AWS Cognito Tutorial
1. Creating and Configuring an AWS Cognito User Pool
Example 1: Create a Cognito User Pool
aws cognito-idp create-user-pool --pool-name MyUserPool
Explanation
aws cognito-idp create-user-pool: creates a new user pool, the directory in which Cognito stores users and runs sign-up and sign-in.
--pool-name MyUserPool: a display name for the pool. Names do not have to be unique; the pool ID in the response (of the form us-east-1_example123) is the identifier that every later command takes as --user-pool-id.
A user pool handles authentication and federation with external identity providers (SAML, OIDC, social sign-in). Authorization against AWS resources is the job of identity pools, which exchange user pool tokens for temporary AWS credentials; authorization inside your own application is driven by the groups and claims carried in the pool's tokens.
Created with only --pool-name, the pool gets Cognito's defaults: MFA off, self-service sign-up allowed, an 8-character minimum password and deletion protection inactive. Harden it at creation time (--policies, --admin-create-user-config AllowAdminCreateUserOnly=true, --user-pool-add-ons AdvancedSecurityMode=ENFORCED, --deletion-protection ACTIVE) or afterwards with update-user-pool. Note that update-user-pool resets every setting you omit to its default, so always pass the complete configuration (take it from describe-user-pool first).
Example 2: Get Details of a User Pool
aws cognito-idp describe-user-pool --user-pool-id us-east-1_example123
Explanation
aws cognito-idp describe-user-pool: returns the full configuration of one user pool.
--user-pool-id us-east-1_example123: the pool ID (region prefix plus a random suffix), not the pool name.
The response includes the name, status, creation and last-modified dates, the password policy, MfaConfiguration, AdminCreateUserConfig, UserPoolAddOns (advanced security mode), DeletionProtection, AccountRecoverySetting and the Lambda triggers, so it is the one command to run when auditing a pool's security posture or debugging a sign-in problem.
Example 3: List All User Pools
aws cognito-idp list-user-pools --max-results 10
Explanation
aws cognito-idp list-user-pools: lists the user pools in the account and region the CLI profile is configured for.
--max-results 10: required; caps the page at 10 pools (the API allows 1 to 60). If the response contains NextToken, repeat the call with --next-token to fetch the remaining pools.
Returns each pool's Id, Name, LambdaConfig and LastModifiedDate as JSON; useful for inventorying every authentication directory in an account, for example before auditing each one with describe-user-pool.
Example 4: Delete a User Pool
aws cognito-idp delete-user-pool --user-pool-id us-east-1_example123
Explanation
aws cognito-idp delete-user-pool: deletes a user pool permanently.
--user-pool-id us-east-1_example123: the ID of the pool to delete.
Removes every user, group, app client and setting in the pool. There is no recycle bin and no undo, so treat the pool ID on this command line as carefully as a production database name.
If the pool has deletion protection ACTIVE, the call is rejected until you switch it to INACTIVE with update-user-pool; enable deletion protection on any pool that holds real users so that a mistyped script cannot wipe them.
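The settings named in this section (MFA mode, self-service sign-up, password policy, advanced security, deletion protection, account recovery order) are all visible in the JSON that describe-user-pool prints. The script below, an added example that is not part of the original tutorial, audits that JSON and reports the weak settings. The two embedded pool objects are constructed samples in the shape of the CLI's output, and the 12-character minimum is this script's own threshold, not a Cognito default.

```python
"""Audit a user pool's configuration from the JSON that
`aws cognito-idp describe-user-pool` prints.

Added example, not part of the original tutorial. Usage:
    aws cognito-idp describe-user-pool --user-pool-id us-east-1_example123 > pool.json
    python audit_pool.py pool.json
With no argument it audits the constructed WEAK_POOL sample below.
"""
import json
import sys

MIN_PASSWORD_LENGTH = 12  # this script's assumption; Cognito's default minimum is 8

# Constructed sample of a loosely configured pool (placeholder ID from the tutorial).
WEAK_POOL = {
    "Id": "us-east-1_example123",
    "Name": "MyUserPool",
    "Policies": {"PasswordPolicy": {
        "MinimumLength": 8, "RequireUppercase": True, "RequireLowercase": True,
        "RequireNumbers": True, "RequireSymbols": False, "TemporaryPasswordValidityDays": 7}},
    "MfaConfiguration": "OFF",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False, "UnusedAccountValidityDays": 7},
    "UserPoolAddOns": {"AdvancedSecurityMode": "OFF"},
    "DeletionProtection": "INACTIVE",
    "AccountRecoverySetting": {"RecoveryMechanisms": [
        {"Priority": 1, "Name": "verified_phone_number"},
        {"Priority": 2, "Name": "verified_email"}]},
}

# Constructed sample of the same pool after hardening.
HARDENED_POOL = {
    "Id": "us-east-1_example123",
    "Name": "MyUserPool",
    "Policies": {"PasswordPolicy": {
        "MinimumLength": 14, "RequireUppercase": True, "RequireLowercase": True,
        "RequireNumbers": True, "RequireSymbols": True, "TemporaryPasswordValidityDays": 1}},
    "MfaConfiguration": "ON",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True, "UnusedAccountValidityDays": 1},
    "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"},
    "DeletionProtection": "ACTIVE",
    "AccountRecoverySetting": {"RecoveryMechanisms": [
        {"Priority": 1, "Name": "verified_email"},
        {"Priority": 2, "Name": "admin_only"}]},
}


def audit_user_pool(pool):
    """Return 'CODE: detail' findings for a DescribeUserPool 'UserPool' object."""
    findings = []
    policy = pool.get("Policies", {}).get("PasswordPolicy", {})
    length = policy.get("MinimumLength", 8)
    if length < MIN_PASSWORD_LENGTH:
        findings.append(f"WEAK_PASSWORD_LENGTH: MinimumLength={length} (< {MIN_PASSWORD_LENGTH})")
    # Cognito's defaults for the character-class requirements are all true.
    missing = [r for r in ("RequireUppercase", "RequireLowercase", "RequireNumbers", "RequireSymbols")
               if not policy.get(r, True)]
    if missing:
        findings.append("WEAK_PASSWORD_CLASSES: " + ", ".join(missing) + " disabled")
    mfa = pool.get("MfaConfiguration", "OFF")
    if mfa != "ON":
        findings.append(f"MFA_NOT_ENFORCED: MfaConfiguration={mfa}")
    if not pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False):
        findings.append("SELF_SIGNUP_ENABLED: anyone holding an app client ID can call sign-up")
    mode = pool.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF")
    if mode != "ENFORCED":
        findings.append(f"ADVANCED_SECURITY_NOT_ENFORCED: AdvancedSecurityMode={mode}")
    if pool.get("DeletionProtection", "INACTIVE") != "ACTIVE":
        findings.append("NO_DELETION_PROTECTION: one delete-user-pool call destroys every user")
    mechanisms = sorted(pool.get("AccountRecoverySetting", {}).get("RecoveryMechanisms", []),
                        key=lambda m: m["Priority"])
    if mechanisms and mechanisms[0]["Name"] == "verified_phone_number":
        findings.append("SMS_RECOVERY_FIRST: password reset prefers SMS over email (SIM-swap exposure)")
    return findings


def audit_codes(pool):
    """Just the finding codes, as a set, for scripting and tests."""
    return {f.split(":", 1)[0] for f in audit_user_pool(pool)}


def unwrap(data):
    """describe-user-pool wraps the object in a top-level "UserPool" key."""
    return data.get("UserPool", data)


def load_pool(path):
    with open(path) as fh:
        return unwrap(json.load(fh))


if __name__ == "__main__":
    pool = load_pool(sys.argv[1]) if len(sys.argv) > 1 else WEAK_POOL
    findings = audit_user_pool(pool)
    print(f"{pool.get('Id')} ({pool.get('Name')}): {len(findings)} finding(s)")
    for finding in findings:
        print("  " + finding)
    sys.exit(1 if findings else 0)
```

The exit status makes the script usable as a gate in a pipeline that runs describe-user-pool against every ID returned by list-user-pools.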
2. Managing Users in AWS Cognito
Example 1: Create a New User
aws cognito-idp admin-create-user --user-pool-id us-east-1_example123 --username newuser --temporary-password TempPass123!
Explanation
aws cognito-idp admin-create-user: creates a user with administrator credentials, bypassing self-service sign-up; --user-pool-id selects the pool.
--username newuser: the username, unique within the pool.
--temporary-password TempPass123!: the initial password; it must satisfy the pool's password policy. If you omit it, Cognito generates one and delivers it in the invitation message (--desired-delivery-mediums EMAIL or SMS), which also keeps the secret out of your shell history.
The user is created in FORCE_CHANGE_PASSWORD status: at first sign-in Cognito returns a NEW_PASSWORD_REQUIRED challenge and the user must set a permanent password before receiving any tokens. The temporary password expires after the pool's TemporaryPasswordValidityDays (default 7); an expired invitation is reissued with admin-create-user --message-action RESEND.
Example 2: Authenticate a User
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id exampleclientid --auth-parameters USERNAME=newuser,PASSWORD=TempPass123!
Explanation
aws cognito-idp initiate-auth: starts a sign-in on behalf of a user and returns either tokens or a challenge.
--auth-flow USER_PASSWORD_AUTH: sends the password itself to Cognito (over TLS). The app client must list ALLOW_USER_PASSWORD_AUTH among its explicit auth flows or the call fails; the default flow for applications is USER_SRP_AUTH, which proves knowledge of the password without transmitting it.
--client-id exampleclientid: the app client ID. If the app client was created with a client secret, --auth-parameters must also carry SECRET_HASH, the base64 HMAC-SHA256 of username + client ID keyed with that secret.
--auth-parameters USERNAME=newuser,PASSWORD=TempPass123!: the credentials. A fully set-up user receives AuthenticationResult with IdToken, AccessToken and RefreshToken. A user still on a temporary password, as newuser is here, instead gets a NEW_PASSWORD_REQUIRED challenge together with a Session string; finish the sign-in with respond-to-auth-challenge --client-id exampleclientid --challenge-name NEW_PASSWORD_REQUIRED --session <Session> --challenge-responses USERNAME=newuser,NEW_PASSWORD=<new password>.
Passwords given on the command line end up in shell history and process listings; read them into a variable from a prompt or a secrets manager instead.
Example 3: List Users in a User Pool
aws cognito-idp list-users --user-pool-id us-east-1_example123
Explanation
aws cognito-idp list-users: lists the users in a pool.
--user-pool-id us-east-1_example123: the pool to query.
Returns each user's Username, UserStatus (CONFIRMED, FORCE_CHANGE_PASSWORD, UNCONFIRMED, ...), Enabled flag, attributes such as email and phone_number, and creation and modification dates. Results are paged (--limit up to 60, then --pagination-token) and can be narrowed with --filter, for example --filter 'cognito:user_status = "FORCE_CHANGE_PASSWORD"' to find invited accounts that never completed their first sign-in; useful for user management and for access reviews.
Example 4: Delete a User
aws cognito-idp admin-delete-user --user-pool-id us-east-1_example123 --username newuser
Explanation
aws cognito-idp admin-delete-user: deletes a user as administrator.
--user-pool-id us-east-1_example123: the pool that holds the user.
--username newuser: the user to delete.
The deletion is permanent and the user's refresh tokens stop working immediately. Their existing access and ID tokens, however, are self-contained JWTs: a resource server that only checks signature and expiry keeps accepting them until they expire (default one hour). For a security-driven removal, keep token lifetimes short on the app client and, where the application can, check the user's state rather than trusting the token alone.
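Two details of the sign-in flow above are easy to get wrong from the CLI alone: the SECRET_HASH that app clients with a secret require, and the challenge/response round-trip that a temporary password (or, later, MFA) triggers instead of tokens. The code below is an added example, not part of the original tutorial; the client ID, client secret, session strings and response objects are constructed placeholders shaped like the CLI's JSON.

```python
"""SECRET_HASH computation and challenge handling around initiate-auth.

Added example, not from the original tutorial. The client ID, client secret, session
values and response dicts below are constructed placeholders shaped like the CLI's JSON.
"""
import base64
import hashlib
import hmac
import json
import shlex


def secret_hash(username, client_id, client_secret):
    """Base64(HMAC-SHA256(key=client_secret, message=username + client_id)).

    Required in --auth-parameters and --challenge-responses whenever the app client
    has a client secret; `username` must be the same value sent as USERNAME.
    """
    digest = hmac.new(client_secret.encode("utf-8"),
                      (username + client_id).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def secret_hash_hex(username, client_id, client_secret):
    """The same MAC as hex, for comparison with published HMAC-SHA256 test vectors."""
    return base64.b64decode(secret_hash(username, client_id, client_secret)).hex()


def auth_parameters(username, password, client_id, client_secret=None):
    """--auth-parameters for USER_PASSWORD_AUTH, adding SECRET_HASH when needed."""
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return params


def next_step(response, username, client_id, client_secret=None,
              new_password=None, mfa_code=None):
    """Classify an initiate-auth / respond-to-auth-challenge response.

    Returns ("AUTHENTICATED", tokens) when AuthenticationResult is present; otherwise
    (challenge_name, challenge_responses) holding exactly the ChallengeResponses that
    respond-to-auth-challenge expects for that challenge.
    """
    if "AuthenticationResult" in response:
        return "AUTHENTICATED", response["AuthenticationResult"]
    challenge = response["ChallengeName"]
    answers = {"USERNAME": username}
    if client_secret:
        answers["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    if challenge == "NEW_PASSWORD_REQUIRED":      # temporary password must be replaced
        if not new_password:
            raise ValueError("NEW_PASSWORD_REQUIRED: supply new_password")
        answers["NEW_PASSWORD"] = new_password
    elif challenge == "SOFTWARE_TOKEN_MFA":        # code from the authenticator app
        answers["SOFTWARE_TOKEN_MFA_CODE"] = mfa_code
    elif challenge == "SMS_MFA":                   # code delivered by SMS
        answers["SMS_MFA_CODE"] = mfa_code
    else:
        raise ValueError(f"unhandled challenge {challenge}")
    return challenge, answers


def respond_command(client_id, challenge, session, answers):
    """The matching CLI call. JSON rather than KEY=VAL shorthand, so that passwords
    containing ',' or '=' and base64 SECRET_HASH values survive intact."""
    return shlex.join(["aws", "cognito-idp", "respond-to-auth-challenge",
                       "--client-id", client_id, "--challenge-name", challenge,
                       "--session", session, "--challenge-responses", json.dumps(answers)])


# Constructed responses in the shape the CLI prints (all values are placeholders).
NEW_PASSWORD_RESPONSE = {
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "Session": "example-session-token",
    "ChallengeParameters": {"USER_ID_FOR_SRP": "newuser",
                            "requiredAttributes": "[]", "userAttributes": "{}"},
}
TOKEN_RESPONSE = {"AuthenticationResult": {
    "AccessToken": "eyJ...", "IdToken": "eyJ...", "RefreshToken": "eyJ...",
    "TokenType": "Bearer", "ExpiresIn": 3600}}


if __name__ == "__main__":
    print(auth_parameters("newuser", "TempPass123!", "exampleclientid", "example-client-secret"))
    challenge, answers = next_step(NEW_PASSWORD_RESPONSE, "newuser", "exampleclientid",
                                   new_password="Correct-Horse-Battery-Staple-9")
    print(respond_command("exampleclientid", challenge, NEW_PASSWORD_RESPONSE["Session"], answers))
    print(next_step(TOKEN_RESPONSE, "newuser", "exampleclientid")[0])
```

The secret_hash_hex helper exists only so the MAC can be checked against the RFC 4231 HMAC-SHA256 vectors; in practice only the base64 form is sent to Cognito.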
3. Configuring Multi-Factor Authentication (MFA)
Example 1: Enable MFA for a User Pool
aws cognito-idp set-user-pool-mfa-config --user-pool-id us-east-1_example123 --mfa-configuration ON --software-token-mfa-configuration Enabled=true
Explanation
aws cognito-idp set-user-pool-mfa-config: sets the pool-wide MFA policy and which second factors are allowed.
--user-pool-id us-east-1_example123: the pool to configure.
--mfa-configuration ON: every user must complete a second factor at sign-in (OPTIONAL leaves it to each user's preference, OFF disables it). Cognito rejects ON unless at least one MFA method is enabled in the same call, so the command pairs it with --software-token-mfa-configuration Enabled=true, which allows authenticator-app TOTP. SMS MFA is enabled with --sms-mfa-configuration and needs an SNS IAM role; prefer TOTP where you can, since SMS codes are exposed to SIM-swap and interception attacks.
With ON, a user who has not yet enrolled a factor receives an MFA_SETUP challenge at sign-in and must complete enrolment (next examples) before getting tokens; users who have enrolled get a SOFTWARE_TOKEN_MFA or SMS_MFA challenge instead.
Example 2: Associate a Phone Number for MFA
aws cognito-idp admin-update-user-attributes --user-pool-id us-east-1_example123 --username newuser --user-attributes Name=phone_number,Value="+1234567890"
Explanation
aws cognito-idp admin-update-user-attributes: sets or changes attributes on a user as administrator.
--user-pool-id us-east-1_example123 --username newuser: the user to update.
--user-attributes Name=phone_number,Value="+1234567890": stores the phone number, which must be in E.164 format (leading + and country code).
Storing the number alone does not enable SMS MFA: Cognito only sends codes to a verified number. Either add Name=phone_number_verified,Value=true to the same call (appropriate only when you have verified ownership out of band) or let the user confirm a code with verify-user-attribute. SMS MFA must also be allowed on the pool (set-user-pool-mfa-config --sms-mfa-configuration), and in a pool set to OPTIONAL it is switched on per user with admin-set-user-mfa-preference --sms-mfa-settings Enabled=true,PreferredMfa=true.
Example 3: Generate an MFA Code for Authentication
aws cognito-idp associate-software-token --session example-session-token
Explanation
aws cognito-idp associate-software-token: starts TOTP enrolment for a user. It does not produce a login code; the SecretCode in its response is the base32 seed that the user loads into an authenticator app, usually by scanning a QR code of the otpauth:// URI, and from which the app derives a fresh 6-digit code every 30 seconds.
--session example-session-token: the Session that Cognito returned with an MFA_SETUP challenge during sign-in. For a user who is already signed in, pass --access-token <AccessToken> instead.
The response also carries a new Session; pass it to verify-software-token before it expires (a few minutes). Treat SecretCode as a credential: anyone who captures it can generate valid codes for the account.
Example 4: Verify an MFA Token
aws cognito-idp verify-software-token --session example-session-token --user-code 123456
Explanation
aws cognito-idp verify-software-token: completes enrolment by checking that the authenticator app was seeded correctly.
--session example-session-token: the Session returned by associate-software-token (or --access-token for a signed-in user).
--user-code 123456: the code currently displayed by the authenticator app.
On success the response has Status SUCCESS and, in the session-based flow, another Session with which to finish the original sign-in via respond-to-auth-challenge --challenge-name MFA_SETUP. An optional --friendly-device-name labels the device. From then on each sign-in returns a SOFTWARE_TOKEN_MFA challenge that is answered with respond-to-auth-challenge --challenge-responses USERNAME=newuser,SOFTWARE_TOKEN_MFA_CODE=<code>. In a pool set to OPTIONAL, enrolment alone does not enforce the factor; turn it on for the user with admin-set-user-mfa-preference --software-token-mfa-settings Enabled=true,PreferredMfa=true.
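The two enrolment commands above hand a SecretCode to the user and then accept a code back, but the tutorial does not show what happens in between. The code below is an added example, not part of the original tutorial: it implements the RFC 6238 TOTP computation that Cognito's software-token MFA uses (HMAC-SHA1, 30-second step, 6 digits), both the app side that turns SecretCode into the --user-code value and the verifier side that checks it with a drift window. The secret is RFC 6238's published test key rather than a Cognito value, and the user and issuer names are placeholders.

```python
"""TOTP as used by Cognito's software-token MFA: what an authenticator app does with
the SecretCode from associate-software-token, and how a verifier checks a --user-code.

Added example, not from the original tutorial. Cognito TOTP follows RFC 6238 with
HMAC-SHA1, 30-second steps and 6 digits. The secret below is RFC 6238's published test
key, not a Cognito value; the user and issuer names are placeholders.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 Appendix B test key: ASCII "12345678901234567890", base32-encoded.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """SecretCode is base32; tolerate lowercase, spaces and missing '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None):
    """The code an authenticator app shows at Unix time `at` (now if omitted)."""
    at = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), at // STEP_SECONDS)


def verify_totp(secret_b32, code, at=None, window=1):
    """Verifier side: accept the current step and `window` steps either side, comparing
    in constant time. Cognito does not publish its own window; one step each way is the
    usual RFC 6238 allowance for clock drift."""
    at = int(time.time()) if at is None else at
    key = decode_secret(secret_b32)
    step = at // STEP_SECONDS
    submitted = str(code).encode("ascii", "replace")
    return any(hmac.compare_digest(hotp(key, step + d).encode("ascii"), submitted)
               for d in range(-window, window + 1))


def otpauth_uri(secret_b32, username, issuer):
    """What the QR code the user scans encodes; Cognito itself only returns SecretCode."""
    return (f"otpauth://totp/{issuer}:{username}?secret={secret_b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # Enrolment: SecretCode arrives from associate-software-token, the user scans the
    # URI, then sends the app's current code as --user-code to verify-software-token.
    print(otpauth_uri(RFC6238_SECRET, "newuser", "MyUserPool"))
    code = totp(RFC6238_SECRET)
    print("aws cognito-idp verify-software-token --session <Session> --user-code", code)
    print("verifier accepts:", verify_totp(RFC6238_SECRET, code))
```

Running it against a real SecretCode and comparing the printed code with the authenticator app is a quick way to confirm that a device's clock is in sync before a user is locked out by repeated verify-software-token failures.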