Confused on use/ need of cognito

So since Parse is shutting down, we are moving our website / mobile app that we've been developing to AWS. We are primarily going to use the following services: SNS, SES, Dynamo, S3, Lambda. Now I am still a bit confused on:

  1. What is Cognito used for? Do we really need Cognito to authenticate users and use DynamoDB, S3, SNS? Or can we just use the specific APIs for each of these services and connect directly (using the JS SDK)?

  2. If we do have to use Cognito, how do we save local data, i.e. the logged-in user / identity? Is that what Cognito Sync is for, or do we have to use cookies?

In summary, why do I need Cognito when I can directly connect to DynamoDB using the JavaScript SDK?! Thank you in advance.

Tangleman asked Mar 13 '23 20:03


1 Answer

Amazon Cognito can be decomposed into two sub-services: Amazon Cognito Identity and Amazon Cognito Sync.

Think of the former as an authentication service and a credentials provider. The latter is just a service to store user data and keep it synchronized between multiple devices.

What is the purpose of Amazon Cognito Identity?

Suppose that you have a table in DynamoDB. Let's say that you have a web application that will store an item on that table.

You can create a user in IAM, embed the credential information in the web application, and then put the item on the table using the AWS SDK.

There are three things going on here:

  • The credentials are embedded in the application.
  • The credentials do not expire.
  • Every user in your application has the same access rights on your table.

This may be fine for some applications, but Amazon Cognito Identity offers a solution to these common problems.

Let me explain Cognito Identity's workflow:

  1. A user registers an account on your application, sending all the information (username, password, other data...) to your server.
  2. The server stores the user in some back-end database (it could be a DynamoDB table) and creates a new identity on the Cognito service. This identity is then mapped to this user.
  3. The user can now log in to your application. The user logs in and sends a username and password to your server. (This process could be done automatically after account registration.)
  4. The server checks the username and password against your back-end database. If everything is right, then the server makes a request to Amazon Cognito for a temporary access token.
  5. The web application receives the token and makes a request to Amazon Cognito (using that access token) to get the user credentials. These credentials are basically a temporary IAM user that was created specifically for this user. It will have an expiration (usually an hour).
  6. The web application uses these credentials to make operations on AWS, such as putting an item on a DynamoDB table, or calling a Lambda.
  7. When the credentials expire, the user must log in to the application again. This might be done automatically or not, depending on your application's requirements.

On the Amazon Cognito dashboard, you can configure roles and policies for your "identities" (a user in Cognito). This way you can specify which services it can access. It even allows you to create access roles for your users (admin users may be able to access some services that normal users should not).

I should also note that Amazon Cognito can be easily adapted to support Facebook / Google+ / Amazon accounts, which will be mapped to the same identity, so the user can log in via multiple sources.

What is the purpose of Amazon Cognito Sync?

Consider it like a DynamoDB table where you store information for a specific user. This information is shared between multiple devices and is always synchronized. This means that when a web application updates a user value, the mobile application will automatically reflect this change.

There is a limit on how much user data you can store (I don't remember now), so it's not something you would use to persist information (such as a user password), but rather a means to share information.

Matias Cicero answered Mar 19 '23 03:03