Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
AWS identity service that handles user sign up, sign in, multi factor authentication, password recovery and federation with social or enterprise identity providers for web and mobile apps.
Amazon Cognito is the identity service of AWS. It provides user pools to sign up and authenticate end users with email, phone, social logins (Google, Facebook, Apple, SAML, OIDC), multi factor authentication and password recovery, and identity pools that grant temporary AWS credentials to authenticated users so an app can call AWS APIs on their behalf.
Cognito processes account attributes (email, phone, custom claims), passwords, MFA secrets, OAuth and OIDC tokens, IP addresses, device fingerprints (when advanced security is enabled) and login activity. The hosted UI sets first party cookies on the auth domain (XSRF token, session cookie) and the client app typically stores ID, access and refresh tokens in cookies or browser storage.
Cookies and tokens used to keep a user signed in are strictly necessary under Article 5(3) of the ePrivacy Directive and do not require prior consent. AWS acts as a processor under the AWS Data Processing Addendum, which includes Standard Contractual Clauses and references the EU US Data Privacy Framework. Advanced security features (adaptive authentication, compromised credentials check) involve risk based profiling that should be disclosed in the privacy notice.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
You do not need consent to authenticate a user with Cognito. You do need consent when the login flow loads third party social federation widgets that set tracking cookies (Google, Facebook, Apple), and you must inform users that signing in via a social provider shares some identifiers with that provider.
Cognito user pools and identity pools store data in the AWS region you choose. To minimise transfers, deploy in eu west 1 (Ireland), eu central 1 (Frankfurt), eu west 3 (Paris), eu south 1 (Milan), eu north 1 (Stockholm) or eu west 2 (London). Administrative metadata, support tickets and operational telemetry can still be processed by AWS staff in the United States under SCCs and the EU US Data Privacy Framework.
Sign the AWS DPA, select an EU AWS region, enforce strong password policy and MFA, set token validity to a reasonable lifetime, restrict admin actions through IAM roles, log CloudTrail and Cognito events for accountability, document data subject rights workflows (export, deletion via AdminDeleteUser API), and run a DPIA when advanced security features or large scale identity processing are activated.
Websites using Amazon Cognito must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Cognito is used for large scale authentication, when it processes sensitive categories (health, public sector identity), when it federates with multiple third party identity providers, or when advanced security features perform risk based profiling of user devices and IP addresses.
Sample consent text
We use Amazon Cognito (Amazon Web Services) to manage user accounts, sign in and authentication. Authentication cookies and tokens are strictly necessary to keep you signed in. If you choose to log in with a third party provider (Google, Facebook, Apple), those providers may receive your identifiers under their own terms.
Third-party domains contacted
auth.<region>.amazoncognito.comcognito-idp.<region>.amazonaws.comcognito-identity.<region>.amazonaws.comamazoncognito.comamazonaws.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| XSRF-TOKEN | http | Session | CSRF protection for the Cognito Hosted UI login forms. |
| cognito-fl | http | Session | Flag cookie used by the Hosted UI to track multi step login flows. |
| csrf-state | http | 10 minutes | Stores the state parameter used during OAuth and federation flows to prevent replay attacks. |
| CognitoIdentityServiceProvider.<clientId>.<sub>.idToken | http | 1 hour (configurable) | Stores the OpenID Connect ID token issued to the authenticated user. |
| CognitoIdentityServiceProvider.<clientId>.<sub>.accessToken | http | 1 hour (configurable) | Stores the OAuth 2.0 access token used to call protected APIs. |
| CognitoIdentityServiceProvider.<clientId>.<sub>.refreshToken | http | 30 days (configurable, up to 10 years) | Allows the client to obtain new access and ID tokens without re authentication. |
| CognitoIdentityServiceProvider.<clientId>.LastAuthUser | http | Persistent | Stores the username of the last user signed in on this device. |
Amazon Cognito is an essential service, but transparency matters. Manage all your consent with FlowConsent.
The Hosted UI sets XSRF-TOKEN, csrf-state and a flow cookie on its own auth.<region>.amazoncognito.com domain. Once authenticated the client app stores ID, access and refresh tokens, typically as CognitoIdentityServiceProvider.* cookies or browser storage entries.
No for authentication itself: session cookies and tokens are strictly necessary. Yes for any social login button that loads Google, Facebook or Apple SDKs that set their own tracking cookies, and yes if advanced security features build a behavioural profile beyond what is required for security.
Article 6(1)(b) GDPR (contract performance) covers account creation, login and password management. Article 6(1)(f) (legitimate interest) covers fraud prevention, abuse mitigation and security audit logs. Consent (Article 6(1)(a)) is needed for optional federation that exposes data to third parties.
Customer data stays in the AWS region you select. Administrative metadata, support requests, and operational telemetry can be processed in the United States by AWS staff, under Standard Contractual Clauses and the EU US Data Privacy Framework as described in the AWS DPA.
A DPIA is recommended (and may be mandatory under Article 35 GDPR) for large scale identity processing, public sector identity, sensitive sectors (health, finance), or when adaptive authentication and risk based profiling are enabled.
Pick an EU AWS region, sign the AWS DPA, enforce MFA, restrict token lifetimes, manage admin access via IAM roles, log via CloudTrail, expose data subject rights flows (export and AdminDeleteUser), and limit the user attributes collected to what is strictly required.
Other identity providers include Auth0, Okta Customer Identity, Microsoft Entra External ID, Keycloak (self hosted), FusionAuth, Ory Hydra/Kratos, Clerk, WorkOS and Supabase Auth. Each has its own residency, pricing and integration model that must be evaluated separately.
Run a cookie scan focused on the auth and callback pages, list the strictly necessary Cognito cookies (XSRF-TOKEN, csrf-state, token storage), note that they are first party on your auth domain, and document any third party social login cookies that are loaded on user action.