
AWS Cognito Auth

by EncryptShawn · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · Security Clean · 105 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw
/install aws-cognito
Description
Use this skill for ANY task involving AWS Cognito — user pools, identity pools, authentication flows, token handling, social/enterprise federation, MFA, Lamb...
README (SKILL.md)

AWS Cognito Skill

This skill helps you build, configure, debug, and manage AWS Cognito resources — user pools, identity pools, app clients, Lambda triggers, federation, and integrations with other AWS services.

Quick Decision: What Does the User Need?

  1. New Cognito setup from scratch → Read references/setup-guide.md, then follow the setup workflow
  2. CDK / CloudFormation / Terraform IaC → Read references/iac-patterns.md for production-ready templates
  3. Authentication flow implementation → Read references/auth-flows.md for SDK code and flow selection
  4. Debugging / troubleshooting → Read references/troubleshooting.md for common issues and fixes
  5. Lambda triggers → Read references/lambda-triggers.md for trigger patterns
  6. Security hardening → Read references/security.md for best practices

Read the relevant reference file(s) before generating any code or configuration. Multiple files may apply — for example, a new CDK setup would benefit from both setup-guide.md and iac-patterns.md.

Core Concepts (Always Keep in Mind)

User Pools vs Identity Pools

These are the two main Cognito components and they serve different purposes:

  • User Pool: A user directory and OIDC identity provider. Handles sign-up, sign-in, MFA, token issuance (ID token, access token, refresh token), and federation with external IdPs. Think of it as "who is this user?"
  • Identity Pool (Federated Identities): Exchanges tokens (from a user pool, social provider, SAML, or OIDC) for temporary AWS credentials (STS). Think of it as "what AWS resources can this user access?"

A common architecture uses both: User Pool authenticates the user and issues tokens → Identity Pool exchanges those tokens for AWS credentials → User accesses S3, DynamoDB, etc.

Feature Plans (Pricing Tiers)

As of late 2024, Cognito uses feature plans instead of the old "advanced security" toggle:

  • Lite: Low-cost, basic auth features. Good for simple apps with fewer MAUs.
  • Essentials (default for new pools): All latest auth features including access-token customization and managed login.
  • Plus: Everything in Essentials plus threat protection (adaptive auth, compromised credential detection).

Always ask the user which plan they need, or default to Essentials for new setups.

Token Types

  • ID Token: Contains user identity claims (email, name, groups, custom attributes). Use for identity verification on your backend.
  • Access Token: Contains scopes and authorized actions. Use for API authorization (e.g., API Gateway Cognito Authorizer).
  • Refresh Token: Long-lived token to obtain new ID/access tokens without re-authentication. Default validity is 30 days.

Workflow: Building a Cognito Solution

Step 1: Clarify Requirements

Before writing any code, determine:

  • Auth methods: Username/password? Email-only? Phone? Social login (Google, Apple, Facebook)? Enterprise SAML/OIDC?
  • MFA: Required, optional, or off? SMS, TOTP authenticator app, or email?
  • Self-service sign-up: Enabled or admin-only user creation?
  • Token usage: Frontend-only (SPA/mobile)? Backend API authorization? Direct AWS resource access?
  • IaC preference: CDK (TypeScript/Python), CloudFormation, Terraform, or console/CLI?
  • Frontend framework: React/Amplify, Next.js, Vue, mobile (iOS/Android), or custom?

Step 2: Design the Architecture

Based on requirements, determine:

  • User Pool configuration (sign-in aliases, attributes, password policy, MFA)
  • App client(s) — public (no secret, for SPAs/mobile) vs confidential (with secret, for server-side)
  • OAuth flows — Authorization Code (with PKCE for public clients), Implicit (legacy, avoid), Client Credentials (M2M)
  • Whether an Identity Pool is needed (only if users need direct AWS resource access)
  • Lambda triggers needed (pre-sign-up, post-confirmation, pre-token-generation, custom auth, etc.)
  • Domain — Cognito-hosted prefix domain or custom domain

Step 3: Implement

Read the appropriate reference files and generate code. Always:

  • Use the latest CDK v2 constructs (aws-cdk-lib/aws-cognito) — never CDK v1
  • For SDK code, use AWS SDK v3 (@aws-sdk/client-cognito-identity-provider) — never v2
  • For frontend, prefer Amplify v6 (aws-amplify) patterns
  • Include proper error handling and token refresh logic
  • Set RemovalPolicy.RETAIN on user pools in production (data loss prevention)
  • Never hardcode secrets — use environment variables or AWS Secrets Manager

Step 4: Security Review

Before declaring done, verify against references/security.md:

  • MFA is enabled (at least optional) for production
  • Password policy meets requirements (minimum 8 chars, complexity rules)
  • Token validity periods are reasonable
  • WAF is considered for public-facing auth endpoints
  • Least-privilege IAM for any Identity Pool roles
  • Client secrets are used for confidential clients
  • HTTPS-only callback URLs
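To make the review repeatable, here is an added example (not from the skill or its references) that applies the checklist above to the JSON returned by `aws cognito-idp describe-user-pool` and `aws cognito-idp describe-user-pool-client`. The numeric thresholds (1 hour for access tokens, the 30-day refresh default) and the `isPublic` flag are this example's assumptions, and the sample objects at the bottom are constructed to exercise the rules.

```javascript
// Added example, not part of the skill: lint a user pool and app client against
// the Step 4 checklist. Input objects are shaped like the `UserPool` and
// `UserPoolClient` members of the describe-* CLI output.

// Cognito's API defaults when TokenValidityUnits is absent: access/ID in hours, refresh in days.
function toHours(value, unit, defaultUnit) {
  if (value === undefined) return undefined;
  const factor = { seconds: 1 / 3600, minutes: 1 / 60, hours: 1, days: 24 }[unit || defaultUnit];
  return value * factor;
}

function reviewUserPool(pool) {
  const findings = [];
  if ((pool.MfaConfiguration || "OFF") === "OFF") findings.push("MFA is OFF; use OPTIONAL or ON for production");
  const pp = (pool.Policies && pool.Policies.PasswordPolicy) || {};
  if ((pp.MinimumLength || 0) < 8) findings.push("password MinimumLength below 8");
  if (!(pp.RequireUppercase && pp.RequireLowercase && pp.RequireNumbers && pp.RequireSymbols)) {
    findings.push("password policy lacks complexity rules");
  }
  return findings;
}

// `isPublic` states the reviewer's intent for the client (SPA/mobile vs server-side).
function reviewAppClient(client, { isPublic }) {
  const findings = [];
  const flows = client.AllowedOAuthFlows || [];
  if (flows.includes("implicit")) findings.push("implicit grant enabled (legacy); use code with PKCE");
  if (isPublic && client.ClientSecret) findings.push("public client has a secret it cannot keep");
  if (!isPublic && !client.ClientSecret) findings.push("confidential client has no secret");
  for (const url of client.CallbackURLs || []) {
    // Cognito permits http only for localhost; everything else must be HTTPS.
    if (!url.startsWith("https://") && !url.startsWith("http://localhost")) {
      findings.push(`non-HTTPS callback URL: ${url}`);
    }
  }
  const units = client.TokenValidityUnits || {};
  const accessHours = toHours(client.AccessTokenValidity, units.AccessToken, "hours");
  const refreshHours = toHours(client.RefreshTokenValidity, units.RefreshToken, "days");
  if (accessHours !== undefined && accessHours > 1) findings.push(`access token validity ${accessHours}h exceeds 1h (assumed limit)`);
  if (refreshHours !== undefined && refreshHours > 30 * 24) findings.push("refresh token validity exceeds the 30-day default");
  if (client.PreventUserExistenceErrors !== "ENABLED") findings.push("PreventUserExistenceErrors not ENABLED (user enumeration)");
  return findings;
}

// Constructed samples, shaped like describe-user-pool-client output.
const WEAK_CLIENT = {
  ClientId: "weak", AllowedOAuthFlows: ["implicit", "code"], CallbackURLs: ["http://app.example.com/cb"],
  AccessTokenValidity: 24, RefreshTokenValidity: 3650, PreventUserExistenceErrors: "LEGACY",
};
const HARDENED_CLIENT = {
  ClientId: "spa", AllowedOAuthFlows: ["code"], CallbackURLs: ["https://app.example.com/cb"],
  AccessTokenValidity: 60, RefreshTokenValidity: 30,
  TokenValidityUnits: { AccessToken: "minutes", IdToken: "minutes", RefreshToken: "days" },
  PreventUserExistenceErrors: "ENABLED",
};

module.exports = { toHours, reviewUserPool, reviewAppClient, WEAK_CLIENT, HARDENED_CLIENT };
```

Run it as a gate in the IaC pipeline after deployment: an empty findings list for each pool and client is the pass condition, and any finding blocks the "done" declaration.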

Common Patterns Quick Reference

Cognito + API Gateway

Use a Cognito User Pool Authorizer on API Gateway. The access token is validated automatically. Scopes in the token control which API methods are accessible.

Cognito + AppSync

Configure AMAZON_COGNITO_USER_POOLS authorization on your GraphQL API. Use @auth directives in your schema for fine-grained access control.

Cognito + S3 (via Identity Pool)

User Pool → Identity Pool → IAM role with S3 permissions scoped to ${cognito-identity.amazonaws.com:sub}/* for per-user folders.

Cognito + Lambda (Custom Auth)

Use CUSTOM_AUTH flow with Define, Create, and Verify Auth Challenge triggers for passwordless (magic link, OTP) or multi-step authentication.

Machine-to-Machine (M2M)

Use Client Credentials grant with a resource server and custom scopes. No user interaction — one app authenticating to another.

Important Reminders

  • User pool attributes marked as required at creation CANNOT be changed later. Plan attributes carefully.
  • Custom attributes are always prefixed with custom: (e.g., custom:company).
  • The sub attribute is the unique, immutable user identifier. Use it as your primary key, not email or username.
  • Email/phone verification is separate from sign-in aliases. Auto-verify what you use for sign-in.
  • Cognito has service quotas (e.g., API request rate limits). For high-volume apps, request quota increases proactively.
  • Lambda triggers execute synchronously and have a 5-second timeout. Keep them fast.

Usage Guidance

This skill is a documentation/authoring helper for AWS Cognito and appears internally consistent. It will show and generate code that expects you to provide AWS credentials, environment variables (USER_POOL_ID, CLIENT_ID, USERS_TABLE, etc.), and possibly Secrets Manager entries when you deploy the generated Lambdas/clients — but the skill does not itself collect or require those secrets. Before using it:

  1. Do not paste long-lived AWS credentials into chat; prefer IAM roles with least privilege for admin operations and use Secrets Manager for client secrets.
  2. Review any generated Pre-Token-Generation or Lambda trigger code carefully — these modify tokens and can elevate claims (e.g., inject admin roles) if misused.
  3. Ensure token storage and refresh patterns follow the security guidance in the references (avoid localStorage, use HttpOnly cookies or platform-provided secure storage).
  4. When deploying triggers, verify they run within the 5s Cognito timeout and have appropriate IAM permissions scoped to specific resources.
  5. Confirm you are comfortable granting whatever runtime AWS credentials are necessary to execute the code the skill generates.

If you want the skill to perform live AWS actions on your behalf, ask the publisher how it expects credentials to be provided and audited; otherwise using it as a documentation/authoring aid is low-risk.

Capability Analysis

Type: OpenClaw Skill · Name: aws-cognito · Version: 1.0.0

The AWS Cognito skill bundle is a comprehensive and well-documented resource for managing authentication and authorization. It includes high-quality code snippets for AWS SDK v3, Amplify v6, and various IaC tools (CDK, Terraform, CloudFormation) that follow industry best practices. The documentation, particularly in security.md and lambda-triggers.md, emphasizes security-first configurations such as MFA, WAF integration, and least-privilege IAM roles, with no evidence of malicious intent, data exfiltration, or prompt injection.

Capability Assessment

Purpose & Capability

Name/description (AWS Cognito guidance, code patterns, IaC, triggers, security) match the provided content: lots of documentation and examples for Cognito use-cases. The skill does not request unrelated credentials or binaries.

Instruction Scope

SKILL.md directs the agent to read the included reference files and generate code/config. The references include sample Lambda handlers and SDK/CDK code that call AWS APIs, use environment variables (e.g., USER_POOL_ID, CLIENT_ID, USERS_TABLE) and recommend using AWS credentials/Secrets Manager for admin actions — which is expected for a Cognito skill, but the guidance implicitly assumes the user will supply AWS creds when they deploy/run generated code.

Install Mechanism

No install spec and no code files that would be executed by the platform; this is instruction-only, so nothing is downloaded or installed by the skill itself.

Credentials

The skill declares no required environment variables (none requested), which is reasonable for an instruction-only skill. However, the included examples reference many env vars and AWS credentials for admin/API operations; be aware you will need to provide appropriate AWS credentials and secrets when you run generated code. The skill itself does not attempt to read or demand those secrets at install time.

Persistence & Privilege

always:false, no installers, and no modification of other skills or system-wide settings. Autonomous invocation is enabled (default) but is not combined with other concerning privileges.

How to Use

  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install aws-cognito
  3. After installation, invoke the skill by name or use /aws-cognito
  4. Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

  • Major update: The skill now exclusively focuses on AWS Cognito, covering user pools, identity pools, authentication flows, Lambda triggers, federation, security, and integration patterns.
  • Added comprehensive reference files for setup, infrastructure-as-code templates, auth flows, troubleshooting, triggers, and security best practices.
  • Improved setup and architecture guidance, with clear workflows for new builds, IaC deployment, debugging, and secure production usage.
  • Outlines preference for latest AWS toolchain versions (CDK v2, AWS SDK v3, Amplify v6) and includes patterns for API Gateway, AppSync, S3, Lambda, and machine-to-machine usage.
  • Emphasizes Cognito's updated feature plans (Lite, Essentials, Plus) and highlights critical design and security considerations.

Metadata

Slug: aws-cognito
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1

Frequently Asked Questions

What is AWS Cognito Auth?

Use this skill for ANY task involving AWS Cognito — user pools, identity pools, authentication flows, token handling, social/enterprise federation, MFA, Lamb... It is an AI Agent Skill for Claude Code / OpenClaw, with 105 downloads so far.

How do I install AWS Cognito Auth?

Run "/install aws-cognito" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AWS Cognito Auth free?

Yes, AWS Cognito Auth is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does AWS Cognito Auth support?

AWS Cognito Auth is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created AWS Cognito Auth?

It is built and maintained by EncryptShawn (@encryptshawn); the current version is v1.0.0.
