Secure User Authentication with Amazon Cognito User Pools
Implement authentication and/or authorization for applications and AWS services
This lab guides you through implementing a secure authentication layer for the TodoPlus application using Amazon Cognito. You will learn how to create a User Pool, manage application clients, and perform user sign-up and sign-in workflows.
Prerequisites
- An AWS Account with administrative permissions.
- AWS CLI installed and configured with your credentials (run aws configure).
- A valid email address to receive verification codes (optional for this CLI-driven lab).
- Basic familiarity with JSON and terminal commands.
Learning Objectives
- Provision an Amazon Cognito User Pool for user management.
- Configure an App Client to allow application-level access.
- Implement a programmatic user registration and confirmation flow.
- Authenticate a user to receive Identity and Access JSON Web Tokens (JWTs).
Architecture Overview
Step-by-Step Instructions
Step 1: Create the Cognito User Pool
The User Pool is your user directory. It handles password policies, MFA, and user attributes.
aws cognito-idp create-user-pool \
--pool-name "TodoPlusUserPool" \
--policies '{"PasswordPolicy":{"MinimumLength":8,"RequireUppercase":true,"RequireLowercase":true,"RequireNumbers":true,"RequireSymbols":false}}'
Console alternative: Navigate to Cognito > User Pools > Create user pool. Choose "User name" for sign-in options and set password requirements under "Security configuration".
Step 2: Create an App Client
An App Client allows your application (frontend or backend) to interact with the Cognito User Pool.
aws cognito-idp create-user-pool-client \
--user-pool-id <YOUR_USER_POOL_ID> \
--client-name "TodoPlusWebClient" \
--no-generate-secret \
--explicit-auth-flows ALLOW_USER_PASSWORD_AUTH ALLOW_REFRESH_TOKEN_AUTH
[!IMPORTANT] Note the ClientId from the output; you will need it for subsequent steps. We use --no-generate-secret because client-side browser applications cannot securely store secrets. The --explicit-auth-flows setting enables the USER_PASSWORD_AUTH flow used in Step 5; Cognito rejects that flow for a client unless it is listed explicitly.
Step 3: Register a New User
Simulate a user signing up for the TodoPlus application.
aws cognito-idp sign-up \
--client-id <YOUR_CLIENT_ID> \
--username "testuser@example.com" \
--password "Password123!"
Step 4: Confirm the User (Admin Override)
Normally, a user would receive an email code. For this lab, we will manually confirm the user as an administrator.
aws cognito-idp admin-confirm-sign-up \
--user-pool-id <YOUR_USER_POOL_ID> \
--username "testuser@example.com"
Step 5: Authenticate and Retrieve Tokens
This step simulates the login process. If successful, Cognito returns three tokens: ID Token, Access Token, and Refresh Token.
aws cognito-idp initiate-auth \
--auth-flow USER_PASSWORD_AUTH \
--client-id <YOUR_CLIENT_ID> \
--auth-parameters USERNAME=testuser@example.com,PASSWORD=Password123!
Checkpoints
| Action | Expected Result |
|---|---|
| List User Pools | Verify TodoPlusUserPool appears in the list after Step 1. |
| User Status | Run aws cognito-idp admin-get-user --user-pool-id <ID> --username testuser@example.com. Status should be CONFIRMED. |
| Authentication | The initiate-auth command should return a JSON object containing AuthenticationResult with an IdToken. |
Clean-Up / Teardown
[!WARNING] Always delete your resources to avoid potential costs and to maintain a clean environment.
# 1. Delete the User Pool (this also deletes associated clients and users)
aws cognito-idp delete-user-pool --user-pool-id <YOUR_USER_POOL_ID>
Troubleshooting
| Error | Likely Cause | Fix |
|---|---|---|
| NotAuthorizedException | Incorrect password or Client ID. | Double-check the ID from Step 2 and the password used in Step 3. |
| ResourceNotFoundException | The UserPoolId or Region is incorrect. | Ensure your CLI is set to the same region where the pool was created. |
| UserNotConfirmedException | Sign-up was successful but not confirmed. | Ensure you executed the admin-confirm-sign-up command in Step 4. |
Stretch Challenge
Enable Multi-Factor Authentication (MFA):
Modify your User Pool to require SMS MFA. You will need to configure an IAM role for Cognito to send SMS messages via Amazon SNS. Once enabled, try to authenticate again and observe the SMS_MFA challenge in the response.
Cost Estimate
- Cognito User Pool: Included in the AWS Free Tier (up to 50,000 monthly active users for standard pools).
- Estimated Cost for this Lab: $0.00 (well within free tier limits).
Concept Review
Authentication vs. Authorization
| Concept | Description |
|---|---|
| User Pool | A user directory that provides sign-up and sign-in options for app users. |
| Identity Pool | Provides temporary AWS credentials to grant users access to other AWS services (e.g., S3, DynamoDB). |
| JWT (JSON Web Token) | A compact, URL-safe means of representing claims to be transferred between two parties. |