Setup AWS Cognito on the Fly for Open search Authentication

Govind Kumar
5 min readMay 30, 2022

AWS Cognito — what is it?

AWS Cognito is Amazon’s authentication management and data synchronization service. It is simple and safe to use. With this service, you can set up with ease authentication credentials within your mobile and web applications, which include Google, Amazon, and Facebook. AWS supports unauthenticated guests as well. What’s more? It lets you save any kind of data, including app data, in the AWS cloud. In addition, app data is saved on local devices and synchronized across platforms and devices. Amazon recognizes that today, analytics is not just a buzzword but a discipline that drives modern businesses, big or small. For this reason, AWS Cognito integrates with AWS Pinpoint to give you analytics on user behavior.

Advantages of AWS Cognito

To rehash, you can effortlessly add authentication information to your mobile and web apps using AWS Cognito. It’s safe because it supports multi-factor authentication (MFA) and enforces password policies. It’s simple because most of its features can be used without any programming or infrastructure setup effort. Furthermore, this service comes with Amazon’s legendary reputation for scalability. Although it allows guest logins, you have fine-grained control over the level of access they enjoy.

Combining these features with the replication and synchronization features in AWS Cognito, you save a lot of time in handling user management, authentication, and syncing across devices. These features also mean you enjoy the same experience on your mobile, desktop, or social media. Besides, you have much more time to focus on app development, because you’re not bogged down by having to configure and manage routine admin tasks. With AWS Cognito, your apps will work offline as well, because it also stores app data locally on users’ devices.

Having briefly introduced you to the basics and benefits of AWS Cognito, we’ll now show you how easy it is to setup AWS Cognito.

Step1: Set up Amazon Cognito

In order to create an Amazon Cognito user pool,

1) Open the AWS Management Console and sign in.

2) Type Cognito in the search box, and choose “Cognito” in the drop-down list.

3) On the main splash page, choose to “Manage your User Pools”. Then choose to “create a user pool.”

4) Give the user pool a name.

5) You can step through the settings or choose the defaults. For now, choose “Review defaults”.

6) Scroll down, and choose “Create pool”.

Step2: Creating a domain name in Cognito

Before you can integrate with Amazon ES, you need to create an Amazon Cognito domain name. This name can be the same or different from your Amazon ES domain name. It provides Amazon Cognito with DNS to support the authentication UI. In order to do so,

1) Choose your user pool to view the details

2) Choose Domain name in the navigation pane.

3) Type a name in the text box and click on choose “Save changes”.

Step3: Create an Identity pool

Next, you create an identity pool,

1) At the top of the console, choose Federated Identities.

2) If you haven’t created any identity pools yet, you’ll drop into a wizard for creating a new identity pool. Give your identity pool a name.

3) Then select the “Enable access to unauthenticated identities” checkbox.

4) Choose “Create Pool”. You are redirected to the AWS Identity and Access Management (IAM) console to create roles for unauthenticated and authenticated users.

Please note that if you choose View Details, you see that two role policies were created for you: Cognito_<identity pool name>Auth_Role and Cognito_<identity pool name>UnAuth_Role. By default, when you sign in to Kibana, you assume the Auth_Role. Unauthenticated users assume the UnAuth_role.

5) Choose “Allow”.

Step4: Create an Amazon ES domain

For more details on creating an AWS Elasticserach domain, please refer to the below-mentioned documentation:[1]

While creating the domain, in Kibana authentication, please click on the “enable amazon Cognito authentication” and fill in the below-mentioned details:

1) Select the checkbox to Enable Amazon Cognito for authentication. This reveals settings for Amazon Cognito.

2) For Cognito User Pool, choose the name of the Cognito user pool created.

3) For Cognito Identity Pool, choose the name of the Cognito identity pool.

4) Leave the default settings for IAM Role Name and Role Policy.

Step5: Set an access policy for the domain

Further, to set an access policy for the domain,

1) Choose Allow or deny access to one or more AWS accounts or IAM users.

2) Copy your AWS account ID and paste it into the Account ID or ARN box.

3) Choose “OK”, and then choose “Next” on the main page. You will set up access to the domain in Amazon Cognito, but you need to set a policy on the Amazon ES domain to create it. Review the configuration, and choose Confirm.

Step6: Create a user and a group

Now you need to add a user group and a user and modify the IAM policy to sign in to Kibana. In order to do so,

1) Navigate to the Amazon Cognito console, and choose to “Manage your User Pools”.

2) Choose the user pool which was created.

3) In the navigation pane, choose “Users and groups”. Then choose to “Create a user”.

4) In the resulting dialogue box, type a Username, Temporary password, and Email. Clear the “Mark phone number as verified?” checkbox.

5) Choose to “Create a user”. You return to the Users and groups page, where you should see your new user.

6) Choose the “Groups tab”, and then choose “Create group”.

7) In the resulting dialogue box, type a Name and a Description. Leave the IAM role blank, and “set the Precedence to 0”. Then choose “Create group”.

Step7: To modify the elastic search domain policy

Once the Elasticserach domain is created, you need to change the domain’s policy to provide access for the Auth_Role. In order to do so, navigate to the Amazon ES console, choose your domain, and choose to “Modify access policy”. Change the Principal to the ARN for the assumed Auth role similar to the below mentioned one:


“Principal”: {

“AWS”: “arn:aws:sts::<your account id>:assumed-role/Cognito_<your identity pool name>Auth_Role/CognitoIdentityCredentials”



Then choose Submit. Wait for the Domain Status to become Active. Choose the Kibana URL to open it. You would see a sign-in dialogue box and using that Sign in assure created to access the Kibana.



Govind Kumar

Technology Evangelist | Practice Lead Cloud Migration @Axcess IO | Cloud Arch. | RHC(SA/E) | AWS (DevOps/Sol. Arch) — Pro. | CCNA | AWS Networking Speciality.