# Amazon Cognito

Amazon Cognito is a **fully managed authentication and authorization service** that provides:\
✔ **User authentication** – Sign-up, sign-in, and multi-factor authentication (MFA).\
✔ **Authorization & access control** – Maps users to **IAM roles** (through identity pools) for access to AWS resources.\
✔ **Federated Identity Management** – Supports **SSO with external providers** (Google, Facebook, Okta, etc.).\
✔ **Secure token handling** – Issues **OAuth 2.0 access tokens and OpenID Connect (OIDC) ID tokens as signed JWTs**.

***

### **🔹 Key Components of Amazon Cognito**

| **Component**                | **Purpose**                                                                       |
| ---------------------------- | --------------------------------------------------------------------------------- |
| **User Pools**               | Manages user authentication (Sign-up, Sign-in, MFA).                              |
| **Identity Pools**           | Grants AWS resource access based on user identity.                                |
| **Federated Authentication** | Allows users to log in via Google, Facebook, SAML, or OpenID Connect (OIDC).   |
| **Security & Compliance**    | Supports **MFA, password policies, encryption, and compliance** (HIPAA, PCI DSS). |

***

### **🔹 SecureCart Use Case: Implementing Cognito for Customer Authentication**

SecureCart, an **e-commerce platform**, wants to **simplify authentication** while ensuring **security and scalability**.

**✅ SecureCart’s Requirements:**\
✔ Customers can **sign up and log in** using email/password or **social logins (Google, Facebook)**.\
✔ Implement **MFA (Multi-Factor Authentication)** for sensitive actions (checkout, profile updates).\
✔ Use **Amazon Cognito User Pools** for authentication.\
✔ SecureCart's backend APIs must only be **accessible to authenticated users**.\
✔ Use **Amazon Cognito Identity Pools** to grant temporary AWS resource access.

***

### **🔹 Step-by-Step Implementation for SecureCart**

#### **1️⃣ Create a Cognito User Pool for Customer Authentication**

✅ **Steps**:

1. Navigate to **Amazon Cognito** → **Create User Pool**.
2. Set up **User Attributes** (Email, Phone, Name, etc.).
3. Enable **Self-Service Sign-Up** and enforce **password policies**.
4. Configure **MFA & Account Recovery**.
5. Enable **OAuth 2.0 Authorization** for third-party logins.
6. Create an **App Client** for **SecureCart’s frontend**.

**🔹 Why User Pools?**\
✔ Manages **authentication** securely.\
✔ Provides **MFA, password resets, and account recovery**.\
✔ Supports **JWT tokens for API access**.

***

#### **2️⃣ Enable Social Logins & Third-Party Authentication (Optional)**

SecureCart allows **customers to log in via Google and Facebook**.

✅ **Steps**:

1. Go to **Cognito User Pool** → **Identity Providers**.
2. Configure **Google & Facebook OAuth Credentials**.
3. Map **social login attributes (name, email, etc.)**.
4. Update the **App Client Settings** to support **federated logins**.

**🔹 Why Use Federated Authentication?**\
✔ **Increases conversion rates** (easier login).\
✔ Reduces **password management burden**.

***

#### **3️⃣ Configure Identity Pool for AWS Resource Access**

SecureCart uses **Amazon Cognito Identity Pools** to grant **temporary access to AWS resources**.

✅ **Steps**:

1. Navigate to **Amazon Cognito** → **Create Identity Pool**.
2. Enable **User Pool Authentication** (Link User Pool).
3. Define **IAM Roles** for **authenticated vs. unauthenticated users**.
4. Attach IAM Policies to restrict **S3, API Gateway, or DynamoDB** access.

**🔹 Use Case**:\
✔ **Authenticated users** can **access SecureCart APIs** and retrieve **order history**.\
✔ **Unauthenticated users** can **browse product catalogs**, but not place orders.

***

#### **4️⃣ Secure SecureCart API Gateway with Cognito Authorizer**

SecureCart’s **backend APIs** must be **accessible only to authenticated users**.

✅ **Steps**:

1. Navigate to **Amazon API Gateway** → **Create a new Authorizer**.
2. Select **Cognito User Pool** as the authentication source.
3. Attach the Cognito Authorizer to SecureCart’s API methods (e.g. `GET /orders`).
4. API Gateway validates the JWT sent in each request's token-source header (by default `Authorization`): signature against the user pool's published keys, issuer, and expiry. Requests that fail validation are rejected before the backend is invoked.

**🔹 Why Use Cognito with API Gateway?**\
✔ **Blocks unauthorized access** to SecureCart’s APIs.\
✔ Uses **JWT tokens** for secure API authentication.\
✔ **No need for custom authentication logic**.

***

#### **5️⃣ Enforce Multi-Factor Authentication (MFA) for High-Risk Actions**

SecureCart requires **MFA when updating payment details**. Cognito evaluates MFA during the sign-in flow rather than per API call, so the application enforces this by requiring a fresh, MFA-backed sign-in before the high-risk action is allowed.

✅ **Steps**:

1. Go to **Cognito User Pool** → **MFA & Advanced Security**.
2. Select **SMS-based MFA** or **TOTP** via an authenticator app (e.g. Google Authenticator).
3. Set MFA as **Required or Optional** based on user risk level.

**🔹 Why MFA?**\
✔ Prevents **unauthorized transactions** from a compromised password alone.\
✔ Helps meet **PCI DSS** requirements for strong authentication.

***

### **🔹 Summary**

✔ **Amazon Cognito User Pools** → Handles **sign-up, login, social authentication**.\
✔ **Amazon Cognito Identity Pools** → Grants **temporary AWS resource access**.\
✔ **API Gateway Cognito Authorizer** → Secures SecureCart’s backend **APIs**.\
✔ **MFA & Security Best Practices** → Protects **customer accounts** from breaches.
