Nacho
Amazon Cognito IAM Provider
AWS-native CIAM with three feature tiers (Lite/Essentials/Plus). Offers the lowest per-MAU cost at scale and deep AWS ecosystem integration via Lambda triggers.
Features
- 🇺🇸US🇪🇺EU🇦🇵AP🇨🇦CA🇸🇦SA🇲🇪ME🇦🇫AF
- AWS
If you want to compare IAM features of different providers, please check out the (C)IAM Identity Providers benchmark.
Looking for Amazon Cognito’s OpenID Connect protocol compatibility? View Amazon Cognito on the OpenID Connect Providers benchmark.
Frequently Asked Questions
Does Amazon Cognito support Username and Password authentication method?
Amazon Cognito supports Username and Password authentication method. Read more
Does Amazon Cognito support Social Sign-in authentication method?
Amazon Cognito supports Social Sign-in authentication method. Google, Facebook, Apple, Amazon, custom OIDC/SAML providers. Read more
Does Amazon Cognito support Passkey authentication method?
Amazon Cognito supports Passkey authentication method. Available on Essentials and Plus tiers. Read more
Does Amazon Cognito support Email Passwordless authentication method?
Amazon Cognito supports Email Passwordless authentication method. Email OTP available on Essentials tier and above. Read more
Does Amazon Cognito support Phone Passwordless authentication method?
Amazon Cognito supports Phone Passwordless authentication method. Phone OTP (SMS) available on Essentials tier and above. Read more
Does Amazon Cognito support Magic Link authentication method?
Amazon Cognito does not support Magic Link authentication method. Magic link authentication is not natively supported by Amazon Cognito.
Does Amazon Cognito support Anonymous / Guest authentication method?
Amazon Cognito supports Anonymous / Guest authentication method. Supported via Amazon Cognito Identity Pools (Federated Identities) for unauthenticated guest access. Read more
Does Amazon Cognito support Time-based One-Time Password (TOTP) MFA?
Amazon Cognito supports Time-based One-Time Password (TOTP) MFA. TOTP MFA available on Essentials and Plus tiers. Read more
Does Amazon Cognito support HMAC-based One-Time Password (HOTP) MFA?
Amazon Cognito does not support HMAC-based One-Time Password (HOTP) MFA. Not natively supported. Requires custom authentication flow via Lambda triggers.
Does Amazon Cognito support Universal 2nd Factor (U2F) MFA?
Amazon Cognito partially supports Universal 2nd Factor (U2F) MFA. Not natively supported as U2F. Modern hardware keys (YubiKeys) are supported via native WebAuthn/Passkey support. Read more
Does Amazon Cognito support WebAuthn MFA?
Amazon Cognito supports WebAuthn MFA. WebAuthn MFA available via passkeys on Essentials tier and above. Read more
Does Amazon Cognito support Email Code MFA?
Amazon Cognito supports Email Code MFA. Email OTP MFA available on Essentials and Plus tiers. Read more
Does Amazon Cognito support Phone Code MFA?
Amazon Cognito supports Phone Code MFA. SMS OTP MFA available on Essentials and Plus tiers. Read more
Does Amazon Cognito support Recovery Code MFA?
Amazon Cognito does not support Recovery Code MFA. Static backup codes not supported. MFA recovery requires admin reset or custom implementation.
Does Amazon Cognito support Push Notification MFA?
Amazon Cognito does not support Push Notification MFA. Not natively supported. Requires custom implementation via SNS/Lambda.
Does Amazon Cognito support Adaptive / Risk-Based MFA MFA?
Amazon Cognito supports Adaptive / Risk-Based MFA MFA. Adaptive authentication with risk-based MFA on Plus tier. Read more
Does Amazon Cognito support Cisco Duo MFA?
Amazon Cognito does not support Cisco Duo MFA. Not natively supported. Requires custom integration via Lambda triggers.
Does Amazon Cognito support Step-Up Authentication MFA?
Amazon Cognito supports Step-Up Authentication MFA. Supported via custom authentication flows using Lambda triggers (Pre-token generation or custom auth challenges). Read more
Does Amazon Cognito support OpenID Connect (OIDC) integration protocol?
