4.3k

All integrations
AWS Cognito
Identity providers

Cerbos authorization for AWS Cognito

AWS Cognito authenticates users and manages user pools with groups, custom attributes, and federated identities. Cerbos uses Cognito's user pool data to make fine-grained authorization decisions that go beyond what Cognito's built-in group-based access control can express.

User pool groups in policies

User pool groups in policies

Map Cognito user pool groups from the cognito:groups claim directly to Cerbos principal attributes for policy evaluation

Custom attributes

Custom attributes

Use Cognito custom attributes like department, tenant ID, and team as context in Cerbos authorization policies

AWS-native identity

AWS-native identity

Works with Cognito user pools, federated identities, and IAM integration to add fine-grained application-level authorization

How Cerbos works with AWS Cognito

AWS Cognito handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.

Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

How Cerbos works with AWS Cognito

  1. Users authenticate via Cognito, Cognito handles user pool sign-in, hosted UI, social login, and SAML/OIDC federation. Users are assigned to user pool groups and have custom attributes set on their profile.
  2. Verify the Cognito token, Your application (Lambda, API Gateway, or backend service) verifies the Cognito-issued JWT and extracts the cognito:groups claim, custom attributes, and user metadata.
  3. Send identity and resource context to Cerbos, Pass the Cognito user sub, groups, and custom attributes as principal attributes alongside the target resource and action to the Cerbos PDP.
  4. Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the Cognito identity data and resource context, returning allow or deny. Your application enforces the result.

FAQ

How does Cerbos use Cognito user pool groups?

Cognito user pool groups are included in the cognito:groups claim in the ID and access tokens. Cerbos receives these groups as principal attributes, enabling policies that go beyond group membership checks. You can combine Cognito groups with resource attributes and request context for fine-grained decisions like "members of the Editors group can only edit articles in their assigned region."

Can I use Cognito custom attributes in Cerbos policies?

Yes. Cognito user pools support custom attributes (prefixed with custom:) like department, team, or tenant ID. These are included in the ID token and can be passed to Cerbos as principal attributes. Your policies can reference these custom attributes alongside Cognito groups for precise authorization rules.

Does this work with Cognito federated identities?

Yes. Whether users authenticate directly against a Cognito user pool or federate through SAML, OIDC, or social providers, the resulting Cognito token contains the same groups and attributes. Cerbos works with the Cognito token regardless of how the user originally authenticated.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Auth0
Auth0Map Auth0 Actions, Organizations, and roles to Cerbos policy inputs
Identity providers
Authentik
AuthentikAuthentik property mappings shape token claims for Cerbos policy inputs
Identity providers
Clerk
ClerkClerk session claims and Organizations drive Cerbos policy evaluation
Identity providers
Curity
Curity Identity ServerCurity token procedure claims as principal attributes in Cerbos
Identity providers
Descope
DescopeDescope JWT claims, tenant data, and role assignments feed into Cerbos policy evaluation
Identity providers
Duende
Duende IdentityServerDuende IdentityServer claims and scopes evaluated by Cerbos in .NET apps
Identity providers

Cerbos + AWS Cognito

  • Cerbos extends AWS Cognito roles with fine-grained, attribute-based permissions
  • Policies defined in human-readable YAML, managed as code
  • Authorization logic decoupled from application code
  • Sub-millisecond policy evaluation via stateless PDP
Book a free policy workshopTry the Playground
Cerbos
/assets/footer/socials/x.svg/assets/footer/socials/github.svg/assets/footer/socials/mail.svg/assets/footer/socials/youtube.svg/assets/footer/socials/linkedin.svg/assets/footer/socials/slack.svg/assets/footer/socials/npm.svg/assets/footer/socials/rss.svg
/assets/footer/compliance/soc-2.svg/assets/footer/compliance/gdpr.svg

What is Cerbos?

Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.

© 2026 Cerbos.dev

Terms of Service

Privacy Policy

Trusted Tester Agreement

Trademark Guidelines