Amazon Cognito
Difficulty: medium
Overview
Amazon Cognito provides authentication and authorization for web/mobile applications.
User Pools: User directory. Handles sign-up, sign-in, MFA. Output: an ID token and an access token (JWTs, RS256-signed with a per-pool key published at the pool's `/.well-known/jwks.json`) plus an opaque refresh token. Integrates with API Gateway (Cognito authorizer) and ALB (listener authentication). Lambda triggers for custom auth flows and validation hooks.
Identity Pools (Federated Identities): Exchange an identity token (User Pool, Google, SAML, OIDC, or a developer-authenticated identity) for temporary AWS credentials via STS; the IAM role comes from the pool's authenticated/unauthenticated role settings or from rule-based role mapping. Enables direct AWS service access from mobile apps. Supports unauthenticated (guest) access: guest credentials are real AWS credentials, so scope the unauthenticated role to the minimum, and keep both role trust policies conditioned on the identity pool ID (`cognito-identity.amazonaws.com:aud`) and on `cognito-identity.amazonaws.com:amr`, so a token from another pool cannot assume these roles.
User Pool vs Identity Pool:
| | User Pool | Identity Pool |
|---|---|---|
| Purpose | Authentication | AWS authorization |
| Output | JWTs | AWS credentials |
Combined Flow:
- Sign in to User Pool → JWT.
- Exchange the ID token with the Identity Pool (enhanced flow: GetId, then GetCredentialsForIdentity) → temporary AWS credentials (access key, secret key, session token).
- Access S3/DynamoDB directly with those credentials, limited by the IAM policy on the role the pool assigned.
JWT Token Types:
- ID Token: User identity claims (`sub`, `email`, `cognito:groups`, custom attributes); the app client ID is in `aud`. Use to establish who the user is.
- Access Token: OAuth 2.0 scopes (`scope`), `cognito:groups`, and the app client ID in `client_id`; carries no profile attributes such as `email`. Use to authorize API calls (an API Gateway Cognito authorizer configured with scopes requires it).
- Refresh Token: Opaque, not a JWT. Exchange for new ID and access tokens. Default 30-day expiry, configurable per app client (60 minutes to 10 years); revocable with RevokeToken or GlobalSignOut.
- Verification: before trusting any claim, a backend must check the RS256 signature against the pool's JWKS key selected by `kid`, then `iss`, `exp`, `token_use`, and `aud` (ID token) or `client_id` (access token).
Cognito Lambda Triggers: Pre sign-up (validate or reject a registration, optionally auto-confirm), Pre authentication, Post authentication, Post confirmation, Custom message, User migration, Pre token generation (add, suppress or override claims in the issued tokens), Custom auth flow (Define / Create / Verify auth challenge).
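A Pre sign-up trigger that rejects self sign-ups from outside the company's email domains, as an added example that is not the page's or AWS's code. The allowed domains, region and pool ID are placeholders, and the sample event is constructed in the shape Cognito passes to the trigger. The check uses exact domain membership rather than a suffix match, and leaves auto-verification off so the email confirmation step is not bypassed.

```javascript
// Added example, not code from the page or from AWS: a Cognito Pre sign-up
// Lambda trigger that allows self sign-up only from company email domains.
// ALLOWED_DOMAINS, region and pool ID are placeholders; the event shape
// follows what Cognito passes to the trigger.
const ALLOWED_DOMAINS = new Set(['example.com', 'corp.example.com']); // placeholder domains

// Returns the lower-cased domain of an address, or null when the value is not
// a single local@domain string. Callers treat "missing" and "malformed" alike.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.indexOf('@');
  if (at < 1 || at !== email.lastIndexOf('@') || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Core logic, synchronous so it is easy to test. Throwing rejects the sign-up;
// Cognito relays the error message to the client.
function preSignUp(event) {
  // Admin-created users (AdminCreateUser) were vetted by an administrator; apply
  // the rule to self sign-up and to first sign-in through a federated IdP.
  if (event.triggerSource === 'PreSignUp_AdminCreateUser') return event;

  const domain = emailDomain(event.request?.userAttributes?.email);
  if (domain === null) throw new Error('An email address is required to sign up.');
  // Exact set membership, not endsWith(): "evil-example.com" and
  // "example.com.attacker.net" must both fail.
  if (!ALLOWED_DOMAINS.has(domain)) throw new Error('Sign-up is restricted to company email addresses.');

  // Leave these false. Auto-verifying the email here would skip the confirmation
  // code, so anyone could register an address they do not control.
  event.response.autoConfirmUser = false;
  event.response.autoVerifyEmail = false;
  return event;
}

// Lambda entry point.
exports.handler = async (event) => preSignUp(event);

// Constructed sample event in the shape Cognito sends to the Pre sign-up trigger.
function makeEvent(email, triggerSource = 'PreSignUp_SignUp') {
  return {
    version: '1',
    triggerSource,
    region: 'us-east-1',             // placeholder
    userPoolId: 'us-east-1_EXAMPLE', // placeholder
    userName: 'alice',
    request: { userAttributes: email === undefined ? {} : { email }, validationData: null },
    response: { autoConfirmUser: false, autoVerifyEmail: false, autoVerifyPhone: false },
  };
}

// Demo of accepted and rejected addresses.
for (const addr of ['alice@example.com', 'Bob@CORP.EXAMPLE.COM', 'mallory@evil-example.com',
                    'mallory@example.com.attacker.net', 'broken@@example.com', undefined]) {
  try { preSignUp(makeEvent(addr)); console.log(`${addr}: allowed`); }
  catch (e) { console.log(`${addr}: rejected (${e.message})`); }
}
```

The same handler runs for `PreSignUp_ExternalProvider` (first sign-in through a federated IdP), where the `email` attribute comes from the IdP's mapped claims; if the IdP does not assert a verified email, an attribute-level check is not a substitute for restricting which IdPs the app client may use.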
Practice Linked Questions
Q1. A developer builds a mobile app with user sign-up, sign-in, and MFA. The app needs to authenticate with an AWS API Gateway. Which Amazon Cognito component handles the user directory and authentication?
Select one answer before revealing.
Q2. After signing in via Cognito User Pool, a user wants to call DynamoDB directly from a mobile app without a backend API. Which sequence of steps is correct?
Select one answer before revealing.
Q3. A developer needs to add custom validation logic during Cognito User Pool sign-up — specifically to reject sign-ups from email domains outside the company. Which Cognito feature enables this?
Select one answer before revealing.
Q4. A Cognito User Pool is configured with hosted UI. A user signs in and then calls the token endpoint to exchange the authorization code for tokens. The developer needs to inspect the token to get the user's email and group memberships. Which token contains this information?
Select one answer before revealing.
Q5. A developer is testing a Cognito User Pool integration. The refresh token keeps expiring after 30 days. The developer wants to extend the refresh token expiry. Where is this configured?
Select one answer before revealing.