

# What is Amazon Cognito?


Amazon Cognito is an identity platform for web and mobile apps. It’s a user directory, an authentication server, and an authorization service for OAuth 2.0 access tokens and AWS credentials. With Amazon Cognito, you can authenticate and authorize users from the built-in user directory, from your enterprise directory, and from consumer identity providers like Google and Facebook.

**Topics**
+ [User pools](#what-is-amazon-cognito-user-pools)
+ [Identity pools](#what-is-amazon-cognito-identity-pools)
+ [Features of Amazon Cognito](#what-is-amazon-cognito-features)
+ [Amazon Cognito user pools and identity pools comparison](#what-is-amazon-cognito-features-comparison)
+ [Getting started with Amazon Cognito](#getting-started-overview)
+ [Regional availability](#getting-started-regional-availability)
+ [Pricing for Amazon Cognito](#pricing-for-amazon-cognito)
+ [Common Amazon Cognito terms and concepts](cognito-terms.md)
+ [Getting started with AWS](cognito-getting-started-account-iam.md)

The two components that follow make up Amazon Cognito. They operate independently or in tandem, based on your access needs for your users.

## User pools


![Amazon Cognito user pool authentication flow with app, identity provider, and API/Database.](http://docs.aws.amazon.com/cognito/latest/developerguide/images/user-pools-overview.png)


Create a user pool when you want to authenticate and authorize users to your app or API. User pools are a user directory with both self-service and administrator-driven user creation, management, and authentication. Your user pool can be an independent directory and OIDC identity provider (IdP), and an intermediate service provider (SP) to third-party providers of workforce and customer identities. You can provide single sign-on (SSO) in your app for your organization's workforce identities in SAML 2.0 and OIDC IdPs with user pools. You can also provide SSO in your app for your organization's customer identities in the public OAuth 2.0 identity stores Amazon, Google, Apple and Facebook. For more information about customer identity and access management (CIAM), see [What is CIAM?](https://aws.amazon.com/what-is/ciam/).

User pools don’t require integration with an identity pool. From a user pool, you can issue authenticated JSON web tokens (JWTs) directly to an app, a web server, or an API.

## Identity pools


![Diagram showing Amazon Cognito federated identities flow between app, identity pool, provider, and STS.](http://docs.aws.amazon.com/cognito/latest/developerguide/images/identity-pools-overview.png)


Set up an Amazon Cognito identity pool when you want to authorize authenticated or anonymous users to access your AWS resources. An identity pool issues AWS credentials for your app to serve resources to users. You can authenticate users with a trusted identity provider, like a user pool or a SAML 2.0 service. It can also optionally issue credentials for guest users. Identity pools use both role-based and attribute-based access control to manage your users’ authorization to access your AWS resources.

Identity pools don’t require integration with a user pool. An identity pool can accept authenticated claims directly from both workforce and consumer identity providers.

**An Amazon Cognito user pool and identity pool used together**

In the diagram that begins this topic, you use Amazon Cognito to authenticate your user and then grant them access to an AWS service.

1. Your app user signs in through a user pool and receives OAuth 2.0 tokens.

1. Your app exchanges a user pool token with an identity pool for temporary AWS credentials that you can use with AWS APIs and the AWS Command Line Interface (AWS CLI).

1. Your app assigns the credentials session to your user, and delivers authorized access to AWS services like Amazon S3 and Amazon DynamoDB.
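
The token exchange in step 2, as an added example that is not code from the Amazon Cognito documentation. It assumes boto3 is installed, that the identity pool lists the user pool as an authentication provider, and that the identity pool accepts the user pool ID token (not the access token) in its `Logins` map. The region, pool IDs and bucket name in the `__main__` block are placeholders.

```python
"""Exchange a Cognito user pool ID token for temporary AWS credentials.

Added example, not code from the Amazon Cognito documentation. Assumes boto3
is installed and that the identity pool trusts the user pool as a provider.
The pool IDs, region and bucket used at the bottom are placeholders.
"""


def logins_key(region: str, user_pool_id: str) -> str:
    """Provider name that an identity pool expects as the Logins map key for a
    user pool. The map value is the user's ID token (token_use "id")."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def credentials_for_boto3(credentials: dict) -> dict:
    """Map the Credentials structure that GetCredentialsForIdentity returns to
    the keyword arguments boto3 clients take. Note the field is named
    SecretKey, not SecretAccessKey, which trips up a lot of first attempts."""
    return {
        "aws_access_key_id": credentials["AccessKeyId"],
        "aws_secret_access_key": credentials["SecretKey"],
        "aws_session_token": credentials["SessionToken"],
    }


def exchange_id_token(region: str, identity_pool_id: str, user_pool_id: str, id_token: str) -> dict:
    """GetId maps the federated user to an identity in the pool, then
    GetCredentialsForIdentity has AWS STS issue credentials for the IAM role
    the pool selects for that identity. Returns the raw Credentials dict,
    including the Expiration timestamp the caller should refresh before."""
    import boto3  # imported here so the helpers above stay importable without boto3

    logins = {logins_key(region, user_pool_id): id_token}
    cognito_identity = boto3.client("cognito-identity", region_name=region)
    identity_id = cognito_identity.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    response = cognito_identity.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return response["Credentials"]


if __name__ == "__main__":
    import boto3

    REGION = "us-east-1"
    creds = exchange_id_token(
        REGION,
        "us-east-1:11111111-2222-3333-4444-555555555555",  # placeholder identity pool ID
        "us-east-1_EXAMPLE",  # placeholder user pool ID
        id_token="<ID token returned by the user pool at sign-in>",
    )
    # Step 3: act on AWS as the user, with the role the identity pool chose.
    s3 = boto3.client("s3", region_name=REGION, **credentials_for_boto3(creds))
    print(s3.list_objects_v2(Bucket="example-user-content")["KeyCount"])
```

The credentials are scoped by the IAM role the identity pool selects, so the `list_objects_v2` call succeeds only if that role's policy allows it; the app never holds long-lived keys.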

For more examples that use identity pools and user pools, see [Common Amazon Cognito scenarios](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html).

Under the [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/), the *security of the cloud* obligation that AWS meets for Amazon Cognito is compliant with SOC 1-3, PCI DSS, ISO 27001, and is HIPAA-BAA eligible. You can design your *security in the cloud* in Amazon Cognito to be compliant with SOC 1-3, ISO 27001, and HIPAA-BAA, but not PCI DSS. For more information, see [AWS services in scope](http://aws.amazon.com/compliance/services-in-scope/). See also [Regional data considerations](https://docs.aws.amazon.com/cognito/latest/developerguide/security-cognito-regional-data-considerations.html).

## Features of Amazon Cognito


### User pools


An Amazon Cognito user pool is a user directory. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party IdP. Federated and local users have a user profile in your user pool. 

Local users are those who signed up or you created directly in your user pool. You can manage and customize these user profiles in the AWS Management Console, an AWS SDK, or the AWS Command Line Interface (AWS CLI). 

Amazon Cognito user pools accept tokens and assertions from third-party IdPs, and collect the user attributes into a JWT that it issues to your app. You can standardize your app on one set of JWTs while Amazon Cognito handles the interactions with IdPs, mapping their claims to a central token format.

An Amazon Cognito user pool can be a standalone IdP. Amazon Cognito draws from the OpenID Connect (OIDC) standard to generate JWTs for authentication and authorization. When you sign in local users, your user pool is authoritative for those users. You have access to the following features when you authenticate local users.
+ Implement your own web front-end that calls the Amazon Cognito user pools API to authenticate, authorize, and manage your users.
+ Set up multi-factor authentication (MFA) for your users. Amazon Cognito supports time-based one-time password (TOTP) and SMS message MFA.
+ Secure against access from user accounts that are under malicious control.
+ Create your own custom multi-step authentication flows.
+ Look up users in another directory and migrate them to Amazon Cognito.

An Amazon Cognito user pool can also fulfill a dual role as a service provider (SP) to your IdPs, and an IdP to your app. Amazon Cognito user pools can connect to consumer IdPs like Facebook and Google, or workforce IdPs like Okta and Active Directory Federation Services (ADFS).

With the OAuth 2.0 and OpenID Connect (OIDC) tokens that an Amazon Cognito user pool issues, you can
+ Accept an ID token in your app that authenticates a user, and provides the information that you need to set up the user’s profile
+ Accept an access token in your API with the OIDC scopes that authorize your users’ API calls.
+ Retrieve AWS credentials from an Amazon Cognito identity pool.
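
The checks an app or API should run on those tokens, as an added example that is not code from the Amazon Cognito documentation. It validates the claims the page describes: the issuer (which pins region and user pool), `token_use`, expiry, the app client (`aud` on an ID token, `client_id` on an access token) and, for access tokens, the OAuth scopes. It assumes the token's RS256 signature has already been verified against the user pool's JWKS; the pool ID, client ID, fixed clock and the two sample tokens are constructed placeholders.

```python
"""Validate claims of a JWT issued by an Amazon Cognito user pool.

Added example, not code from the Amazon Cognito documentation. Signature
verification against the pool's JWKS is assumed to have happened before
these checks; the sample tokens below carry a placeholder signature and
exist only so the example runs offline.
"""
import base64
import json
import time


def decode_claims(jwt_compact: str) -> dict:
    """Decode the payload segment of a compact JWT. No signature check here."""
    try:
        _header, payload, _signature = jwt_compact.split(".")
    except ValueError:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_cognito_claims(claims: dict, *, region: str, user_pool_id: str, client_id: str,
                            token_use: str, now: float = None, required_scopes=()) -> dict:
    """Return claims if acceptable for this app, else raise ValueError.

    token_use is "id" for an ID token presented to the app and "access" for
    an access token presented to an API. Check order matters little, but
    every check must run: a token from another pool, of the wrong kind, or
    issued to another app client is otherwise a valid signed JWT.
    """
    now = time.time() if now is None else now
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("token_use") != token_use:
        raise ValueError(f"expected token_use={token_use!r}, got {claims.get('token_use')!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # ID tokens name the app client in aud; access tokens carry client_id instead.
    audience = claims.get("aud") if token_use == "id" else claims.get("client_id")
    if audience != client_id:
        raise ValueError(f"token was issued to another app client: {audience!r}")
    if token_use == "access":
        missing = set(required_scopes) - set(claims.get("scope", "").split())
        if missing:
            raise ValueError(f"access token lacks scopes {sorted(missing)}")
    return claims


def rejection_reason(jwt_compact: str, **expectations) -> str:
    """None if the token passes validate_cognito_claims, else the reason."""
    try:
        validate_cognito_claims(decode_claims(jwt_compact), **expectations)
    except ValueError as err:
        return str(err)
    return None


# Constructed sample data: placeholder pool, client and clock.
REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "1example23456789abcdef"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"
NOW = 1_700_000_000  # fixed clock so the example is reproducible


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def constructed_token(claims: dict) -> str:
    """Compact token with a placeholder signature, for offline demonstration
    only. Real user pool tokens are RS256-signed with a key from the JWKS."""
    return ".".join([_b64url({"alg": "RS256", "kid": "placeholder"}), _b64url(claims), "placeholder-signature"])


SAMPLE_ID_TOKEN = constructed_token({
    "iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "sub": "4f1e2d3c-example",
    "cognito:username": "alice", "email": "alice@example.com", "iat": NOW, "exp": NOW + 3600,
})
SAMPLE_ACCESS_TOKEN = constructed_token({
    "iss": ISSUER, "client_id": CLIENT_ID, "token_use": "access", "sub": "4f1e2d3c-example",
    "username": "alice", "scope": "openid profile orders/read", "iat": NOW, "exp": NOW + 3600,
})
```

The `token_use` check is the one most often skipped: an ID token and an access token from the same pool share issuer and subject, and an API that accepts either lets a client bypass the scope check entirely.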


| Feature | Description | 
| --- |--- |
| OIDC identity provider | Issue ID tokens to authenticate users | 
| Authorization server | Issue access tokens to authorize user access to APIs | 
| SAML 2.0 service provider | Transform SAML assertions into ID and access tokens | 
| OIDC relying party | Transform OIDC tokens into ID and access tokens | 
| Social provider relying party | Transform ID tokens from Apple, Facebook, Amazon, or Google to your own ID and access tokens | 
| Authentication frontend service | Sign up, manage, and authenticate users with managed login | 
| API support for your own UI | Create, manage and authenticate users through authentication API requests in supported AWS SDKs¹ | 
| Multi-factor authentication | Use SMS messages, TOTPs, or your user's device as an additional authentication factor¹ | 
| Security monitoring & response | Secure against malicious activity and insecure passwords¹ | 
| Customize authentication flows | Build your own authentication mechanism, or add custom steps to existing flows² | 
| Groups | Create logical groupings of users, and a hierarchy of IAM role claims when you pass tokens to identity pools | 
| Customize tokens | Customize your ID and access tokens with new, modified, and suppressed claims | 
| Customize user attributes | Assign values to user attributes and add your own custom attributes | 

¹ Feature is unavailable to federated users.

² Feature is unavailable to federated and managed login users.

For more information about user pools, see [Getting started with user pools](getting-started-user-pools.md) and the [Amazon Cognito user pools API reference](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/).

### Identity pools


An identity pool is a collection of unique identifiers, or identities, that you assign to your users or guests and authorize to receive temporary AWS credentials. When you present proof of authentication to an identity pool in the form of the trusted claims from a SAML 2.0, OpenID Connect (OIDC), or OAuth 2.0 social identity provider (IdP), you associate your user with an identity in the identity pool. The token that your identity pool creates for the identity can retrieve temporary session credentials from AWS Security Token Service (AWS STS).

To complement authenticated identities, you can also configure an identity pool to authorize AWS access without IdP authentication. You can offer custom proof of authentication with [Developer-authenticated identities](developer-authenticated-identities.md). You can also grant temporary AWS credentials to guest users, with [unauthenticated identities](identity-pools.md#authenticated-and-unauthenticated-identities).

With identity pools, you have two ways to integrate with IAM policies in your AWS account. You can use these two features together or individually.

**Role-based access control**  
When your user passes claims to your identity pool, Amazon Cognito chooses the IAM role that it requests. To customize the role’s permissions to your needs, you apply IAM policies to each role. For example, if your user demonstrates that they are in the marketing department, they receive credentials for a role with policies tailored to marketing department access needs. Amazon Cognito can request a default role, a role based on rules that query your user’s claims, or a role based on your user’s group membership in a user pool. You can also configure the role trust policy so that IAM trusts only your identity pool to generate temporary sessions.

**Attributes for access control**  
Your identity pool reads attributes from your user’s claims, and maps them to principal tags in your user’s temporary session. You can then configure your IAM resource-based policies to allow or deny access to resources based on IAM principals that carry the session tags from your identity pool. For example, if your user demonstrates that they are in the marketing department, AWS STS tags their session `Department: marketing`. Your Amazon S3 bucket permits read operations based on an [aws:PrincipalTag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principaltag) condition that requires a value of `marketing` for the `Department` tag.


| Feature | Description | 
| --- |--- |
| Amazon Cognito user pool relying party | Exchange an ID token from your user pool for web identity credentials from AWS STS | 
| SAML 2.0 service provider | Exchange SAML assertions for web identity credentials from AWS STS | 
| OIDC relying party | Exchange OIDC tokens for web identity credentials from AWS STS | 
| Social provider relying party | Exchange OAuth tokens from Amazon, Facebook, Google, Apple, and Twitter for web identity credentials from AWS STS | 
| Custom relying party | With AWS credentials, exchange claims in any format for web identity credentials from AWS STS | 
| Unauthenticated access | Issue limited-access web identity credentials from AWS STS without authentication | 
| Role-based access control | Choose an IAM role for your authenticated user based on their claims, and configure your roles to only be assumed in the context of your identity pool | 
| Attribute-based access control | Convert claims into principal tags for your AWS STS temporary session, and use IAM policies to filter resource access based on principal tags | 

For more information about identity pools, see [Getting started with Amazon Cognito identity pools](getting-started-with-identity-pools.md) and the [Amazon Cognito identity pools API reference](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/).



## Amazon Cognito user pools and identity pools comparison



| Feature | Description | User pools | Identity pools | 
| --- |--- |--- |--- |
| OIDC identity provider | Issue OIDC ID tokens to authenticate app users | ✓ |  | 
| User directory | Store user profiles for authentication | ✓ |  | 
| Authorize API access | Issue access tokens to authorize user access to APIs (including user profile self-service API operations), databases, and other resources that accept OAuth scopes | ✓ |  | 
| IAM web identity authorization | Generate tokens that you can exchange with AWS STS for temporary AWS credentials |  | ✓ | 
| SAML 2.0 service provider & OIDC identity provider | Issue customized OIDC tokens based on claims from a SAML 2.0 identity provider | ✓ |  | 
| OIDC relying party & OIDC identity provider | Issue customized OIDC tokens based on claims from an OIDC identity provider | ✓ |  | 
| OAuth 2.0 relying party & OIDC identity provider | Issue customized OIDC tokens based on scopes from OAuth 2.0 social providers like Apple and Google | ✓ |  | 
| SAML 2.0 service provider & credentials broker | Issue temporary AWS credentials based on claims from a SAML 2.0 identity provider |  | ✓ | 
| OIDC relying party & credentials broker | Issue temporary AWS credentials based on claims from an OIDC identity provider |  | ✓ | 
| Social provider relying party & credentials broker | Issue temporary AWS credentials based on JSON web tokens from developer applications with social providers like Apple and Google |  | ✓ | 
| Amazon Cognito user pool relying party & credentials broker | Issue temporary AWS credentials based on JSON web tokens from Amazon Cognito user pools |  | ✓ | 
| Custom relying party & credentials broker | Issue temporary AWS credentials to arbitrary identities, authorized by developer IAM credentials |  | ✓ | 
| Authentication frontend service | Sign up, manage, and authenticate users with managed login | ✓ |  | 
| API support for your own authentication UI | Create, manage and authenticate users through API requests in supported AWS SDKs¹ | ✓ |  | 
| MFA | Use SMS messages, TOTPs, or your user's device as an additional authentication factor¹ | ✓ |  | 
| Security monitoring & response | Protect against malicious activity and insecure passwords¹ | ✓ |  | 
| Customize authentication flows | Build your own authentication mechanism, or add custom steps to existing flows¹ | ✓ |  | 
| User groups | Create logical groupings of users, and a hierarchy of IAM role claims when you pass tokens to identity pools | ✓ |  | 
| Customize tokens | Customize your ID and access tokens with new, modified, and suppressed claims and scopes | ✓ |  | 
| AWS WAF web ACLs | Monitor and control requests to your authentication front end with AWS WAF | ✓ |  | 
| Customize user attributes | Assign values to user attributes and add your own custom attributes | ✓ |  | 
| Unauthenticated access | Issue limited-access web identity credentials from AWS STS without authentication |  | ✓ | 
| Role-based access control | Choose an IAM role for your authenticated user based on their claims, and configure your role trust to limit access to web identity users |  | ✓ | 
| Attribute-based access control | Transform user claims into principal tags for your AWS STS temporary session, and use IAM policies to filter resource access based on principal tags |  | ✓ | 

¹ Feature is not available to federated users.

## Getting started with Amazon Cognito


For example user pool applications, see [Getting started with user pools](getting-started-user-pools.md).

For an introduction to identity pools, see [Getting started with Amazon Cognito identity pools](getting-started-with-identity-pools.md).

For links to guided setup experiences with user pools and identity pools, see [Guided setup options for Amazon Cognito](cognito-guided-setup.md).

To get started with an AWS SDK, see [AWS Developer Tools](https://aws.amazon.com/products/developer-tools). For developer resources specific to Amazon Cognito, see [Amazon Cognito developer resources](https://aws.amazon.com/cognito/dev-resources/).

To use Amazon Cognito, you need an AWS account. For more information, see [Getting started with AWS](cognito-getting-started-account-iam.md).

## Regional availability


Amazon Cognito is available in multiple AWS Regions worldwide. In each Region, Amazon Cognito is distributed across multiple Availability Zones. These Availability Zones are physically isolated from each other, but are united by private, low-latency, high-throughput, and highly redundant network connections. These Availability Zones enable AWS to provide services, including Amazon Cognito, with very high levels of availability and redundancy, while also minimizing latency.

To see if Amazon Cognito is currently available in any AWS Region, see [AWS Services by Region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

To learn about regional API service endpoints, see [AWS regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#cognito_identity_region) in the *Amazon Web Services General Reference*.

To learn more about the number of Availability Zones that are available in each Region, see [AWS global infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

## Pricing for Amazon Cognito


For information about Amazon Cognito pricing, see [Amazon Cognito pricing](https://aws.amazon.com/cognito/pricing/).

# Common Amazon Cognito terms and concepts

Amazon Cognito provides credentials for web and mobile apps. It draws from and builds on terms that are common in *identity and access management*. Many guides to universal identity and access terms are available. Some examples are:
+ [Terminology](https://bok.idpro.org/article/id/41/) in the IDPro Body of Knowledge
+ [AWS Identity Services](https://aws.amazon.com/identity/)
+ [Glossary](https://csrc.nist.gov/glossary) from NIST CSRC

The following lists describe terms that are unique to Amazon Cognito or have a specific context in Amazon Cognito.

**Topics**
+ [General](#cognito-terms-general)
+ [User pools](#cognito-terms-user-pools)
+ [Identity pools](#cognito-terms-identity-pools)

## General


The terms in this list aren't specific to Amazon Cognito and are widely recognized among identity and access management practitioners. The following isn't an exhaustive list of terms, but a guide to their specific Amazon Cognito context in this guide.

**Access token**  <a name="terms-accesstoken"></a>
A JSON web token (JWT) that contains information about an entity's [authorization](#terms-authorization) to access information systems.

**App, application**  
Typically, a mobile application. In this guide, *app* is often a shorthand for a web application or mobile app that connects to Amazon Cognito.

**Attribute-based access control (ABAC)**  <a name="terms-abac"></a>
A model where an app determines access to resources based on the properties of a user, like their job title or department. Amazon Cognito tools to enforce ABAC include ID tokens in user pools and [principal tags](#term-afac) in identity pools.

**Authentication**  <a name="terms-authentication"></a>
The process of establishing an authentic identity for the purpose of access to an information system. Amazon Cognito accepts proof of authentication from third-party identity providers, and also serves as a provider of authentication to software applications.

**Authorization**  <a name="terms-authorization"></a>
The process of granting permissions to a resource. User pool [access tokens](#terms-accesstoken) contain information that applications can use to permit users and systems to access resources.

**Authorization server**  <a name="term-authzserver"></a>
An OAuth or OpenID Connect (OIDC) system that generates [JSON web tokens](#terms-jwt). The Amazon Cognito user pools [managed authorization server](#terms-managedauthorizationserver) is the authorization-server component of one of the two authentication and authorization methods in user pools, managed login. The other method, [SDK authentication](#terms-upapi), uses API challenge-response flows instead.

**Confidential app, server-side app**  
An application that users connect to remotely, with code on an application server and access to secrets. This is typically a web application.

**Identity provider (IdP)**  <a name="terms-idp"></a>
A service that stores and verifies user identities. Amazon Cognito can request authentication from [external providers](#terms-externalprovider) and be an IdP to apps.

**JSON web token (JWT)**  <a name="terms-jwt"></a>
A JSON-formatted document that contains claims about an authenticated user. ID tokens authenticate users, access tokens authorize users, and refresh tokens update credentials. Amazon Cognito receives tokens from [external providers](#terms-externalprovider) and issues tokens to apps or AWS STS.

**Machine-to-machine (M2M) authorization**  <a name="terms-m2m"></a>
The process of authorizing requests to API endpoints for non-user-interactive machine entities, like a webserver application tier. User pools serve M2M authorization in client-credentials grants with OAuth 2.0 scopes in [access tokens](#terms-accesstoken).

**Multi-factor authentication (MFA)**  <a name="terms-mfa"></a>
The requirement that users provide additional authentication after providing their username and password. Amazon Cognito user pools have MFA features for [local users](#terms-localuser).

**OAuth 2.0 (social) provider**  <a name="terms-oauth"></a>
An IdP to a user pool or identity pool that provides [JWT](#terms-jwt) access and refresh tokens. Amazon Cognito user pools automate interactions with social providers after users authenticate.

**OpenID Connect (OIDC) provider**  
An IdP to a user pool or identity pool that extends the [OAuth](#terms-oauth) specification to provide ID tokens. Amazon Cognito user pools automate interactions with OIDC providers after users authenticate.

**Passkey, WebAuthn**  
A form of authentication where cryptographic keys, or passkeys, on a user's device provide their proof of authentication. Users verify that they are present with biometric or PIN code mechanisms in a hardware or software authenticator. Passkeys are phishing-resistant and bound to specific websites and apps, offering a secure passwordless experience. Amazon Cognito user pools support sign-in with passkeys.

**Passwordless**  
A form of authentication where a user doesn't have to enter a password. Methods of passwordless sign-in include one-time passwords (OTPs) sent to email addresses and phone numbers, and passkeys. Amazon Cognito user pools support sign-in with OTPs and passkeys.

**Public app**  
An application that is self-contained on a device, with code stored locally and no access to secrets. This is typically a mobile app.

**Resource server**  
An API with access control. Amazon Cognito user pools also use *resource server* to describe the component that defines the configuration for interacting with an API.

**Role-based access control (RBAC)**  
A model that grants access based on a user's functional designation. Amazon Cognito identity pools implement RBAC with differentiation between IAM roles.

**Service provider (SP), relying party (RP)**  <a name="terms-relyingparty"></a>
An application that relies on an IdP to assert that users are trustworthy. Amazon Cognito acts as an SP to external IdPs, and as an IdP to app-based SPs.

**SAML provider**  
An IdP to a user pool or identity pool that generates digitally signed assertion documents that your user passes to Amazon Cognito.

**Universally Unique Identifier (UUID)**  <a name="terms-uuid"></a>
A 128-bit label that is applied to an object. Amazon Cognito UUIDs are unique per user pool or identity pool, but don't conform to a specific UUID format.

**User directory**  <a name="terms-userdirectory"></a>
A collection of users and their attributes that serves that information to other systems. Amazon Cognito user pools are user directories, and also tools for consolidation of users from external user directories.

## User pools


When you see the terms in the following list in this guide, they refer to a specific feature or configuration of user pools.

**Adaptive authentication**  <a name="terms-adaptiveauthentication"></a>
A feature of [advanced security](#term-advancedsecurity) that detects potential malicious activity and applies additional security to [user profiles](#terms-userprofile).

**App client**  <a name="term-appclient"></a>
A component that defines the settings for a user pool as an IdP to one app.

**Callback URL, redirect URI, return URL**  <a name="term-callbackurl"></a>
A setting in an [app client](#term-appclient) and a parameter in requests to the user pool's [authorization server](#terms-managedauthorizationserver). The callback URL is the initial destination for authenticated users in your [app](#term-app).

**Choice-based authentication**  <a name="terms-choicebasedauthentication"></a>
A form of API authentication with user pools where each user has a set of choices for sign-in available to them. Their choices might include username and password with or without MFA, passkey sign-in, or passwordless sign-in with email or SMS message one-time passwords. Your application can shape the choice process for users by requesting a list of authentication options or by declaring a preferred option.  
Compare with [client-based authentication](#terms-declarativeauthentication).

**Client-based authentication**  <a name="terms-declarativeauthentication"></a>
A form of authentication with the user pools API and application back ends built with AWS SDKs. In client-based authentication, also called declarative authentication, your application decides on its own which sign-in type a user should perform and requests that type up front.  
Compare with [choice-based authentication](#terms-choicebasedauthentication).

**Compromised credentials**  
A feature of [advanced security](#term-advancedsecurity) that detects user passwords that attackers might know, and applies additional security to [user profiles](#terms-userprofile).

**Confirmation**  <a name="terms-confirmation"></a>
The process that determines that the prerequisites have been met to permit a new user to sign in. Confirmation is typically done through email address or phone number [verification](#terms-verification).

**Custom authentication**  
An extension of authentication processes with [Lambda triggers](#terms-triggers) that define additional user challenges and responses.

**Device authentication**  
An authentication process that replaces [MFA](#terms-mfa) with sign-in that uses the ID of a trusted device.

**Domain, user pool domain**  <a name="terms-domain"></a>
A web domain that hosts your [managed login pages](#terms-managedlogin) in AWS. You can set up DNS in a domain that you own or use an identifying subdomain prefix in a domain that AWS owns.

**Essentials plan**  <a name="terms-essentialsplan"></a>
The [feature plan](#terms-featureplan) with the latest developments in user pools. The Essentials plan doesn't include the automated-learning security features in the [Plus plan](#terms-plusplan).

**External provider, third-party provider**  <a name="terms-externalprovider"></a>
An IdP that has a trust relationship with a user pool. User pools serve as an intermediate entity between external providers and your application, managing authentication processes with SAML 2.0, OIDC, and social providers. User pools consolidate external-provider authentication outcomes into a single IdP so that your applications can process many users with a single OIDC relying-party library.

**Feature plan**  <a name="terms-featureplan"></a>
The group of features that you can select for a user pool. Feature plans have differing costs in your AWS bill. New user pools default to the [Essentials plan](#terms-essentialsplan).  

**Current plans**
+ [Lite plan](#terms-liteplan)
+ [Essentials plan](#terms-essentialsplan)
+ [Plus plan](#terms-plusplan)

**Federated user, external user**  <a name="terms-federateduser"></a>
A user in a user pool who was authenticated by an [external provider](#terms-externalprovider).

**Hosted UI (classic), hosted UI pages**  <a name="terms-hostedui"></a>
The early version of the authentication front end, relying party, and identity provider services on your user pool domain. The hosted UI has a basic set of features and a simplified look and feel. You can apply Hosted UI branding with the upload of a logo-image file and a file with a predetermined set of CSS styles. Compare to [managed login](#terms-managedlogin).

**Lambda trigger**  <a name="terms-triggers"></a>
A function in AWS Lambda that a user pool can automatically invoke at key points in user authentication processes. You can use Lambda triggers to customize authentication outcomes.

**Local user**  <a name="terms-localuser"></a>
A [user profile](#terms-userprofile) in the user pool [user directory](#terms-userdirectory) that wasn't created by authentication with an [external provider](#terms-externalprovider).

**Linked user**  <a name="terms-linkeduser"></a>
A user from an [external provider](#terms-externalprovider) whose identity is merged with a [local user](#terms-localuser).

**Lite plan**  <a name="terms-liteplan"></a>
The [feature plan](#terms-featureplan) with the features that originally launched with user pools. The Lite plan doesn't include the new features in the [Essentials plan](#terms-essentialsplan) or the automated-learning security features in the [Plus plan](#terms-plusplan).

**Managed authorization server, hosted UI authorization server, authorization server**  <a name="terms-managedauthorizationserver"></a>
A component of [managed login](#terms-managedlogin) that hosts services for interaction with IdPs and apps on your [user pool domain](#terms-domain). The [hosted UI](#terms-hostedui) differs from managed login in the user-interactive features it offers, but has the same authorization-server capabilities.

**Managed login, managed login pages**  <a name="terms-managedlogin"></a>
A set of webpages on your [user pool domain](#terms-domain) that host services for user authentication. These services include functions for operating as an [IdP](#terms-idp), a [relying party](#terms-relyingparty) for third-party IdPs, and a server of a user-interactive authentication UI. When you set up a domain for your user pool, Amazon Cognito brings all managed login pages online.  
Your application imports OIDC libraries that invoke users' browsers and direct them to the managed login UI for sign-up, sign-in, password management, and other authentication operations. After authentication, the OIDC libraries can process the outcome of the authentication request.

**Managed login authentication**  <a name="terms-managedloginauthentication"></a>
Sign-in with the services on your [user pool domain](#terms-domain), done with user-interactive browser pages or HTTPS API requests. Applications handle managed login authentication with OpenID Connect (OIDC) libraries. This process includes sign-in with [external providers](#terms-externalprovider), local-user sign-in with interactive managed login pages, and [M2M authorization](#terms-m2m). Authentication with the classic [hosted UI](#terms-hostedui) also falls under this term.  
Compare to [AWS SDK authentication](#terms-upapi).
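
The following Python is an added example, not code from this guide or from any AWS library, of what an application does when it relies on managed login authentication: it builds the authorization-code request with PKCE for the user pool's `/oauth2/authorize` endpoint, checks the redirect back, prepares the exchange at `/oauth2/token`, and, for the M2M case, the `client_credentials` request to the same token endpoint. The user pool domain, app client ID and redirect URI are constructed placeholders.

```python
"""Authorization code flow with PKCE against a user pool's managed login endpoints.

Added example, not code from the AWS documentation. The domain, client ID and
redirect URI are constructed placeholders; the endpoint paths (/oauth2/authorize,
/oauth2/token) are the user pool's standard OAuth 2.0 endpoints.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: replace with your own user pool domain and app client.
USER_POOL_DOMAIN = "https://example-auth.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "1example23456789abcdef"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 transform: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_session() -> dict:
    """Per-login secrets the app keeps on its side.

    The verifier never leaves the app; only the challenge goes to the
    authorization server. The state value is compared on the way back so a
    callback that this session did not start is rejected.
    """
    verifier = b64url(secrets.token_bytes(32))
    return {"verifier": verifier, "challenge": pkce_challenge(verifier),
            "state": secrets.token_urlsafe(16)}


def build_authorize_url(session: dict, scopes=("openid", "email")) -> str:
    """URL the app sends the browser to; managed login renders the sign-in UI there."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": session["state"],
        "code_challenge": session["challenge"],
        "code_challenge_method": "S256",
    }
    return f"{USER_POOL_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, session: dict) -> str:
    """Pull the authorization code out of the redirect back to REDIRECT_URI.

    A state mismatch means the callback is not bound to this session, so it is
    refused before any token exchange happens.
    """
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in query:
        raise ValueError(f"authorization server returned {query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str, session: dict) -> dict:
    """Form body for POST {USER_POOL_DOMAIN}/oauth2/token (public client, no secret).

    The authorization server recomputes S256(code_verifier) and compares it with
    the challenge it saw at /oauth2/authorize, which ties the code to this app
    instance even if the code itself was observed in transit.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": session["verifier"],
    }


def build_client_credentials_request(client_id: str, client_secret: str,
                                     scopes: tuple) -> tuple:
    """M2M authorization: the client_credentials grant at the same token endpoint.

    Returns (headers, form body). The confidential client authenticates with HTTP
    Basic; the scopes must be custom resource-server scopes granted to the client.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    return headers, body
```

An OIDC library does all of this for you; the point of spelling it out is that the verifier and state are the two values your application is responsible for keeping, and that the hosted UI and managed login share these same endpoints.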

**Plus plan**  <a name="terms-plusplan"></a>
The [feature plan](#terms-featureplan) with the latest developments and advanced security features in user pools.

**SDK authentication, AWS SDK authentication**  <a name="terms-upapi"></a>
A set of authentication and authorization API operations that you can add to your application back end with an AWS SDK. This authentication model requires your own custom-built login mechanism. The API can sign in [local users](#terms-localuser) and [linked users](#terms-linkeduser).  
Compare to [managed login authentication](#terms-managedloginauthentication).

**Threat protection, advanced security features**  <a name="term-advancedsecurity"></a>
In user pools, threat protection refers to technologies that are designed to mitigate threats to your authentication and authorization mechanisms. Adaptive authentication, compromised-credentials detection, and IP address blocklists are under the category of threat protection.

**Token customization**  
The outcome of a pre token generation [Lambda trigger](#terms-triggers) that modifies a user's ID or access token at runtime.
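
The following is an added example, not code from this guide, of a pre token generation Lambda trigger in the version 1 event format. It adds a tenant claim and an application role derived from the user's verified attributes and group membership, suppresses the phone number from the ID token, and leaves the caller-supplied `clientMetadata` untouched because a client can set that to anything. The custom attribute `custom:tenant_id` and the group `Admins` are hypothetical names.

```python
"""Pre token generation Lambda trigger (version 1 event) that customizes the ID token.

Added example, not from the AWS documentation. Assumes a custom attribute named
custom:tenant_id and a group named Admins (both hypothetical) exist in the pool.
"""

# Claims the trigger must not set; Cognito issues them itself.
RESERVED_CLAIMS = {"sub", "iss", "aud", "exp", "iat", "auth_time", "token_use",
                   "cognito:username", "nonce", "at_hash"}


def derive_claims(user_attributes: dict, groups: list) -> dict:
    """Build the extra claims from verified sources only.

    userAttributes and groupConfiguration come from the user pool's own records.
    request.clientMetadata is supplied by whoever called the sign-in API and is
    deliberately not read: otherwise a client could choose its own claims.
    """
    claims = {}
    tenant = user_attributes.get("custom:tenant_id")
    if tenant:
        claims["tenant_id"] = tenant
    claims["app_role"] = "admin" if "Admins" in groups else "member"
    # Claim values must be strings; reserved claims are dropped defensively.
    return {k: str(v) for k, v in claims.items() if k not in RESERVED_CLAIMS}


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point Cognito invokes; the whole event must be returned."""
    request = event["request"]
    groups = request.get("groupConfiguration", {}).get("groupsToOverride") or []
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": derive_claims(request.get("userAttributes", {}), groups),
        # Keep the phone number out of the ID token even though it is a user attribute.
        "claimsToSuppress": ["phone_number"],
    }
    return event


def sample_event() -> dict:
    """Constructed event in the shape Cognito sends for TokenGeneration_* triggers."""
    return {
        "version": "1",
        "triggerSource": "TokenGeneration_HostedAuth",
        "region": "us-east-1",
        "userPoolId": "us-east-1_EXAMPLE",          # placeholder pool ID
        "userName": "alice",
        "request": {
            "userAttributes": {
                "sub": "00000000-0000-4000-8000-000000000001",  # constructed
                "email": "alice@example.com",
                "phone_number": "+15555550100",
                "custom:tenant_id": "tenant-42",
            },
            "groupConfiguration": {"groupsToOverride": ["Admins"],
                                   "iamRolesToOverride": [], "preferredRole": None},
            "clientMetadata": {"tenant_id": "tenant-1"},  # caller-supplied; ignored
        },
        "response": {"claimsOverrideDetails": None},
    }
```

Deploy the handler as the user pool's pre token generation trigger; the resulting ID token carries `tenant_id` and `app_role` and omits `phone_number`, while the `tenant-1` value a client sent in `clientMetadata` has no effect.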

**User pool, Amazon Cognito identity provider, `cognito-idp`, Amazon Cognito user pools**  
An AWS resource with authentication and authorization services for applications that work with OIDC IdPs.

**Verification**  <a name="terms-verification"></a>
The process of confirming that a user owns an email address or phone number. A user pool sends a code to a user who has entered a new email address or phone number. When they submit the code to Amazon Cognito, they verify their ownership of the message destination and can receive additional messages from the user pool. Also, see [confirmation](#terms-confirmation).

**User profile, user account**  <a name="terms-userprofile"></a>
An entry for a user in the [user directory](#terms-userdirectory). All users, including those from third-party IdPs, have a profile in their user pool.

## Identity pools


When you see the terms in the following list in this guide, they refer to a specific feature or configuration of identity pools.

**Attributes for access control**  <a name="term-afac"></a>
An implementation of [attribute-based access control](#terms-abac) in identity pools. Identity pools apply user attributes as tags to user credentials.

**Basic (classic) authentication**  
An authentication process where you can customize the request for [user credentials](#terms-usercredentials).

**Developer authenticated identities**  
An authentication process that authorizes identity pool [user credentials](#terms-usercredentials) with [developer credentials](#terms-developercredentials).

**Developer credentials**  <a name="terms-developercredentials"></a>
The IAM API keys of an identity pool administrator.

**Enhanced authentication**  
An authentication flow that selects an IAM role and applies principal tags according to the logic that you define in your identity pool.

**Identity**  
A [UUID](#terms-uuid) that links an app user and their [user credentials](#terms-usercredentials) to their profile in an external [user directory](#terms-userdirectory) that has a trust relationship with an identity pool.

**Identity pool, Amazon Cognito federated identities, Amazon Cognito identity, `cognito-identity`**  
An AWS resource with authentication and authorization services for applications that use [temporary AWS credentials](#terms-usercredentials).

**Unauthenticated identity**  
A user who has not signed in with an identity pool IdP. You can permit users to generate limited user credentials for a single IAM role before they authenticate.

**User credentials**  <a name="terms-usercredentials"></a>
Temporary AWS API keys that users receive after identity pool authentication.
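
The following Python is an added example, not code from this guide or the AWS SDK, that shows how an application obtains user credentials from an identity pool with the enhanced flow and with basic (classic) authentication, and where an unauthenticated identity fits. The pure helpers run offline; the two flow functions call AWS through boto3 only when invoked. The region, pool IDs and role ARN are constructed placeholders.

```python
"""Identity pool credential flows, as an added example (not AWS documentation code).

The helpers run offline; enhanced_flow and basic_flow call AWS through boto3
only when invoked. Region, pool IDs and the role ARN are constructed placeholders.
"""

REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"                                    # placeholder
IDENTITY_POOL_ID = "us-east-1:00000000-0000-4000-8000-000000000000"  # placeholder
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleCognitoAuthRole"   # placeholder


def logins_key(region: str, user_pool_id: str) -> str:
    """Provider name an identity pool expects for a user pool login."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def build_logins(region: str, user_pool_id: str, id_token: str) -> dict:
    """Logins map that proves sign-in.

    The user pool ID token is the proof, not the access token. For an
    unauthenticated identity, omit Logins from GetId entirely; the pool then
    vends credentials for its unauthenticated role only.
    """
    return {logins_key(region, user_pool_id): id_token}


def normalize_credentials(creds: dict) -> dict:
    """The two flows key the secret differently: GetCredentialsForIdentity
    returns SecretKey, STS returns SecretAccessKey. Give callers one shape."""
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds.get("SecretAccessKey", creds.get("SecretKey")),
        "session_token": creds["SessionToken"],
        "expiration": creds.get("Expiration"),  # temporary: plan to refresh
    }


def enhanced_flow(id_token: str) -> dict:
    """Enhanced authentication: the identity pool selects the IAM role itself
    (role-mapping rules, principal tags) and vends credentials in two calls."""
    import boto3  # lazy import so the helpers above load without the SDK
    ci = boto3.client("cognito-identity", region_name=REGION)
    logins = build_logins(REGION, USER_POOL_ID, id_token)
    identity_id = ci.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)["IdentityId"]
    resp = ci.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return normalize_credentials(resp["Credentials"])


def basic_flow(id_token: str, role_arn: str = ROLE_ARN) -> dict:
    """Basic (classic) authentication: the app names the role it wants, so the
    role's trust policy is the control that bounds which roles a user can take."""
    import boto3
    ci = boto3.client("cognito-identity", region_name=REGION)
    logins = build_logins(REGION, USER_POOL_ID, id_token)
    identity_id = ci.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)["IdentityId"]
    token = ci.get_open_id_token(IdentityId=identity_id, Logins=logins)["Token"]
    sts = boto3.client("sts", region_name=REGION)
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName="cognito-basic-flow",  # must match the STS session-name charset
        WebIdentityToken=token,
    )
    return normalize_credentials(resp["Credentials"])
```

The difference that matters for access control is who picks the role: with the enhanced flow the identity pool's configuration decides, with the basic flow the caller asks for one and IAM's trust policy decides whether to allow it.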

# Getting started with AWS


Before you start working with Amazon Cognito, set yourself up with some required AWS resources. If you can already sign in to an AWS account, you can skip this section. Continue reading if you are looking for information about signing up and signing in with AWS credentials. After you have credentials with sufficient AWS Identity and Access Management (IAM) permissions, you can get started with [user pools](getting-started-user-pools.md) and [identity pools](getting-started-with-identity-pools.md).

## Sign up for an AWS account


If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access


After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using the root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.