Amazon Cognito supports OpenID Connect (OIDC) integration protocol. Read more
Does Amazon Cognito support SAML 2.0 integration protocol?
Amazon Cognito supports SAML 2.0 integration protocol. Read more
Does Amazon Cognito support WS-Federation integration protocol?
Amazon Cognito does not support WS-Federation integration protocol.
Does Amazon Cognito support Machine-to-Machine (M2M) Authentication integration protocol?
Amazon Cognito supports Machine-to-Machine (M2M) Authentication integration protocol. OAuth 2.0 client credentials grant for M2M authentication. M2M app-client fee was removed in November 2025. Read more
Does Amazon Cognito support OpenID Connect (OIDC) Federation identity federation?
Amazon Cognito supports OpenID Connect (OIDC) Federation identity federation. Configure OIDC identity providers per user pool. Read more
Does Amazon Cognito support SAML 2.0 Federation identity federation?
Amazon Cognito supports SAML 2.0 Federation identity federation. Configure SAML identity providers per user pool. Read more
Does Amazon Cognito support Active Directory / LDAP identity federation?
Amazon Cognito partially supports Active Directory / LDAP identity federation. Active Directory/LDAP integration via SAML or OIDC federation only. No native LDAP connector. Read more
Does Amazon Cognito support Azure Active Directory (Entra ID) identity federation?
Amazon Cognito supports Azure Active Directory (Entra ID) identity federation. Microsoft Entra ID (Azure AD) integration via SAML or OIDC federation. Read more
Does Amazon Cognito support Bulk User Import user management?
Amazon Cognito supports Bulk User Import user management. Read more
Does Amazon Cognito support Password Hash Import (Multiple Formats) user management?
Amazon Cognito supports Password Hash Import (Multiple Formats) user management. Password hash import supported via the import job API. Read more
Does Amazon Cognito support Bulk User Export user management?
Amazon Cognito supports Bulk User Export user management. Export users via ListUsers API with pagination. Read more
Does Amazon Cognito support Bulk User Update / Delete user management?
Amazon Cognito does not support Bulk User Update / Delete user management. No native bulk update or delete API. Operations must be performed per-user via AdminUpdateUserAttributes or AdminDeleteUser. Read more
Does Amazon Cognito support Upsert on Import user management?
Amazon Cognito does not support Upsert on Import user management. CSV import only creates new users; existing users are skipped with a [SKIPPED] status. Upsert is not supported. Read more
Does Amazon Cognito support Legacy Username Import (Non-Allowed Characters) user management?
Amazon Cognito does not support Legacy Username Import (Non-Allowed Characters) user management. Cognito enforces username constraints (max 128 chars, ASCII). Legacy usernames with arbitrary special characters cannot be directly imported. Read more
Does Amazon Cognito support MFA Enrollment Import user management?
Amazon Cognito does not support MFA Enrollment Import user management. CSV import can flag MFA as enabled but cannot import existing TOTP secrets or SMS enrollments. Users must re-enroll MFA after import. Read more
Does Amazon Cognito support Inbound SCIM Provisioning user management?
Amazon Cognito does not support Inbound SCIM Provisioning user management. Amazon Cognito User Pools do not support the SCIM protocol. SCIM is only available in AWS IAM Identity Center, which is a separate service. Read more
Does Amazon Cognito support Outbound SCIM Provisioning user management?
Amazon Cognito does not support Outbound SCIM Provisioning user management. Amazon Cognito User Pools do not support outbound SCIM provisioning. Read more
Does Amazon Cognito support SCIM Groups Provisioning user management?
Amazon Cognito does not support SCIM Groups Provisioning user management. Amazon Cognito User Pools do not support SCIM groups provisioning. Read more
Does Amazon Cognito support Just-In-Time (JIT) User Provisioning user management?
Amazon Cognito supports Just-In-Time (JIT) User Provisioning user management. Just-in-time provisioning supported via SAML/OIDC federation. Amazon Cognito creates a user profile on first federated sign-in by mapping IdP attributes. Read more
Does Amazon Cognito support Lazy / Trickle Migration from Legacy Database user management?
Amazon Cognito supports Lazy / Trickle Migration from Legacy Database user management. Zero-downtime user migration via Lambda user migration trigger. Read more
Does Amazon Cognito support Self-Service Profile Management Portal user management?
