Amazon Cognito adds terms of use and privacy policy documents support to Managed Login
Amazon Cognito now allows you to configure terms of use and privacy policy documents for Managed Login (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) pages. This helps customers seamlessly present legal terms during user registration while simplifying implementation. With Managed Login, Cognito customers could previously use its no-code editor to customize the user journey from signup and login to password recovery and multi-factor authentication. Now, customers can additionally use Managed Login to easily set up terms of use and privacy policy documents, saving development teams from building custom solutions.
With this capability, you can configure terms of use and privacy policy URLs for each app client in your Cognito user pool. When users register, they see text indicating that by signing up, they agree to your terms of use and privacy policy, and a link to your webpage with the agreement. You can configure different URLs for each supported language (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-localization) to match your Managed Login localization settings. For example, if you have configured the privacy policy and terms of use documents for French (fr) and the same language is selected in the lang query parameter on the sign-up page URL, users will see the French URL you configured.
This capability is available to Amazon Cognito customers using the Essentials or Plus tiers (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html) in AWS Regions where Cognito is available, including the AWS GovCloud (US) Regions. To learn more, refer to the developer guide (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-terms-documents) and the pricing page (https://aws.amazon.com/cognito/pricing/) for Cognito Essentials and Plus tier.
aws.amazon.com
October 2, 2025 at 8:05 PM
#AWS #AwsGovcloudUs #AmazonCognito
Amazon Cognito introduces AWS WAF support for Managed Login
Amazon Cognito introduces AWS Web Application Firewall (AWS WAF) support in Cognito Managed Login. This new capability allows customers to protect their Managed Login endpoints configured in Cognito user pools from unwanted or malicious requests and web-based attacks. Managed Login, a fully-managed, hosted sign-in and sign-up experience that customers can personalize to align with their company or application branding, now offers an additional layer of protection against threat vectors through integration with AWS WAF web access control lists (web ACLs).
This integration provides customers with powerful new capabilities to safeguard their applications against malicious attacks. With AWS WAF support, you can now define rules that enforce rate limits, gain visibility into web traffic to your applications, and allow or block traffic to Cognito Managed Login based on your specific business or security requirements. Additionally, the AWS WAF integration enables you to optimize costs by controlling bot traffic to your Cognito user pools.
Managed Login and WAF support in Managed Login are offered as part of the Cognito Essentials and Plus tiers and are available in all AWS Regions where Amazon Cognito is available. Please note that AWS WAF charges apply for the inspection of user pool requests. For more information, see the AWS WAF pricing page (https://aws.amazon.com/waf/pricing/). To learn more, see the developer guide (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html), and to get started, visit the Amazon Cognito console (https://console.aws.amazon.com/cognito/home).
aws.amazon.com
June 26, 2025 at 11:05 PM
#AWS #AmazonCognito #AwsGovcloudUs
🆕 Amazon Cognito now supports M2M authorization with OAuth 2.0 context, cutting app client sprawl and costs. Available in Essentials or Plus tiers in select regions. See the developer guide and pricing page for details.
#AWS #AwsGovcloudUs #AmazonCognito
Amazon Cognito adds enhanced context support for machine-to-machine (M2M) authorization flows
Amazon Cognito now allows you to include additional contextual information in the OAuth 2.0 client credentials flow for M2M access token requests, enhancing your control over machine-based interactions. M2M authorization is commonly used for automated processes like data synchronization, event-driven workflows, and microservice communication. This capability enables customers to provide context-specific details (e.g., attributes of the machine such as IP address, location, environment; or business context like application name, tenant ID, etc.) when requesting access tokens for machine-based interactions. For example, consider an organization's internal API service that needs different access patterns across development and production environments. Using ClientMetadata, you can now specify {"environment": "dev"} or {"environment": "prod"} when requesting access tokens. With Cognito's support for pre-token generation Lambda triggers (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html), you can process this context to customize token scopes (e.g., api:read_all, api:write_restricted) and add environment-specific claims like rate limits. The API can then examine these scopes and claims to enforce appropriate access controls and rate limiting.
Without the ClientMetadata parameter, customers would often need separate app clients (e.g., 'internal-api-dev', 'internal-api-prod') to express contextual information, causing app client sprawl. Now, a single M2M app client can include contextual metadata with each request, reducing the need for multiple app clients and optimizing app client cost while providing context-aware authorization.
This capability is available to Amazon Cognito customers using the Essentials or Plus tiers (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html) in AWS Regions where Cognito is available, including the AWS GovCloud (US) Regions. To learn more, refer to this developer guide (https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html) and the Pricing Detail Page (https://aws.amazon.com/cognito/pricing/) for M2M authorization flows pricing.
aws.amazon.com
April 30, 2025 at 10:41 PM
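A sketch of the pre-token generation Lambda described in this announcement, written as an added example (not AWS's or the page's code): it treats ClientMetadata as caller-supplied input, checks it against a per-client allow-list, and fails closed before shaping scopes and claims. Assumptions: the event field names follow the version 3 trigger event layout as I understand it from the developer guide and should be verified there; the client IDs, the policy tables, the `rate_limit_per_minute` claim and the sample events are constructed for illustration.

```python
"""Pre token generation handler for M2M (client credentials) token requests."""

# Trigger source assumed for client-credentials grants in the v3 event format.
M2M_TRIGGER = "TokenGeneration_ClientCredentials"

# Hypothetical allow-list: which environments each app client may assert.
# ClientMetadata is chosen by the caller, so it must never be trusted alone.
ALLOWED_ENVIRONMENTS = {
    "example-client-id-internal-api": {"dev", "prod"},
    "example-client-id-reporting": {"prod"},
}

# Hypothetical mapping from environment to scopes (names from the page) and claims.
ENVIRONMENT_POLICY = {
    "dev": {
        "scopes": ["api:read_all", "api:write_restricted"],
        "claims": {"environment": "dev", "rate_limit_per_minute": 600},
    },
    "prod": {
        "scopes": ["api:read_all"],
        "claims": {"environment": "prod", "rate_limit_per_minute": 60},
    },
}


class ContextRejected(Exception):
    """Raised to make the trigger fail, so that no token is issued."""


def resolve_policy(client_id, client_metadata):
    """Return the policy for the asserted environment, or raise (fail closed)."""
    if not isinstance(client_metadata, dict):
        raise ContextRejected("ClientMetadata missing or malformed")
    environment = client_metadata.get("environment")
    if not isinstance(environment, str) or environment not in ENVIRONMENT_POLICY:
        raise ContextRejected("unknown environment")
    if environment not in ALLOWED_ENVIRONMENTS.get(client_id, set()):
        raise ContextRejected("environment not permitted for this app client")
    return ENVIRONMENT_POLICY[environment]


def handler(event, context):
    """Lambda entry point: shape the access token for M2M requests only."""
    if event.get("triggerSource") != M2M_TRIGGER:
        return event  # leave user sign-in flows untouched

    request = event.get("request", {})
    client_id = event["callerContext"]["clientId"]
    policy = resolve_policy(client_id, request.get("clientMetadata"))

    requested = set(request.get("scopes") or [])
    granted = set(policy["scopes"])
    # Only server-side policy values reach the token; nothing is copied
    # verbatim from ClientMetadata.
    event.setdefault("response", {})["claimsAndScopeOverrideDetails"] = {
        "accessTokenGeneration": {
            "claimsToAddOrOverride": dict(policy["claims"]),
            "scopesToAdd": sorted(granted),
            "scopesToSuppress": sorted(requested - granted),
        }
    }
    return event


def sample_event(client_id, metadata, trigger=M2M_TRIGGER, scopes=None):
    """Build a constructed trigger event for local testing."""
    return {
        "version": "3",
        "triggerSource": trigger,
        "callerContext": {"clientId": client_id},
        "request": {"clientMetadata": metadata, "scopes": scopes or []},
        "response": {"claimsAndScopeOverrideDetails": None},
    }


if __name__ == "__main__":
    out = handler(
        sample_event(
            "example-client-id-internal-api",
            {"environment": "dev"},
            scopes=["internal-api/admin", "api:read_all"],
        ),
        None,
    )
    print(out["response"]["claimsAndScopeOverrideDetails"])
```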
Amazon Cognito now supports access token customization for machine-to-machine (M2M) authorization flows
Amazon Cognito now allows customers to customize access tokens for M2M flows, enabling you to implement fine-grained authorization in your applications, APIs, and workloads. M2M authorization is commonly used for automated processes such as scheduled data synchronization tasks, event-driven workflows, microservices communication, or real-time data streaming between systems. In M2M authorization flows, an app client can represent a software system or service that can request access tokens to interact with resources, such as a reporting system or a data processing service. With this launch, customers can now customize their access tokens with custom claims (attributes about the app client) and scopes (level of access that an app client can request to a resource), making it easier to control and manage how their automated systems interact with each other.
Customers can now add custom attributes directly in access tokens, reducing the complexity of authorization logic needed in their application code. For example, customers can customize access tokens with claims that allow an app client for a reporting system to only read data while allowing an app client for a data processing service to both read and modify data. This allows customers to streamline authentication by embedding custom authorization attributes directly into access tokens during the token issuance process.
Access token customization for M2M authorization is available to Amazon Cognito customers using the Essentials or Plus tiers (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html) in all AWS Regions where Cognito is available, except the AWS GovCloud (US) Regions. To learn more, refer to the developer guide (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html).
aws.amazon.com
March 4, 2025 at 12:05 AM
#AWS #AmazonCognito #AwsGovcloudUs
Vaibhav Gujral, Kunle Adeleke and Pichaimani Rajesh Kumar have Sessions on Cloud Computing at Nebraska.Code() next week.
nebraskacode.amegala.com
#Kubernetes #Azure #CloudComputing #AmazonCognito #Nebraska #AccessManagement #TechConference #softwareengineering #softwaredevelopment #AWS
July 15, 2025 at 12:29 PM
Amazon Cognito now supports refresh token rotation
Amazon Cognito announces support for OAuth 2.0 refresh token rotation for user pool clients. Refresh tokens are long-lived tokens that allow applications to obtain new access tokens without requiring users to sign in again. With refresh token rotation, you can now configure your user pool clients to automatically replace existing refresh tokens with new ones at regular intervals, which in turn can strengthen your application's security posture. Instead of relying on tokens that remain valid for long periods of time, as before, refresh token rotation reduces the window in which a compromised refresh token could be used. In addition, refresh tokens rotate automatically in the background, allowing your users to maintain uninterrupted access without needing to re-authenticate.
In the absence of refresh token rotation, customers previously had to choose between long-lived tokens for minimizing user friction caused by re-authentication or short-lived tokens for better protection against risks from compromised tokens. Now, with refresh token rotation, customers can achieve a seamless user experience while strengthening their application's security posture by automatically updating users' refresh tokens. For example, in a collaboration app, while users remain logged in for their 30-day session, their refresh tokens can be updated every few hours upon exchanging for new access and ID tokens, limiting the exposure window of any single token.
This feature is available to Amazon Cognito customers using the Essentials or Plus tiers (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html) in AWS Regions where Cognito is available, including the AWS GovCloud (US) Regions. To learn more, visit the developer guide (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html).
aws.amazon.com
April 22, 2025 at 9:05 PM
#AWS #AmazonCognito #AwsGovcloudUs
"Designing a Scalable Multi-Tenant SaaS Architecture on AWS" by Prasanth Nambiar
#saas #multi-tenant #saas-arch #best practices #amazoncognito
Designing a Scalable Multi-Tenant SaaS Architecture on AWS
Discover how to build a scalable, secure multi-tenant SaaS architecture on AWS using best practices, cloud-native tools, and proven design patterns.
community.aws
July 3, 2025 at 3:30 AM
🆕 Amazon Cognito's Managed Login in AWS GovCloud (US) offers a no-code visual editor for rich branding, secure sign-up, login, and password recovery, with pre-built integrations for passwordless authentication, simplifying user experience design and deployment.
#AWS #AmazonCognito #AwsGovcloudUs
Amazon Cognito introduces Managed Login to support rich branding for end user journeys in the AWS GovCloud (US) Regions
Amazon Cognito introduces Managed Login in the AWS GovCloud (US) Regions, a fully-managed, hosted sign-in and sign-up experience that customers can personalize to align with their company or application branding. Amazon Cognito provides millions of users with secure, scalable, and customizable sign-up and sign-in experiences. With Managed Login, Cognito customers can now use its no-code visual editor to customize the look and feel of the user journey from signup and login to password recovery and multi-factor authentication.
Managed Login helps customers offload the undifferentiated heavy lifting of designing and maintaining custom implementations such as passwordless authentication and localization. For example, Managed Login offers pre-built integrations for passwordless login, including sign-in with passkeys, email, or text message. This provides customers the flexibility to implement low-friction and secure authentication methods without the need to author custom code. With Managed Login, customers now design and manage their end-user sign-up and sign-in experience through the AWS Management Console. Additionally, Cognito has also revamped its getting started experience with application-specific (e.g., for web applications) guidance for customers to swiftly configure their user pools. Together with Managed Login and a simplified getting started experience, customers can now get their applications to end users faster than ever before with Amazon Cognito.
Managed Login is offered as part of the Cognito Essentials tier and can be used in all AWS Regions where Amazon Cognito is available, including the AWS GovCloud (US) Regions. To get started, refer to:
Pricing Detail Page
AWS News Blog
Developer Guide
aws.amazon.com
March 10, 2025 at 6:40 PM
🆕 Amazon Cognito user pools now support AWS PrivateLink for secure private connectivity, eliminating public internet use. VPC endpoints enable private access for management and user auth, excluding OAuth 2.0. Available in all regions except AWS GovCloud (US). A…
#AWS #AmazonCognito #AwsPrivatelink
Amazon Cognito user pools now supports private connectivity with AWS PrivateLink
Amazon Cognito user pools now supports AWS PrivateLink for secure and private connectivity. With AWS PrivateLink, you can establish a private connection between your virtual private cloud (VPC) and Amazon Cognito user pools to configure, manage, and authenticate against your Cognito user pools without using the public internet. By enabling private network connectivity, this enhancement eliminates the need to use public IP addresses or to rely solely on firewall rules to access Cognito. This feature supports user pool management operations (e.g., list user pools, describe user pools), administrative operations (e.g., admin-created users), and user authentication flows (sign in local users stored in Cognito). OAuth 2.0 authorization code flow (Cognito managed login, hosted UI, sign-in via social identity providers), client credentials flow (Cognito machine-to-machine authorization), and federated sign-ins via SAML and OIDC standards are not supported through VPC endpoints at this time.
You can use PrivateLink connections in all AWS Regions where Amazon Cognito user pools is available, except AWS GovCloud (US) Regions. Creating VPC endpoints on AWS PrivateLink will incur additional charges; refer to the AWS PrivateLink pricing page for details. You can get started by creating an AWS PrivateLink interface endpoint for Amazon Cognito user pools using the AWS Management Console, AWS Command Line Interface (CLI), AWS Software Development Kits (SDKs), AWS Cloud Development Kit (CDK), or AWS CloudFormation. To learn more, refer to the documentation on creating an interface VPC endpoint and Amazon Cognito’s developer guide.
aws.amazon.com
November 7, 2025 at 10:40 PM
Amazon Cognito now supports passwordless authentication for low-friction and secure logins
Amazon Cognito now allows you to secure user access to your applications with passwordless authentication, including sign-in with passkeys, email, and text message. Passkeys are based on FIDO standards and use public key cryptography, which enables strong, phishing-resistant authentication. With passwordless authentication, you can reduce the friction associated with traditional password-based authentication and thus simplify the user log-in experience for your applications. For example, if your users choose to use passkeys to log in, they can do so using a built-in authenticator, such as Touch ID on Apple MacBooks and Windows Hello facial recognition on PCs.
Amazon Cognito provides millions of users with secure, scalable, and customizable sign-up and sign-in experiences within minutes. With this launch, AWS is now extending the support for passwordless authentication to the applications you build. This enables your end-users to log in to your applications with a low-friction and secure approach.
Passwordless authentication is offered as part of the Cognito Essentials tier and can be used in all AWS Regions where Amazon Cognito is available except the AWS GovCloud (US) Regions. To get started, see the following resources:
Pricing Detail Page: https://aws.amazon.com/cognito/pricing/
AWS News Blog: https://aws.amazon.com/blogs/aws/improve-your-app-authentication-workflow-with-new-amazon-cognito-features
Developer Guide: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html
aws.amazon.com
November 22, 2024 at 7:05 PM
#AWS #AmazonCognito #AwsGovcloudUs
AWS Weekly Roundup: Amazon Q CLI agent, AWS Step Functions, AWS Lambda, and more (March 10, 2025)
As the weather improves in the Northern hemisphere, there are more opportunities to learn and connect. This week, I’ll be in San Francisco, and we can meet at the Nova Networking Night at the AWS GenAI Loft where we’ll dive into the world of Amazon Nova foundation models (FMs) with live demos and real-world implementations. […]
aws.amazon.com
March 10, 2025 at 5:05 PM
#AWS #AmazonBedrock #AmazonCognito #AmazonQBusiness #AmazonQDeveloper #Announcements #AwsLambda #AwsStepFunctions #Launch #News #OpenSource #WeekInReview
Amazon Cognito adds terms of use and privacy policy documents support to Managed Login
aws.amazon.com
August 21, 2025 at 6:05 PM
🆕 Amazon Cognito adds Essentials and Plus tiers in AWS GovCloud (US). Essentials offers flexible user auth; Plus adds threat protection. Essentials is default, switchable anytime. Available in all regions with new pricing.
#AWS #AmazonCognito #AwsGovcloudUs
Announcing new feature tiers: Essentials and Plus for Amazon Cognito in AWS GovCloud (US) Regions
Amazon Cognito launches new user pool feature tiers, Essentials and Plus, in the AWS GovCloud (US) Regions. The Essentials tier offers comprehensive and flexible user authentication and access control features, allowing customers to implement secure, scalable, and customized sign-up and sign-in experiences for their application within minutes. It supports password-based log-in, multi-factor authentication (email, SMS, TOTP), and log-in with social identity providers, along with recently announced Managed Login and passwordless log-in (passkeys, email, SMS) features. Essentials also supports customizing access tokens and disallowing password reuse. The Plus tier is geared toward customers with elevated security needs for their applications by offering threat protection capabilities against suspicious log-ins. Plus includes all Essentials features and additionally supports risk-based adaptive authentication, compromised credentials detection, and exporting user authentication event logs to analyze threat signals.
Essentials will be the default tier for new user pools created by customers. Customers also have the flexibility to switch between all available tiers anytime based on their application needs. For existing user pools, customers can enable the new tiers or continue using their current user pool configurations without making any changes.
The Essentials and Plus tiers are available at new pricing. Essentials and Plus are available in all AWS Regions where Amazon Cognito is available, including the AWS GovCloud (US) Regions.
To learn more, refer to:
AWS News Blog
Documentation
aws.amazon.com
March 10, 2025 at 6:40 PM
Heading to Vegas for #reinvent2024! If you're attending, check out 1 of our 3 sessions on authN with #AmazonCognito and authZ with #AmazonVerifiedPermissions. Looking forward to engaging with attendees and customers to help solve their #CIAM use cases.
#aws #iam #cognito #identitymanagement
November 30, 2024 at 10:23 PM
🆕 AWS CDK L2 construct for Amazon Cognito Identity Pools is now available, enabling developers to define and deploy secure Identity Pool resources programmatically, simplifying authentication and authorization for web and mobile apps. Available in all AWS regions with Cognito.
#AWS #AmazonCognito
AWS CDK L2 Construct for Amazon Cognito Identity Pools now generally available
Amazon Web Services (AWS) announces the general availability of the AWS Cloud Development Kit (AWS CDK) L2 construct for Amazon Cognito Identity Pools. This library enables developers to programmatically define and deploy Identity Pool resources using familiar programming languages, making it easier to grant users secure access to AWS services in their applications.
With this construct library, you can define Identity Pools as infrastructure as code, configure authentication providers like Amazon Cognito User Pools, social identity providers (Facebook, Google, Apple, Amazon), and SAML 2.0 providers. The library helps you implement security best practices by default and reduces the complexity of managing authentication and authorization for your web and mobile applications.
The AWS CDK construct library for Amazon Cognito Identity Pools is available in all AWS Regions where Amazon Cognito is available.
To get started, visit the following resources:
Amazon Cognito Identity Pools documentation
AWS CDK API Reference
aws.amazon.com
April 2, 2025 at 8:40 PM
Improve your app authentication workflow with new Amazon Cognito features
#AWS #AmazonCognito #Announcements #Launch #News #Security #Identity #&Compliance
Identity management revamped: Amazon Cognito unveils customizable login flows, passwordless options, and tiered pricing for tailored authentication experiences.
aws.amazon.com
November 22, 2024 at 6:05 PM
🆕 Amazon Cognito now supports OAuth 2.0 resource indicators, allowing app clients to specify resources during access token requests, ensuring tokens are limited to specific resources like bank accounts. Available for Essentials or Plus tiers in supported AWS reg…
#AWS #AwsGovcloudUs #AmazonCognito
Amazon Cognito now supports resource indicators to simplify enhancing protection of OAuth 2.0 resources
Amazon Cognito now enables app clients to specify resource indicators during access token requests as part of its OAuth 2.0 authorization code grant and implicit grant flows. The resource indicator identifies the protected resource, such as a user’s bank account record or a specific file in a file server that the user needs to access. After authenticating the client, Cognito then issues an access token for that specific resource. This ensures that access tokens can be limited from broad service level access down to accessing specific individual resources.
This capability makes it simpler to protect resources that a user needs to access. For example, agents (an example of app clients) on behalf of users can request access tokens for specific protected resources, such as a user’s banking records. After validation, Cognito issues an access token with the audience claim set to the specific resource. Previously, clients had to use non-standard claims or scopes for Cognito to infer and issue resource-specific access tokens. Now, customers can specify the target resource in a simple and consistent way using the standards-based resource parameter.
This capability is available to Amazon Cognito Managed Login customers using Essentials or Plus tiers in AWS Regions where Cognito is available, including the AWS GovCloud (US) Regions. To learn more, refer to the developer guide, and pricing for Cognito Essentials and Plus tier.
aws.amazon.com
October 27, 2025 at 5:40 PM
Amazon Cognito is now available in the AWS GovCloud (US East) Region
#AWS #AwsGovcloudUs #AmazonCognito
Amazon Cognito is now available in the AWS GovCloud (US-East) Region. This launch introduces all Amazon Cognito features and tiers: Essentials, Lite, and Plus, allowing customers to use comprehensive and flexible authentication and access control features to implement secure, scalable, and customized sign-up and sign-in experiences for their application within minutes. Cognito allows customers to scale authentication to millions of users and supports sign-in with social identity providers such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via standards such as SAML 2.0 and OpenID Connect.
For a full list of regions where Amazon Cognito is available, refer to the AWS Region Table (https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/). To learn more about Amazon Cognito, refer to:
https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
https://aws.amazon.com/cognito/
https://aws.amazon.com/cognito/pricing/
aws.amazon.com
March 10, 2025 at 7:05 PM
Research and Engineering Studio on AWS Version 2024.12 now available
#AWS #AmazonCognito #AwsGovcloudUs
Today we’re excited to announce Research and Engineering Studio (RES) on AWS Version 2024.12. This release makes it possible to configure your Active Directory (AD) dynamically at runtime, allows Amazon Cognito users to launch Linux virtual desktops, and gives administrators the option to configure SSH access to virtual desktop infrastructure (VDI).
RES administrators can now manage AD parameters and enable Cognito users through the RES UI in the new Identity Management page. AD parameters that were once required when deploying RES are now optional and can be changed at any time after deployment. Admins can also add LDAP filters for users and groups to be more targeted about what AD identities get synced to RES. Cognito can now be used as an identity source and login method to either augment or replace the existing Active Directory and Single Sign-On (SSO) authentication. Cognito users can access Linux VDI sessions in the RES environment just like users that access the environment through SSO. Add Cognito users to RES by manually adding them to the RES Cognito User Pool or activating user self registration from the RES UI.
This release also gives administrators control over SSH access in the RES environment. SSH access to VDI sessions is now deactivated by default and can be reactivated at any time from the Permission Policy page.
See https://docs.aws.amazon.com/res/latest/ug/plan-your-deployment.html#plan-your-deployment-supported-aws-regions for the list of regions where RES is available.
Check out the additional release notes at https://github.com/aws/res/releases on GitHub to get started and deploy RES 2024.12.
aws.amazon.com
December 12, 2024 at 11:05 PM
"OAuth2 Scope Authorization with Amazon Verified Permissions" by Owen Hawkins
#verified-permissions #amazon-verified-permissions #cognito #amazoncognito
OAuth2 Scope Authorization with Amazon Verified Permissions
Learn to implement OAuth2 scope-based authorization using Amazon Verified Permissions and Cognito for fine-grained machine-to-machine API access control.
community.aws
June 27, 2025 at 3:00 PM
AWS Weekly Roundup: Amazon Q Developer, AWS Account Management updates, and more (April 28, 2025)
#AWS #AmazonBedrock #AmazonCognito #AmazonSagemakerLakehouse #Announcements #Launch #News #WeekInReview
Summit season is in full throttle! If you haven’t been to an AWS Summit, I highly recommend you check one out that’s nearby. They are large-scale all-day events where you can attend talks, watch interesting demos and activities, connect with AWS and industry people, and more. Best of all, they are free—so all you need […]
aws.amazon.com
April 28, 2025 at 4:05 PM
🆕 Amazon Cognito is live in AWS Asia Pacific (Malaysia), with Essentials, Lite, and Plus tiers for secure, scalable auth. Supports social and enterprise sign-ins. For details, check AWS Region Table, Developer Guide, Product, and Pricing pages.
#AWS #AmazonCognito
Amazon Cognito is now available in Asia Pacific (Malaysia) Region
Amazon Cognito is now available in the AWS Asia Pacific (Malaysia) Region. This launch introduces all Amazon Cognito features and tiers: Essentials, Lite, and Plus, allowing customers to use comprehensive and flexible authentication and access control features to implement secure, scalable, and customized sign-up and sign-in experiences for their application within minutes. Cognito allows customers to scale authentication to millions of users and supports sign-in with social identity providers such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via standards such as SAML 2.0 and OpenID Connect.
For a full list of regions where Amazon Cognito is available, refer to the AWS Region Table. To learn more about Amazon Cognito, refer to:
Developer Guide
Product Detail Page
Pricing Detail Page
aws.amazon.com
March 11, 2025 at 3:40 AM