Are you looking for a user management tool that provides authentication and authorization mechanisms, token generation and distribution, password storage and protection, and user management APIs? Look no further than AWS Cognito.

In this blog post, we’ll take a closer look at the features of AWS Cognito and walk you through the steps to get started with this powerful user management tool. Whether you’re a developer or a business owner, AWS Cognito can help you streamline your user management and ensure the security of your data.

AWS Cognito


As we all know, user management has become much more important these days. While some companies keep their users on on-prem servers and handle user management themselves, some large companies such as Auth0, Okta, and OneLogin also provide services in this field.

When it comes to user management, we should think of not only a server where users are stored but also an identity provider for the following requirements:

  • Authentication & authorization mechanisms.
  • Token generation, distribution, and security.
  • Password storage and protection.
  • User management APIs (Register, login, forgot password, logout, etc.).
  • Additional security mechanisms (MFA, suspicious IP blocking, account locking, etc.).

Today, we will discuss one of our favorites, AWS Cognito. AWS Cognito user management has two aspects:

  • AWS Cognito User Pools
  • AWS Cognito Identity Pools

AWS Cognito User Pool provides user management (register, login, logout, forgot password, reset password, etc.) and access control to our web and mobile app users in a quick and easy way. It also supports sign-in with social identity providers, such as:

  • Google
  • Facebook
  • Apple
  • Amazon
  • SAML 2.0
  • OpenID Connect

We don’t have to worry about where users’ passwords or information are stored: Amazon Cognito User Pools provide a secure user directory that scales to hundreds of millions of users and uses the JWT (JSON Web Token) mechanism. It also complies with HIPAA, PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27018, and ISO 9001, so you can use AWS Cognito with your critical infrastructure apps.

To understand Cognito deeply, let’s get our hands dirty! We need a free tier AWS account which you can access by following the steps here.

Step-by-Step: Getting Started with AWS Cognito

Search Cognito on AWS Management Console and Select Cognito

First of all, we should search for Cognito in the AWS Management Console and select Cognito.


We should select “Manage User Pools”. If there are no issues related to your AWS account settings, you will see the blank “Your User Pools” page. If there is an error, please check your AWS account registration and payment settings. On this page, we should select “Create A User Pool”. We should give our user pool a name so we can identify it in the future. We can create our user pool by reviewing the default settings or by stepping through the settings one by one. In this case, we choose to step through the settings so we can see the AWS Cognito settings in detail.


Attributes Tab

On the “Attributes” tab, we should choose how we want our users to sign in: username, email, or phone number. This selection is critical because you cannot change this setting after the creation of the Cognito User Pool. Select the “Email address or phone number” option and then the “Allow email address” option.


What are the attributes that we want from the users in the sign-up process? We can select register (sign-up) attributes on the same page. There are two options: Required or Custom Attributes. If you select Required Attributes, users must provide all of them. On the other hand, if you select custom attributes, users can send them with null values (blank on the register page). You can use the custom attributes for your custom user management, database, or multi-tenancy solutions.

We recommend using custom attributes instead of required attributes if they are not critical for development or production purposes. In this case, we choose email for the required attributes.


Password Policy

In the next step, we can set up our password policy and choose whether users can sign up by themselves or not. Disabling self sign-up can be useful for critical and internal apps where users can only be registered by the admin. Also, we can edit the temporary password expiration time. In this case, we did not make any changes and kept the default values. We recommend you construct a strong password policy in the production environment.
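
One way to check these settings outside the console is to audit the pool description that the API returns. The following is an added example, not part of the original post; the baseline thresholds and the sample pool are assumptions made for illustration.

```python
# Baseline values are assumptions chosen for this example, not AWS defaults.
MIN_LENGTH = 12
MAX_TEMP_PASSWORD_DAYS = 3
REQUIRED_FLAGS = ("RequireUppercase", "RequireLowercase",
                  "RequireNumbers", "RequireSymbols")


def audit_user_pool(pool, internal_app=False):
    """Audit the "UserPool" dict returned by describe_user_pool.

    With boto3 (not imported here) that dict comes from:
    boto3.client("cognito-idp").describe_user_pool(UserPoolId=...)["UserPool"]
    """
    findings = []
    policy = pool.get("Policies", {}).get("PasswordPolicy", {})

    if policy.get("MinimumLength", 0) < MIN_LENGTH:
        findings.append(f"MinimumLength below {MIN_LENGTH}")
    for flag in REQUIRED_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is off")
    days = policy.get("TemporaryPasswordValidityDays")
    if days is None or days > MAX_TEMP_PASSWORD_DAYS:
        findings.append(f"temporary passwords valid for {days} days")

    # Internal apps: only an administrator should be able to create users.
    admin_cfg = pool.get("AdminCreateUserConfig", {})
    if internal_app and not admin_cfg.get("AllowAdminCreateUserOnly", False):
        findings.append("self sign-up is enabled")
    return findings


# Constructed sample input (not output captured from a real pool).
SAMPLE_POOL = {
    "Name": "example-pool",
    "Policies": {"PasswordPolicy": {
        "MinimumLength": 8, "RequireUppercase": True, "RequireLowercase": True,
        "RequireNumbers": True, "RequireSymbols": False,
        "TemporaryPasswordValidityDays": 7}},
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
}

if __name__ == "__main__":
    for finding in audit_user_pool(SAMPLE_POOL, internal_app=True):
        print("FINDING:", finding)
```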


MFA and Verifications

After this page, we will see the “MFA and verifications” page. MFA options will be discussed in a different blog post.


Message Customization

On the “Message Customization” page, we can modify our user verification and temporary code mail details. AWS Cognito uses AWS SES for email-sending operations. You can select your verification type and email message details here. In our case, we selected the verification link and changed the Email message content a little bit.

We can add additional tags for management purposes on the “Tags” page.

On the “Devices” page, you will see the “Remember User Devices?” option. This option allows us to collect the details of the devices that users sign in from, which can be useful for security purposes. In this case, we choose the “Always” option here.


App Clients

After this page, we should see a critical option: “App Clients”. You can create multiple app clients for a user pool. Generally, an app client corresponds to the platform of an app. For example, you might create one app client for Android and one for Web. Each app client has its own app client ID. In addition to this, we can set the expiration time of our tokens (ID, access, and refresh) for every app client here. We only disabled the “Generate client secret” option here. The client secret option can be useful for cloud-to-cloud integrations, but we don’t need a client secret value here.


Set Attribute Read and Write Permissions

At the bottom of the same page, you should see the “Set attribute read and write permissions” option. If you add a custom attribute, you should select read and write permissions for it here. Otherwise, you will not get any error, but you will not be able to see your users’ custom attribute values on the Cognito User page.

This can be confusing, so you should be careful about this option.

Cognito Triggers


After this, we reach one of our favorite Cognito features: Cognito Triggers. These options can be very useful when we want to run our own logic during the user registration, sign-in, and token generation processes. To use triggers, we should use AWS Lambda functions.
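
As an illustration of a trigger, here is a "Pre sign-up" Lambda handler that only lets allowlisted email domains self-register. This is an added example, not code from the original post; the allowlist, the admin bypass, and the `sample_event` helper are assumptions made for the example.

```python
# Assumption: placeholder allowlist; replace with your organisation's domains.
ALLOWED_DOMAINS = {"example.com"}


def email_allowed(email):
    """True only for a single-@ address whose domain is exactly allowlisted."""
    local, sep, domain = email.strip().lower().rpartition("@")
    return bool(sep and local and "@" not in local and domain in ALLOWED_DOMAINS)


def lambda_handler(event, context):
    """Pre sign-up trigger: raising an exception makes Cognito refuse the sign-up."""
    # Assumption: users created by an administrator bypass the allowlist.
    if event["triggerSource"] == "PreSignUp_AdminCreateUser":
        return event
    email = event["request"]["userAttributes"].get("email", "")
    if not email_allowed(email):
        raise ValueError("Sign-up is not permitted for this email address")
    # Do not auto-confirm: the user still has to click the verification link.
    event["response"]["autoConfirmUser"] = False
    event["response"]["autoVerifyEmail"] = False
    return event


def sample_event(email, source="PreSignUp_SignUp"):
    """Constructed event containing only the fields this handler reads."""
    return {"triggerSource": source,
            "request": {"userAttributes": {"email": email}},
            "response": {}}


if __name__ == "__main__":
    print(lambda_handler(sample_event("alice@example.com"), None))
```

The exact-match comparison on the domain is what rejects look-alike addresses such as `bob@example.com.evil.test`.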

After all of these, we can create our user pool successfully. You can see your user pool ID on the main page of your user pool.


Setting Up User Sign-In and Domain Name

Now, we can register a user and sign in. AWS Cognito provides us with the Hosted UI page for testing purposes. We can select “App Integration → Domain Name” from the left bar on the page of the user pool that we have created. We need an AWS Cognito domain for sign-in, sign-up, and forgot password operations. We selected “test-medium” as the domain name, checked its availability, and saved the changes. You can also use your own domain with AWS ACM.


Finally, you should set a callback sign-in and sign-out URL for your app client. We chose http://localhost:8000 for test purposes. After saving these configurations, you will see the “Launch hosted UI” button below.


After we launch the Hosted UI, we can sign up our users. You should think of the Hosted UI as your app’s register or login page. We selected the sign-up option here because we have not registered a user yet.


During the sign-up process, we registered with a test e-mail address and password.


To verify the email address, AWS Cognito sends a verification link to the email address. (Keep in mind that we have configured this option above.)


After clicking the link in the verification email, AWS Cognito verifies the email address. The user can then sign in successfully and get the tokens. You can see the tokens in your browser’s address bar. Also, under the “Users and Groups” option on your user pool configuration page, you can see your entire user list and user data.
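
The tokens that appear in the address bar can be pulled out of the redirect URL and their claims checked before an app relies on them. The following is an added example, not part of the original post; the region, pool ID, client ID, and the unsigned sample tokens are constructed placeholders, and a real verifier must also check the signature against the pool's JWKS.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlsplit


def tokens_from_redirect(url):
    """Pull the token parameters out of the redirect URL's fragment."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}


def decode_claims(jwt):
    """Decode the payload for inspection only; this does NOT verify the signature."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_claims(claims, region, pool_id, client_id, token_use, now=None):
    """Return claim problems. A real verifier must first check the signature
    against https://cognito-idp.<region>.amazonaws.com/<pool_id>/.well-known/jwks.json"""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{pool_id}":
        problems.append("iss mismatch")
    if claims.get("token_use") != token_use:
        problems.append("token_use mismatch")
    # ID tokens carry the app client ID in "aud", access tokens in "client_id".
    key = "aud" if token_use == "id" else "client_id"
    if claims.get(key) != client_id:
        problems.append(f"{key} mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    return problems


def sample_token(claims):
    """Constructed, unsigned token so the example runs offline."""
    parts = [json.dumps({"alg": "RS256"}), json.dumps(claims)]
    b64 = [base64.urlsafe_b64encode(p.encode()).rstrip(b"=").decode() for p in parts]
    return ".".join(b64 + ["c2ln"])


# Constructed sample: placeholder pool ID, client ID and timestamps.
ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
ID_TOKEN = sample_token({"iss": ISS, "token_use": "id",
                         "aud": "example-client-id", "exp": 1700003600})
ACCESS_TOKEN = sample_token({"iss": ISS, "token_use": "access",
                             "client_id": "example-client-id", "exp": 1700003600})
REDIRECT = (f"http://localhost:8000/#id_token={ID_TOKEN}"
            f"&access_token={ACCESS_TOKEN}&expires_in=3600&token_type=Bearer")
```

Checking `token_use` matters because an access token presented where an ID token is expected would otherwise pass the issuer and expiry checks.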


To sum up

AWS Cognito is a powerful tool for user management, providing authentication and authorization mechanisms; token generation, distribution, and security; password storage and protection; and user management APIs, among other features. With its support for sign-in with social identity providers like Google, Facebook, and Apple, AWS Cognito makes it easy to manage users and their data.

At PurpleBox, we believe that AWS Cognito is an essential tool for any organization looking to streamline user management and ensure the security of their data.
