Amazon Cognito
Blake’s Take
Blake’s takes are the TL;DR by Blake, for those who are too busy to dive into the details.
Cognito is a serverless way to guard your API, only allowing authenticated users access to your information. This is impressive when you take into account the 50,000 monthly active users free tier and the out-of-the-box scalability; it just requires you to take on some deep knowledge of the tool so you can customise it to work how you expect. It is priced per user interaction, so unless you have deep pockets it is not the tool to build machine-to-machine authentication with…
We’ve written this article to let you safely take advantage of an underused gem.
Photo by Patrick Robert Doyle on Unsplash
Intro
Cognito is one of those services where you either use it everywhere because it is so cheap or hide from it because so many people have told you how hard it is to use.
I had been in the latter camp, but wanted to dig deep into the technology to build the login for Teach Me, so that in turn we could provide a working website with our content protected from bot scrapers as well as write great documentation for you all.
This means I get to have some fun writing an article about securing content with Cognito whilst also locking some of that content behind a login. Don’t worry: you should only ever have to log into Teach Me once per device every 10 years (ten years being the longest refresh token lifetime Cognito allows), and we promise we aren’t doing anything malicious with that login except protecting our content.
Before going any further, let’s cover some foundations.
What Is Cognito?
Amazon Cognito is a service you can use to provide authentication for users calling your web services on AWS. The pricing is set up so that you get 50,000 Monthly Active Users for free when they authenticate directly against a user pool or through social sign-in. It is primarily marketed at authenticating users in UIs so they can access data behind your APIs. If you want to build an API that serves other APIs (aka machine-to-machine, using the client credentials grant) then there is no free tier and it is significantly more expensive. For full details on the pricing, check out this page
Cognito user pools issue OAuth 2.0 / OpenID Connect JSON Web Tokens (an ID token, an access token and a refresh token) as their primary means of authentication, and your API has to verify the token’s signature and claims on every request. Microsoft wrote a great article explaining OAuth if this is your first time hearing the term
So Cognito is Serverless Security?
Yes! Since it is pay per use, scales to 0 and you manage no instances, it is officially a serverless offering on AWS.
What can you integrate Cognito with?
It can be used out of the box with services like Amazon API Gateway (as a Cognito user pool authoriser) or AWS AppSync. AWS Amplify also has client-side libraries to do most of the integration and UI heavy lifting for you.
This sounds great, why do people avoid it?
Honestly, Cognito is a very powerful service, but a lot of the out-of-the-box configuration is not quite up to modern security expectations, so you do end up customising quite a lot to make it work the way you expect. Martyn Kilbryde has a great article showing how some small config changes can make a big difference to your security posture. This is a fair trade-off given how cheap the service can be, but you need to go in expecting to learn the tool deeply.
The huge gotcha with Cognito, even when you have it configured how you need, is that several core user pool settings cannot be changed after creation. If you need to change the attributes required at registration, or how users sign in (email, phone number or username), or another of the core configurations, you need to deploy a new user pool. This is further complicated as Cognito provides no one-click user migration feature that lets users keep their password (password hashes cannot be exported from a pool), so you need to employ strategies like a user migration Lambda trigger to move people as they log in. Yan Cui has a great article for more details