The world is moving towards more connected devices per person, with an average of 3.47 devices owned per person today and a prediction of 6.58 per person by 2020. AWS Cognito ensures that users of your app have a consistent and secure experience no matter what device or OS they're logging in from. We look at how AWS Cognito is a savior for app performance and what each part of it does.
What is Amazon Cognito & How Can it Benefit Mobile Apps & IoT Devices?
AWS Cognito is the service that allows businesses to easily incorporate user sign-up and authentication via mobile and web apps. AWS Cognito has the ability to scale to millions of users securely using its directory called User Pools.
The service gives you an extra layer of control over access and security for your end users through role assignment and mapping: end users only receive access to the back-end resources they are meant to reach.
For additional security, AWS Cognito supports data encryption at rest and in transit. This, along with other security features, means it’s HIPAA, PCI-DSS and ISO 27001 compliant. One less thing to worry about!
For a happier and more consistent end-user experience, AWS Cognito is enabled for sign-up via social identity providers such as Facebook and Google as well as enterprise identity providers, like Microsoft Active Directory. It also features flexible UI integration to work with your own branding and marketing initiatives. These elements of flexibility are a major draw to its appeal, freeing developers to continue creating and building new projects without the worry of excluding any particular user groups.
How does AWS Cognito Work?
The User Pool
The User Pool is essentially the directory of users for your application, and the component which initiates sign-up/sign-in. The User Pool provides user profiles and tokens, which give end users access to resources within your application.
Cleverly, the User Pool can be integrated with other AWS services such as AWS Lambda to help with fraud detection and customer verification. As it’s becoming the standard, the User Pool supports multi-factor authentication and the use of email or phone number verification for additional security.
The Identity Pool & Federated Identities
Through the use of external identity providers, Cognito Identity organizes and manages user identities in containers. The service supports identity providers (IdPs) such as Google, Facebook and Twitter, and any other OpenID Connect provider.
Within the Identity Pool, unique identifiers are created from the federated identities supplied by social IdPs; user profiles, however, are not created at this stage.
Once an end user has been authenticated by an IdP, a token is returned and passed through your app to AWS Cognito, which provides a Cognito identity and temporary credentials giving access for that single session. The access and permissions granted are based on the IAM roles you have assigned to individuals or groups, and even users who are not yet authenticated can have their own limited access through a separate IAM role. The IAM roles you configure are key to ensuring that each type of user can reach only the specified back-end resources.
It's important to mention here that user identities themselves are not stored. Instead, from the token presented at sign-in, a unique identifier is derived with a one-way hash, and that identifier is recognized the next time the user signs in.
The use of temporary credentials means that if a malicious user gained access to your resources, it would be for a limited time only, reducing the potential damage caused.
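The following is an added example (not code from the original post or from AWS) that models the Identity Pool behaviour described above: a stable identity ID derived by a keyed one-way hash rather than a stored identity, a separate role for guests and for authenticated users, and credentials that stop working once the session expires. The role ARNs, the ROLE_POLICY action names and the credential format are constructed for illustration; IdP token validation is assumed to have happened already.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed role ARNs standing in for the two roles an identity pool is configured with.
AUTH_ROLE = "arn:aws:iam::123456789012:role/Cognito_ExampleAuth_Role"
UNAUTH_ROLE = "arn:aws:iam::123456789012:role/Cognito_ExampleUnauth_Role"
POOL_KEY = secrets.token_bytes(32)  # per-pool key for the keyed one-way hash below
# Constructed least-privilege policies: the back-end actions each role may perform.
ROLE_POLICY = {
    AUTH_ROLE: {"profile:read", "profile:write", "catalog:read"},
    UNAUTH_ROLE: {"catalog:read"},
}

def identity_id_for(logins: Optional[Dict[str, str]]) -> str:
    """Map an IdP-verified login to a stable identity ID without storing the identity.

    `logins` is {provider: subject}, with the subject already checked by the IdP (token
    validation is outside this model). Only a keyed one-way hash is derived, so the same
    login yields the same ID next time; guests (no logins) get a fresh, unlinked ID.
    """
    if not logins:
        return "us-east-1:" + secrets.token_hex(8)
    provider, subject = next(iter(logins.items()))
    digest = hmac.new(POOL_KEY, f"{provider}:{subject}".encode(), hashlib.sha256)
    return "us-east-1:" + digest.hexdigest()[:16]

def issue_credentials(logins: Optional[Dict[str, str]], ttl_seconds: int = 3600) -> dict:
    """Return short-lived credentials bound to the authenticated or the guest role."""
    return {
        "identity_id": identity_id_for(logins),
        "role": AUTH_ROLE if logins else UNAUTH_ROLE,
        "access_key": "ASIA" + secrets.token_hex(8).upper(),
        "secret_key": secrets.token_urlsafe(30),
        "session_token": secrets.token_urlsafe(60),
        "expiration": time.time() + ttl_seconds,
    }

def credentials_valid(creds: dict, now: Optional[float] = None) -> bool:
    """Leaked credentials stop working once the session expiry passes."""
    return (time.time() if now is None else now) < creds["expiration"]

def authorize(creds: dict, action: str, now: Optional[float] = None) -> bool:
    """Allow an action only while the credentials are unexpired and the role permits it."""
    return credentials_valid(creds, now) and action in ROLE_POLICY[creds["role"]]
```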
The Data Sync
AWS Cognito offers a service, as part of the Identity Pool, to sync user data across different devices, operating systems and platforms effortlessly using key/value pairs. It works by a triggered sync of data sets against a cached library: the stored version is compared with the latest version, and only the most up-to-date version is kept.
The trigger can be done programmatically or through push notification (AWS SNS) sent to all devices associated with an identity to notify them when new data is available. The data will only update when a device is online.
For any data conflicts, however, you can override the default resolution through the AWS SDK, which exposes both versions. From there, you can choose which version is kept and stored in AWS Cognito and which is discarded.
The data sets have a maximum storage of 1MB each, with each individual user having a maximum of 20 data sets. This has been purposely created by AWS to ensure data synchronization is successful each time regardless of bandwidth, and without killing battery life and data plans.
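The following is an added example (not code from the original post or from the AWS SDK) that models the sync mechanism described in this section: a versioned cloud store enforcing the 20 data sets per user and 1MB per data set limits, a device-side cached copy that records which keys changed locally, and a sync that pulls remote changes, hands keys edited on both sides to a caller-supplied conflict resolver, and pushes the result. The dataset layout, the version counter and the size check on the JSON form are modelling choices.

```python
import json
MAX_DATASETS = 20            # datasets per identity, as the page states
MAX_DATASET_BYTES = 1 << 20  # 1 MB per dataset

class SyncStore:
    """Constructed stand-in for the cloud Sync store: versioned datasets per identity."""
    def __init__(self):
        self.datasets = {}  # identity -> dataset name -> {"version": int, "records": dict}

    def get(self, identity, name):
        per_identity = self.datasets.setdefault(identity, {})
        if name not in per_identity:
            if len(per_identity) >= MAX_DATASETS:
                raise ValueError(f"{identity} already has {MAX_DATASETS} datasets")
            per_identity[name] = {"version": 0, "records": {}}
        return per_identity[name]

    def put(self, identity, name, records):
        if len(json.dumps(records).encode()) > MAX_DATASET_BYTES:  # size of the JSON form
            raise ValueError(f"dataset {name} exceeds {MAX_DATASET_BYTES} bytes")
        dataset = self.get(identity, name)
        dataset["records"] = dict(records)
        dataset["version"] += 1
        return dataset["version"]

class LocalDataset:
    """Device-side cached copy: records plus the store version it last agreed with."""
    def __init__(self):
        self.records = {}
        self.synced_version = 0
        self.dirty = set()  # keys changed on this device since the last sync

    def set(self, key, value):
        self.records[key] = value
        self.dirty.add(key)

    def synchronize(self, store, identity, name, resolve):
        """Pull remote changes, let resolve(key, local, remote) settle two-sided edits, push."""
        remote = store.get(identity, name)
        if remote["version"] != self.synced_version:  # another device synced since we did
            for key, remote_value in remote["records"].items():
                if key in self.dirty and self.records[key] != remote_value:
                    self.records[key] = resolve(key, self.records[key], remote_value)
                elif key not in self.dirty:
                    self.records[key] = remote_value
            self.synced_version = remote["version"]
        if self.dirty:
            self.synced_version = store.put(identity, name, self.records)
            self.dirty.clear()
        return self.synced_version
```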
As with most other AWS services, with AWS Cognito, you only pay for what you use without any commitment when it comes to identity management and data synchronization.
User Pool Pricing
For the User Pool, you pay based on your Monthly Active Users (MAUs), counted as any user with activity linked to them in that month, e.g. sign-up, sign-in or password change. A user signing in twice is not charged twice under this system.
AWS gives you the first 50,000 MAUs free on its free tier; after this, the cost depends on which MAU bracket you fall into. This free tier is no longer limited to just the first 12 months and is instead an ongoing feature, which works well for small businesses.
There are, however, different rates for users signing in through the User Pool and those signing in through SAML.
For those using User Pool credentials or social IdPs:
For those using SAML or OIDC federation, the cost after the first 50,000 MAUs is a flat $0.015.
AWS has also recently introduced an advanced security package for Cognito, which includes adaptive authentication for any unusual activity. This feature provides a risk score to the activity and gives the option for further verification from the end user or to block the request altogether. The package also includes a prompt for users whose credentials have been compromised to change their passwords.
This Advanced Security Package for Cognito is priced in addition to the base set above, and is also set out on a scale:
It's also worth noting here that the multi-factor authentication AWS Cognito supports uses AWS Simple Notification Service (SNS), which adds another separate cost.
Cognito Sync Pricing
The costs for syncs are based on the amount of data saved in the Sync store and the number of sync operations performed. As mentioned before, the sync operation is the comparison of the local data to the data in the Sync store as well as the synchronization of the two.
Once again, the free tier gives users a 10GB cloud sync store and 1 million sync operations free, but only for the first 12 months. After this time, the monthly costs are as follows:
- $0.15 per 10,000 sync operations
- $0.15 per 1GB data stored
Interestingly, these figures go up for the Asia Pacific (Tokyo) region to $0.19 for both of the above categories.
AWS Cognito is a great tool and with some very competitive rates and security features, it adds much more ease and compliance to your serverless architecture.
Cloud Conformity provides continuous assurance for your AWS infrastructure through the use of over 500 checks, all of which are based on the Well-Architected Framework. Using multiple third-party communication channels to alert you to failures and the corresponding remediation steps, your resources will remain compliant, secure and optimized. Check out your current security posture with our 14-day free trial, which includes a 30-minute onboarding session to ensure correct setup and to answer any questions.