Amazon Cognito does not support Self-Service Profile Management Portal user management. Managed Login does not support user self-service profile management such as attribute changes or MFA preference. Custom UI using Cognito APIs is required. Read more
Does Amazon Cognito support User Account Linking user management?
Amazon Cognito supports User Account Linking user management. Read more
Does Amazon Cognito support User Blocking / Banning user management?
Amazon Cognito supports User Blocking / Banning user management. Disable user accounts to prevent authentication via AdminDisableUser API. Read more
Does Amazon Cognito support User Metadata user management?
Amazon Cognito supports User Metadata user management. Custom user attributes stored in the user pool. Up to 50 custom attributes, max 2048 characters each. Read more
Does Amazon Cognito support Application Metadata user management?
Amazon Cognito supports Application Metadata user management. Custom attributes can be marked as write-protected for end users, functioning as app-managed metadata. Read more
Does Amazon Cognito support Metadata Size Limits user management?
Amazon Cognito supports Metadata Size Limits user management. Custom attribute values are limited to 2048 characters. A maximum of 50 custom attributes can be added per user pool. Read more
Does Amazon Cognito support User Search user management?
Amazon Cognito supports User Search user management. Read more
Does Amazon Cognito support Role-Based Access Control (RBAC) user management?
Amazon Cognito partially supports Role-Based Access Control (RBAC) user management. Group-based access control. No fine-grained RBAC UI. Full RBAC requires Amazon Verified Permissions. Read more
Does Amazon Cognito support Organizations (Multi-Tenancy B2B) user management?
Amazon Cognito partially supports Organizations (Multi-Tenancy B2B) user management. Multi-tenancy via separate user pools per tenant. No native B2B organization model.
Does Amazon Cognito support Password Strength Policies user management?
Amazon Cognito supports Password Strength Policies user management. Read more
Does Amazon Cognito support Username Restrictions user management?
Amazon Cognito supports Username Restrictions user management. Usernames are limited to 128 characters. Case sensitivity is configurable. Aliases (email, phone) can substitute for username at sign-in. Read more
Does Amazon Cognito support Progressive Profiling / Forms user management?
Amazon Cognito does not support Progressive Profiling / Forms user management.
Does Amazon Cognito support Attribute-Based Access Control (ABAC) access control?
Amazon Cognito supports Attribute-Based Access Control (ABAC) access control. Attribute-based access control via Amazon Verified Permissions (Cedar policy language). Read more
Does Amazon Cognito support Fine-Grained Authorization (FGA / ReBAC) access control?
Amazon Cognito supports Fine-Grained Authorization (FGA / ReBAC) access control. Fine-grained authorization via Amazon Verified Permissions using Cedar-based policies. Read more
Does Amazon Cognito support API Authorization (Scopes / Permissions) access control?
Amazon Cognito supports API Authorization (Scopes / Permissions) access control. Read more
Does Amazon Cognito support Audit Log Retention security feature?
Amazon Cognito supports Audit Log Retention security feature. CloudTrail logging for all Cognito API calls. Read more
Does Amazon Cognito support Audit Log Streaming security feature?
Amazon Cognito supports Audit Log Streaming security feature. Stream logs to CloudWatch, S3, and Amazon Kinesis Firehose. Read more
Does Amazon Cognito support Security Center (Threat Monitoring Dashboard) security feature?
Amazon Cognito partially supports Security Center (Threat Monitoring Dashboard) security feature. Advanced security features available on Plus tier via the Cognito console.
Does Amazon Cognito support Encryption at Rest security feature?
Amazon Cognito supports Encryption at Rest security feature.
Does Amazon Cognito support Encryption in Transit security feature?
Amazon Cognito supports Encryption in Transit security feature.
Does Amazon Cognito support Customer Managed Keys (BYOK) security feature?
Amazon Cognito does not support Customer Managed Keys (BYOK) security feature. Amazon Cognito encrypts user pool data internally and does not support customer-provided or customer-managed KMS keys for user pool encryption. Read more
Does Amazon Cognito support Bot Detection security feature?
