Over a million developers have joined DZone.

Serverless User Management Using AWS Cognito and Lambda

DZone 's Guide to

Serverless User Management Using AWS Cognito and Lambda

This tutorial will show you the basics of constructing an operational backend for your login and registration process.

· Cloud Zone ·
Free Resource

Image title


We will discuss the capabilities of AWS Cognito and Lambda to create a complete user management system without maintaining any servers or database. We will also present the configuration of Amazon Cognito and Lambda functions to demonstrate the usage of multiple the SDKs of Cognito.

Other components which are used in the architecture.

  • API Gateway
  • CloudWatch
  • AppSync and Amplify (Sample Federated Identities)


Let’s look at the high-level architecture. The website is a responsive user self-service portal with the following functionalities are incorporated

  1. User sign-up
  2. Confirmation of email
  3. User login
  4. User signout
  5. Forget password function
  6. Inventory page (Another AWS Service: AppSync)
  7. User details

The inventory page (AWS AppSync) is a different topic which has been incorporated into the frontend responsive web app as an integration plugin using AWS Amplify. The configuration is not part of this post. However, we will show how pre-configured Cognito user pools are used as federated identity services in AppSync and Amplify to validate authorization.


In the above diagram, we have all the API Gateways which are endpoints to all the fleets of Lambda implementing the Cognito User Management Function. The User Management System is defined in the following ways:

  • User signs up using their first and last names, email. and password.
    • Provided all the validation policies satisfy, the user is created as UNCONFIRMED and an email is sent to the userName with a link.
  • When the User clicks on the above link, they become CONFIRMED users inside the Cognito user pool and are able to log in using the same password.

Cognito User Pool Configuration

We configure the pool with the password policies and other mandatory attributes link given_name (firstName), family_name (lastName) and email (username). We customize the body of the email which will be sent when the user signs up.

Once the above configuration is completed in the Cognito Console. We take note of the  Pool_Id  and  App Client Id  which will be used for integrating the SDK’s of Cognito in the Lambda Functions.

Triggers (Optional): The User Pool also has options of multiple triggers which can be added which any users are added in the pool. However, we will skip these section as it an optional and can be used if we need to invoke any other services along with the Cognito.

API Gateway and Lambda Configuration

We have created the rest endpoints using API Gateway and integrated the back end with lambda functions which consume the Cognito SDKs where we provide the App Client Id and Pool Id which were created above.

The Python implementation above is an example of the sign-up functionality using Cognito SDK in the lambda serverless services. We have similar implementations of all the other functionalities of user management likesign_in , signout , forgotpassword . All of these implementations are exposed by a separate API endpoints.

Sample Request for Sign-in

Sample Response for Sign-in

Once the user is confirmed, then 3 tokens are fetched using the sign-in functions. All of these tokens have their own importance which can be read in this post.

Using Cognito as Authority Identity Federated Services

In the responsive web app, we have use Amplify and AppSync to implement the user inventory table functionality mentioned above. 

These are only one of the few services which are shown in the example; however, this can be extended to multiple important services of AWS like S3, DynamoDB. Cognito User Pool and Identity Federation Pool can be utilized to perform an important secured user management system.


The above example shows how Cognito can be used to maintain user data’s as well as cater to the web app responsive tool using the toggle between Confirmed and Unconfirmed status. This same orchestration can be extended to many of the other services which can take advantage of these authorization capabilities of the user pool and identity federation to control who can access or who are denied from any services. There is no need of provisioning of database or any 3pp to maintain the user data’s or status.

serverless ,aws ,lambda ,user management ,login ,registration

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}