#amazon-cognito
The way one company can bring down half the fucking internet
October 20, 2025 at 2:02 PM
🆕 Announcing new feature tiers: Essentials and Plus for Amazon Cognito

#AWS #AmazonCognito
Amazon Cognito launches new user pool feature tiers: Essentials and Plus. The Essentials tier offers comprehensive and flexible user authentication and access control features, allowing customers to implement secure, scalable, and customized sign-up and sign-in experiences for their application within minutes. It supports password-based log-in, multi-factor authentication (email, SMS, TOTP), and log-in with social identity providers, along with recently announced Managed Login and passwordless log-in (passkeys, email, SMS) features. Essentials also supports customizing access tokens and disallowing password reuse. The Plus tier is geared toward customers with elevated security needs for their applications by offering threat protection capabilities against suspicious log-ins. Plus includes all Essentials features and additionally supports risk-based adaptive authentication, compromised credentials detection, and exporting user authentication event logs to analyze threat signals. Essentials will be the default tier for new user pools created by customers. Customers also have the flexibility to switch between all available tiers anytime based on their application needs. For existing user pools, customers can enable the new tiers or continue using their current user pool configurations without making any changes. Customers using advanced security features (ASF) in Amazon Cognito should consider the Plus tier, which includes all ASF capabilities, additional capabilities such as passwordless log-in, and up to 60% savings compared to using ASF. The Essentials and Plus tiers are available at new pricing. Essentials and Plus are available in all AWS Regions where Amazon Cognito is available except AWS GovCloud (US) Regions. To learn more, refer to: AWS News Blog Documentation
aws.amazon.com
November 22, 2024 at 6:23 PM
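I published a blog post.
This is the fourth installment on Amazon Cognito.

I included a discussion of how, when you need to keep things like DB records and API calls consistent, you tend to put the API call at the very end of the transaction.

#AWS
blog.serverworks.co.jp/cognito-scal...
Building Scalable Web Applications with Amazon Cognito (4) - Synchronizing the Amazon Cognito User Pool with the App's Database - Serverworks Engineer Blog
Hello. This is Kaneyasu (兼安), in charge of DevOps in the Application Services Department. This article is a continuation of this article. blog.serverworks.co.jp This time, I will explain how to synchronize an Amazon Cognito user pool with the app's database (hereafter referred to as Cognito and DB, respectively). Target audience of this article This article's subject Amazon Cognito user pool and the application's data...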
blog.serverworks.co.jp
March 25, 2025 at 3:50 AM
Amazon Cognito adds terms of use and privacy policy documents support to Managed Login

AWS Cognito now lets you add Terms & Privacy links to login pages! Because apparently that was too hard before. Don't worry, it's only in the expensive tiers. Innovation™️ at its finest! 🙄
August 21, 2025 at 5:10 PM
📰 New article by Joshua Du Lac, Edward Sun, Jeremy Ware, Kiran Dongara

Should I use managed login or create a custom UI in Amazon Cognito?

#AWS #Security #Identity #Compliance
October 8, 2025: This blog post has been updated to include the Amazon Cognito managed login experience. The managed login experience has an updated look, additional features, and enhanced customization options. September 8, 2023: It’s important to know that if you activate user sign-up in your user pool, anyone on the internet can sign up [...]
aws.amazon.com
October 8, 2025 at 6:06 PM
Amazon Cognito outage: How StatusGator notified customers 30 minutes before Amazon did

Learn more ➡️ statusgator.com/blog/?p=1128...

Want to try StatusGator for free? Sign up statusgator.com/users/sign_up
December 13, 2024 at 10:12 PM
Amazon Cognito introduces Managed Login to support rich branding for end user journeys

Amazon Cognito introduces Managed Login, a fully-managed, hosted sign-in and sign-up experience that customers can personalize to align with their company or application branding. Amazon Cognito provides…
November 22, 2024 at 6:16 PM
📦 agrodata/cognito-guard 1.23

A laravel auth guard for JSON Web Tokens issued by Amazon AWS Cognito

🔗 https://bitbucket.org/agrodatabr/agrodata-cognito-guard
March 19, 2025 at 1:35 AM
Amazon Cognito introduces Managed Login to support rich branding for end user journeys - AWS aws.amazon.com/about-aws/wh...
aws.amazon.com
July 5, 2025 at 6:02 AM
Amazon Cognito adds enhanced context support for machine-to-machine (M2M) authorization flows

https://aws.amazon.com/about-aws/whats-new/2025/04/amazon-cognito-context-machine-to-machine-flows/
April 30, 2025 at 10:15 PM
🆕 AWS HealthImaging now supports OpenID Connect (OIDC) for DICOMweb API auth, enabling secure access via existing IdPs like Amazon Cognito, Okta, or Auth0. Available in all regions where AWS HealthImaging is available.

#AWS #AwsHealthimaging #AmazonMachineLearning
AWS HealthImaging now supports OpenID Connect (OIDC) authentication for DICOMweb APIs
AWS HealthImaging now supports OAuth 2.0-compatible identity providers for authentication of DICOMweb requests using OpenID Connect (OIDC). With OIDC authentication, you can manage secure access to DICOM resources using your organization’s standard procedures for creating, enabling, and disabling user accounts. With this launch, you can now use existing identity providers (IdPs)—such as Amazon Cognito, Okta, or Auth0—to issue JSON Web Tokens (JWTs) that authorize secure access to your DICOMweb endpoints. This launch makes it simpler to integrate AWS HealthImaging into existing medical imaging applications and expands HealthImaging’s support of DICOMweb standard interfaces that rely on OAuth 2.0-compatible authentication. Support for OIDC is limited to DICOMweb REST API requests. HealthImaging includes native support for AWS Identity and Access Management (IAM) users and roles for authentication of all API requests. Support for OpenID Connect (OIDC) is available in all AWS Regions where AWS HealthImaging is generally available: US East (N. Virginia), US West (Oregon), Asia Pacific (Sydney), and Europe (Ireland). To learn more, visit Using DICOMweb with AWS HealthImaging.
aws.amazon.com
September 10, 2025 at 6:40 PM
Amazon Cognito adds terms of use and privacy policy documents support to Managed Login

https://aws.amazon.com/about-aws/whats-new/2025/10/amazon-cognito-terms-use-privacy-policy-documents-managed-login
October 2, 2025 at 7:14 PM
Building a new app? Amazon Cognito is a no-brainer for #identity and #authentication. Offload the obvious. https://t.co/dt6dMZU50n #security
November 23, 2024 at 9:23 AM
Amazon Cognito now supports passwordless authentication for low-friction and secure logins https://groups.googl... #cloud
November 23, 2024 at 8:09 AM
Amazon Cognito now supports access token customization for machine-to-machine (M2M) authorization flows

https://aws.amazon.com/about-aws/whats-new/2025/03/amazon-cognito-access-token-m2m-authorization-flows/
March 3, 2025 at 11:14 PM
Amazon Cognito adds terms of use and privacy policy documents support to Managed Login #cloud
https://aws.amazon.com/about-aws/whats-new/2025/10/amazon-cognito-terms-use-privacy-policy-documents-managed-login/ https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-terms-documents
groups.google.com
October 3, 2025 at 7:22 AM
Amazon Cognito introduces AWS WAF support for Managed Login

Amazon Cognito introduces AWS Web Application Firewall (AWS WAF) support in Cognito Managed Login. This new capability allows customers to protect their Managed Login endpoints configured in Cognito...

#AWS #AmazonCognito #AwsGovcloudUs
Amazon Cognito introduces AWS Web Application Firewall (AWS WAF) support in Cognito Managed Login. This new capability allows customers to protect their Managed Login endpoints configured in Cognito user pools from unwanted or malicious requests and web-based attacks. Managed Login, a fully-managed, hosted sign-in and sign-up experience that customers can personalize to align with their company or application branding, now offers an additional layer of protection against threat vectors through integration with AWS WAF web access control lists (web ACLs). This integration provides customers with powerful new capabilities to safeguard their applications against malicious attacks. With AWS WAF support, you can now define rules that enforce rate limits, gain visibility into web traffic to your applications, and allow or block traffic to Cognito Managed Login based on your specific business or security requirements. Additionally, the AWS WAF integration enables you to optimize costs by controlling bot traffic to your Cognito user pools. Managed Login and WAF support in Managed Login are offered as part of the Cognito Essentials and Plus tiers and are available in all AWS Regions where Amazon Cognito is available. Please note that AWS WAF charges apply for the inspection of user pool requests. For more information, see https://aws.amazon.com/waf/pricing/. To learn more, see Using https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html, and to get started, visit the https://console.aws.amazon.com/cognito/home.  
aws.amazon.com
June 26, 2025 at 11:05 PM
🆕 Amazon Cognito now supports M2M authorization with OAuth 2.0 context, cutting app client sprawl and costs. Available in Essentials or Plus tiers in select regions. See the developer guide and pricing page for details.

#AWS #AwsGovcloudUs #AmazonCognito
Amazon Cognito adds enhanced context support for machine-to-machine (M2M) authorization flows
Amazon Cognito now allows you to include additional contextual information in the OAuth 2.0 client credentials flow for M2M access token requests, enhancing your control over machine-based interactions. M2M authorization is commonly used for automated processes like data synchronization, event-driven workflows, and microservice communication. This capability enables customers to provide context-specific details (e.g., attributes of the machine such as IP address, location, environment; or business context like application name, tenant ID etc.) when requesting access tokens for machine-based interactions. For example, consider an organization's internal API service that needs different access patterns across development and production environments. Using ClientMetadata, you can now specify {"environment": "dev"} or {"environment": "prod"} when requesting access tokens. With Cognito's support for pre-token generation Lambda triggers, you can process this context to customize token scopes (e.g., api:read_all, api:write_restricted) and add environment-specific claims like rate limits. The API can then examine these scopes and claims to enforce appropriate access controls and rate limiting. Without the ClientMetadata parameter, customers would often need separate app clients (e.g., 'internal-api-dev', 'internal-api-prod') to express contextual information, causing app client sprawl. Now, a single M2M app client can include contextual metadata with each request, reducing the need for multiple app clients, optimizing app client cost while providing context-aware authorization. This capability is available to Amazon Cognito customers using the Essentials or Plus tiers in AWS Regions where Cognito is available, including the AWS GovCloud (US) Regions. To learn more, refer to this developer guide and the Pricing Detail Page for M2M authorization flows pricing.
aws.amazon.com
April 30, 2025 at 10:41 PM
Amazon Cognito now supports refresh token rotation - AWS
aws.amazon.com
April 24, 2025 at 12:04 AM
AWS introduces a new L2 Construct for Amazon Cognito Identity Pools in AWS CDK, simplifying identity management by providing intent-based APIs for creating and configuring identity pools with reduced complexity.
Announcing the AWS CDK L2 Construct for Amazon Cognito Identity Pools
aws-news.com
March 27, 2025 at 5:04 PM
Amazon Cognito now supports access token customization for machine-to-machine (M2M) authorization flows

Amazon Cognito now allows customers to customize access tokens for M2M flows, enabling you to implement fine-grained authorization in your applications, A...

#AWS #AmazonCognito #AwsGovcloudUs
Amazon Cognito now allows customers to customize access tokens for M2M flows, enabling you to implement fine-grained authorization in your applications, APIs, and workloads. M2M authorization is commonly used for automated processes such as scheduled data synchronization tasks, event-driven workflows, microservices communication, or real-time data streaming between systems. In M2M authorization flows, an app client can represent a software system or service that can request access tokens to interact with resources, such as a reporting system or a data processing service. With this launch, customers can now customize their access tokens with custom claims (attributes about the app client) and scopes (level of access that an app client can request to a resource), making it easier to control and manage how their automated systems interact with each other. Customers can now add custom attributes directly in access tokens, reducing the complexity of authorization logic needed in their application code. For example, customers can customize access tokens with claims that allow an app client for a reporting system to only read data while allowing an app client for a data processing service to both read and modify data. This allows customers to streamline authentication by embedding custom authorization attributes directly into access tokens during the token issuance process. Access token customization for M2M authorization is available to Amazon Cognito customers using https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html tiers in all AWS Regions where Cognito is available, except the AWS GovCloud (US) Regions. To learn more, refer to the https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html.  
aws.amazon.com
March 4, 2025 at 12:05 AM