Amazon Cognito

Amazon Cognito is a managed service that lets you quickly add users to your mobile and web applications by providing built-in sign-in screens and authentication functionality. It handles security, authorization, and synchronization for your user management process across devices for all your users. You can use Cognito to authenticate your users through external identity providers, including social identity providers such as Facebook, Google, Twitter, and LinkedIn. Cognito can also authenticate identities for any solution that is compatible with the SAML 2.0 standard. You can provide temporary security credentials with limited privileges to these authenticated users so that they can securely access your AWS resources. The following figure illustrates three basic functionalities of Amazon Cognito: user management, authentication, and synchronization:

Figure 5: AWS Cognito overview

This service is primarily designed for developers to use in their web and mobile apps. It enables developers to allow users to securely access the app's resources. You begin by creating and configuring a user pool, which is a user directory for your apps, in Amazon Cognito through the AWS Management Console, the AWS CLI, or the AWS SDK. Once you have created a user pool, you can download, install, and integrate the AWS Mobile SDK with your app, whether on iOS or Android. If you do not wish to use the SDK, you can also call the Cognito APIs directly, as the service exposes all control and data APIs as web services that you can consume through your own client library.

Amazon Cognito integrates with CloudTrail and CloudWatch so you can monitor Cognito metrics and log API activities in real time and take the required action for any suspicious activity or security threat.
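
As an added illustration (not code from the book), the following Python sketch shows one way to review the Cognito API activity that CloudTrail records: it flags successful calls that change how users authenticate and repeated failed calls from one source address. The watch list, the threshold, and the sample log are assumptions constructed for this example.

```python
import json
from collections import Counter

COGNITO_SOURCES = {"cognito-idp.amazonaws.com", "cognito-identity.amazonaws.com"}
# Assumed watch list: management calls that change how users authenticate.
SENSITIVE = {"SetUserPoolMfaConfig", "UpdateUserPool", "DeleteUserPool",
             "UpdateUserPoolClient", "AdminSetUserPassword", "AdminAddUserToGroup"}
FAILURE_THRESHOLD = 3  # assumed: failed Cognito calls per source IP before alerting

def review_cognito_trail(log_text):
    """Return (kind, detail) findings for the Cognito events in a CloudTrail log file."""
    records = [r for r in json.loads(log_text)["Records"]
               if r.get("eventSource") in COGNITO_SOURCES]
    findings, failures = [], Counter()
    for r in records:
        if r.get("errorCode"):
            # Denied or failed call: count per caller IP instead of alerting on each one.
            failures[r.get("sourceIPAddress", "unknown")] += 1
        elif r.get("eventName") in SENSITIVE:
            who = r.get("userIdentity", {}).get("arn", "unknown")
            findings.append(("sensitive-change", f"{r['eventName']} by {who}"))
    for ip, count in sorted(failures.items()):
        if count >= FAILURE_THRESHOLD:
            findings.append(("repeated-failures", f"{count} failed calls from {ip}"))
    return findings

def _record(name, ip, source="cognito-idp.amazonaws.com", error=None):
    """Build one constructed CloudTrail-style record (sample data, not a real log)."""
    rec = {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log; addresses come from documentation-only IP ranges.
SAMPLE_LOG = json.dumps({"Records": [
    _record("DescribeUserPool", "198.51.100.7"),
    _record("SetUserPoolMfaConfig", "198.51.100.7"),
    _record("AdminSetUserPassword", "203.0.113.9", error="AccessDenied"),
    _record("AdminSetUserPassword", "203.0.113.9", error="AccessDenied"),
    _record("AdminAddUserToGroup", "203.0.113.9", error="AccessDenied"),
    _record("PutObject", "203.0.113.9", source="s3.amazonaws.com", error="AccessDenied"),
]})

if __name__ == "__main__":
    for kind, detail in review_cognito_trail(SAMPLE_LOG):
        print(kind, "-", detail)
```

The S3 record in the sample is ignored because only Cognito event sources are reviewed, so the failure count for that address stays at three.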