Amazon Cognito partially supports Bot Detection security feature. Bot detection via AWS WAF integration. Not built-in to Cognito directly. Read more
Does Amazon Cognito support Brute Force Protection security feature?
Amazon Cognito supports Brute Force Protection security feature. Read more
Does Amazon Cognito support Suspicious IP Throttling security feature?
Amazon Cognito supports Suspicious IP Throttling security feature. Available on Plus tier. Read more
Does Amazon Cognito support Breached Password Detection security feature?
Amazon Cognito supports Breached Password Detection security feature. Compromised credential detection available on Plus tier. Read more
Does Amazon Cognito support Credential Guard (Dark Web Monitoring) security feature?
Amazon Cognito does not support Credential Guard (Dark Web Monitoring) security feature. No dedicated dark web credential monitoring. Cognito's compromised credentials detection (Plus tier) checks credentials against public breach lists, which is covered under breached_password_detection.
Does Amazon Cognito support Tenant Access Control List (IP ACL) security feature?
Amazon Cognito does not support Tenant Access Control List (IP ACL) security feature. No native per-tenant IP allowlist/blocklist. IP-based access control requires AWS WAF integration with a web ACL attached to the user pool. Read more
Does Amazon Cognito support Device Fingerprinting security feature?
Amazon Cognito supports Device Fingerprinting security feature. Device tracking available on Plus tier for adaptive authentication. Read more
Does Amazon Cognito support Per-Organization Branding multi-tenancy?
Amazon Cognito partially supports Per-Organization Branding multi-tenancy. Per-app-client branding via Managed Login on Essentials tier and above.
Does Amazon Cognito support Per-Organization MFA Policy multi-tenancy?
Amazon Cognito does not support Per-Organization MFA Policy multi-tenancy.
Does Amazon Cognito support Hosted / Universal Login Page branding feature?
Amazon Cognito supports Hosted / Universal Login Page branding feature. Managed Login hosted UI with visual editor on Essentials and Plus tiers. Read more
Does Amazon Cognito support Embedded / Native Login Components branding feature?
Amazon Cognito supports Embedded / Native Login Components branding feature. Amplify UI components for embedding authentication in web and mobile apps. Read more
Does Amazon Cognito support White-Label / Full Brand Removal branding feature?
Amazon Cognito partially supports White-Label / Full Brand Removal branding feature. Custom branding available on Essentials and Plus tiers. Full white-labeling requires custom domain and Managed Login.
Does Amazon Cognito support Localization / i18n branding feature?
Amazon Cognito partially supports Localization / i18n branding feature. Hosted UI supports some localization; full i18n requires custom UI.
Does Amazon Cognito support Prebuilt UI Components (SDK) branding feature?
Amazon Cognito partially supports Prebuilt UI Components (SDK) branding feature. Amplify UI Authenticator provides React, Vue, Angular, and React Native components. Read more
Does Amazon Cognito support Login / Auth Analytics Dashboard analytics?
Amazon Cognito partially supports Login / Auth Analytics Dashboard analytics. Authentication metrics available via Amazon CloudWatch. Read more
Does Amazon Cognito support SOC 2 Type II Certification compliance?
Amazon Cognito supports SOC 2 Type II Certification compliance.
Does Amazon Cognito support ISO 27001 / 27017 / 27018 Certification compliance?
Amazon Cognito supports ISO 27001 / 27017 / 27018 Certification compliance.
Does Amazon Cognito support HIPAA Business Associate Agreement (BAA) compliance?
Amazon Cognito supports HIPAA Business Associate Agreement (BAA) compliance. Read more
Does Amazon Cognito support PCI DSS Compliance compliance?
Amazon Cognito supports PCI DSS Compliance compliance. Read more
Does Amazon Cognito support CSA STAR Certification compliance?
Amazon Cognito supports CSA STAR Certification compliance.
Does Amazon Cognito support FedRAMP Authorization compliance?
Amazon Cognito supports FedRAMP Authorization compliance. Amazon Cognito has FedRAMP authorization in select AWS GovCloud regions. Read more
Does Amazon Cognito support GDPR: Data Export (Portability) compliance?
Amazon Cognito supports GDPR: Data Export (Portability) compliance.
Does Amazon Cognito support GDPR: Right to be Forgotten (User Deletion) compliance?
