Getting Started with Cognito User Pools - September Webinar Series

Understanding User Status

New users start with “Registered” status

Users must be confirmed before they can sign in

Users must be disabled before they can be deleted

State diagram: Sign-up (Lambda Trigger: Pre Sign-up) -> Registered (cannot sign in) -> Verify email or Verify phone -> Confirmed -> Disable -> Disabled -> Delete -> (deleted). User import -> Password Reset Required -> Reset password -> Confirmed.

Page 22: Getting Started with Cognito User Pools - September Webinar Series

Verifying Email and Phone

Your User Pools provide built-in verification of email addresses and phone numbers

A six digit code is sent as an email message or SMS text and is submitted via the VerifyUserAttribute API

If both a phone number and email address are provided at sign-up, a verification code will only be sent to the phone

Your app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification

Example SMS text: “Your verification code is 938764”
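As an added example (not code from the webinar), the flow just described driven through the three API calls the slide names: GetUser to find attributes awaiting verification, GetUserAttributeVerificationCode to send a code, and VerifyUserAttribute to submit it. The client object is assumed to expose those calls as methods, as a boto3 "cognito-idp" client does; a constructed stub stands in for it here so the code runs offline.

```python
# Added example, not from the webinar: email/phone verification via the Cognito
# user pool API. `client` is anything with get_user, get_user_attribute_verification_code
# and verify_user_attribute methods (boto3.client("cognito-idp") in practice);
# StubCognito below is a constructed offline stand-in with one user.
VERIFIABLE = {"email": "email_verified", "phone_number": "phone_number_verified"}

def unverified_attributes(client, access_token):
    """Names of email/phone attributes that are set but not yet verified."""
    user = client.get_user(AccessToken=access_token)
    attrs = {a["Name"]: a["Value"] for a in user["UserAttributes"]}
    return [name for name, flag in VERIFIABLE.items()
            if name in attrs and attrs.get(flag, "false") != "true"]

def request_codes(client, access_token):
    """Ask Cognito to send a verification code for each pending attribute."""
    pending = unverified_attributes(client, access_token)
    for name in pending:
        client.get_user_attribute_verification_code(AccessToken=access_token, AttributeName=name)
    return pending

def submit_code(client, access_token, attribute_name, code):
    """Submit the code the user received; True once the attribute is verified."""
    client.verify_user_attribute(AccessToken=access_token, AttributeName=attribute_name, Code=code)
    return attribute_name not in unverified_attributes(client, access_token)

class StubCognito:
    """Constructed stand-in: one user, phone verified, email still pending."""
    def __init__(self):
        self.attrs = {"email": "user@example.com", "email_verified": "false",
                      "phone_number": "+15555550100", "phone_number_verified": "true"}
        self.codes = {}

    def get_user(self, AccessToken):
        return {"UserAttributes": [{"Name": k, "Value": v} for k, v in self.attrs.items()]}

    def get_user_attribute_verification_code(self, AccessToken, AttributeName):
        self.codes[AttributeName] = "938764"  # the stub always "sends" this six-digit code
        return {}

    def verify_user_attribute(self, AccessToken, AttributeName, Code):
        if self.codes.get(AttributeName) != Code:
            raise ValueError("CodeMismatchException")  # mirrors the service error name
        self.attrs[VERIFIABLE[AttributeName]] = "true"
        return {}
```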

Page 23: Getting Started with Cognito User Pools - September Webinar Series

Using Aliases in Amazon Cognito User Pools

Sign-up and sign-in with email is very common today

Aliases in Amazon Cognito support use of email, phone or preferred user name in place of the user name

A username value must be provided at sign-up, but it could be generated by the app and not exposed to the end user

Phone numbers and email addresses must be unique and must be verified before they can be used to sign in

Illustration: a “My App” screen with Email and Password fields and Sign In / Sign Up buttons

Page 24: Getting Started with Cognito User Pools - September Webinar Series

Cognito User and Federated Identities

1. User signs in to Cognito User Identities (Your User Pool)

2. Cognito returns Access and ID Tokens

3. Cognito Federated Identities (Identity Pool): get AWS scoped credentials

4. Access to AWS services: DynamoDB, S3, API Gateway

Page 25: Getting Started with Cognito User Pools - September Webinar Series

Getting Started with Your User Pools

See aws.amazon.com/cognito/dev-resources/ for links to:

SDKs for iOS, Android, and JavaScript

Sample apps for iOS and Android (an AWS Mobile Blog article describes them)

Developer Guide

API Reference Guide

Page 26: Getting Started with Cognito User Pools - September Webinar Series

Q&A

If you want to learn more, register for our upcoming AWS DevDay Austin!

Monday, October 24, 2016, JW Marriott Austin

https://aws.amazon.com/events/devday-austin

Free, one-day developer event featuring tracks, labs, and workshops around Serverless, Containers, IoT, and Mobile

Page 27: Getting Started with Cognito User Pools - September Webinar Series

Appendix

Visit aws.amazon.com/cognito/ to learn more

Page 28: Getting Started with Cognito User Pools - September Webinar Series

AWS Resources: Cognito Functional Diagram

Authentication – supported providers: social identity providers, developer provided, and enterprise identity provider via SAML. The Cognito User Pool authenticates users and generates identity tokens.

Authorization / permission: Cognito Federated Identities (Identity Pool) validates identity tokens and provides credentials to access AWS resources.

Page 29: Getting Started with Cognito User Pools - September Webinar Series

Pricing

Pricing is based on Monthly Active Users (MAUs) with volume-based discounting

A user is counted as a MAU if there is an identity operation related to that user within a calendar month (e.g., sign-up, sign-in, token refresh, or password change)

No charge for subsequent sessions or for inactive users

SMS charges are billed separately (using the SNS Global SMS feature)

Pricing Tier: Price per 1K MAUs

First 50,000 MAUs: Free

Next 50,000 MAUs: $5.50

Next 900,000 MAUs: $4.60

Next 9,000,000 MAUs: $3.25

>10,000,000 MAUs: $2.50

Page 30: Getting Started with Cognito User Pools - September Webinar Series

Amazon Cognito Sync: User Data Storage and Sync

Any platform: iOS/Android/FireOS

Store app data, preferences, and state: save app and device data to the cloud and merge them after login

Cross-device / cross-OS sync: sync user data and preferences across devices with a few lines of code

Work offline: data always stored in local SQLite DB first; works seamlessly with intermittent or no connectivity

No back end: simple client SDK eliminates need for server side code

Diagram: k/v data stored against an identity pool


Page 31: Getting Started with Cognito User Pools - September Webinar Series

Push Sync

Sync between devices in near real-time using push instead of polling

Fewer syncs = cost savings

Powered by SNS

Push changes from your backend

Page 32: Getting Started with Cognito User Pools - September Webinar Series

Cognito Streams

Enables deeper analysis of data

Receive a stream of any updates to a dataset for each identity in your identity pool

Publishes updates to Kinesis

From Kinesis write to other destinations such as Redshift or ElasticSearch

Diagram: Cognito -> Kinesis -> Redshift / ElasticSearch

Page 33: Getting Started with Cognito User Pools - September Webinar Series

Cognito Events

Can be used to provide data validation (cheating, sanitization)

Can be used to inject data (bonuses, content)

Perform additional logic server side during a synchronize call

Full control over dataset contents

Diagram: Cognito -> Lambda