Amazon Cognito supports GDPR: Right to be Forgotten (User Deletion) compliance.
Does Amazon Cognito support Consent Management compliance?
Amazon Cognito does not support Consent Management compliance.
Does Amazon Cognito support Region Deployment compliance?
Amazon Cognito supports Region Deployment compliance. Deploy in 29+ AWS regions worldwide. Read more
Does Amazon Cognito support Private Cloud Deployment compliance?
Amazon Cognito supports Private Cloud Deployment compliance. Runs natively on AWS infrastructure. Dedicated GovCloud option available.
Does Amazon Cognito support SDK Coverage developer integration?
Amazon Cognito supports SDK Coverage developer integration. Amplify SDK covers JavaScript, React, React Native, iOS, Android, Flutter. AWS SDKs for all major languages. Read more
Does Amazon Cognito support Management API developer integration?
Amazon Cognito supports Management API developer integration. Read more
Does Amazon Cognito support Authentication API Rate Limits developer integration?
Amazon Cognito supports Authentication API Rate Limits developer integration. Read more
Does Amazon Cognito support Actions / Extensibility Pipeline developer integration?
Amazon Cognito supports Actions / Extensibility Pipeline developer integration. Lambda triggers for all authentication events (Pre-signup, Post-authentication, Pre-token generation, etc.). Read more
Does Amazon Cognito support TypeScript Support in Extensibility developer integration?
Amazon Cognito supports TypeScript Support in Extensibility developer integration. AWS Lambda supports TypeScript natively.
Does Amazon Cognito support Custom Domain developer integration?
Amazon Cognito supports Custom Domain developer integration. Read more
Does Amazon Cognito support Deploy CLI (Infrastructure as Code) developer integration?
Amazon Cognito supports Deploy CLI (Infrastructure as Code) developer integration. Supported via AWS CDK, AWS CloudFormation, AWS SAM, and Amplify CLI. CDK provides L2 constructs for both User Pools and Identity Pools. Read more
Does Amazon Cognito support Terraform Provider developer integration?
Amazon Cognito supports Terraform Provider developer integration. AWS Terraform provider covers all Cognito resources. Read more
Does Amazon Cognito support Custom Database Connections developer integration?
Amazon Cognito supports Custom Database Connections developer integration. User migration Lambda trigger connects to legacy databases. Read more
Does Amazon Cognito support Native Webhook Support developer integration?
Amazon Cognito supports Native Webhook Support developer integration. Lambda triggers fire on authentication events, acting as webhooks. Read more
Does Amazon Cognito support Universal Login / Hosted Login Page Customization developer integration?
Amazon Cognito supports Universal Login / Hosted Login Page Customization developer integration. Managed Login visual editor available on Essentials and Plus tiers. Read more
Does Amazon Cognito support Custom Email Provider (SMTP) developer integration?
Amazon Cognito supports Custom Email Provider (SMTP) developer integration. Amazon SES required for production email. Custom SMTP not natively supported. Read more
Does Amazon Cognito support Email Templates developer integration?
Amazon Cognito supports Email Templates developer integration. Read more
Does Amazon Cognito support Custom OIDC Claims / Token Enrichment developer integration?
Amazon Cognito supports Custom OIDC Claims / Token Enrichment developer integration. Pre-token generation Lambda trigger allows adding custom claims to tokens. Read more
Does Amazon Cognito support No-Code Auth Flow Builder / Orchestration feature?
Amazon Cognito does not support No-Code Auth Flow Builder / Orchestration feature.
Does Amazon Cognito support Identity Verification / Document Proofing feature?
Amazon Cognito does not support Identity Verification / Document Proofing feature.
Does Amazon Cognito support Decentralized / Verifiable Credentials feature?
Amazon Cognito does not support Decentralized / Verifiable Credentials feature.
Does Amazon Cognito support Built-in Billing / Subscription Management feature?
Amazon Cognito does not support Built-in Billing / Subscription Management feature.
Does Amazon Cognito support Agentic AI / MCP Server Authentication feature?
Amazon Cognito does not support Agentic AI / MCP Server Authentication feature.
Note: The current data is based on provider documentation/experience and may not be 100% accurate. Please open an issue if you have spotted any inconsistencies.