
Enrich authorization with AWS Cognito user data
Automatically pull user profiles, group memberships, and custom attributes from AWS Cognito into your Cerbos policy evaluations, no application code changes required.
AWS Cognito context
Automatically enrich authorization requests with user profiles and group memberships from AWS Cognito
Cached responses
Configurable TTLs cache enrichment results to balance data freshness against evaluation latency
Zero application code
Identity enrichment happens at the policy layer, your application code stays clean
How Cerbos works with AWS Cognito
Authorization decisions are only as good as the data behind them. AWS Cognito provides real-time context (user profiles, group memberships, or external attributes) that makes Cerbos policies richer and more accurate.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. With AWS Cognito as a context source, those policies can evaluate attributes beyond what's in the initial request.
Because enrichment happens at the policy layer, your application code stays clean: there is no custom plumbing to fetch and merge identity data before making authorization calls.
Richer authorization decisions with AWS Cognito
When your users authenticate through AWS Cognito, their JWT tokens carry a limited set of claims. But Cognito stores much more: group memberships, custom attributes, account metadata, and MFA status. Cerbos identity enrichment makes all of this data available in your authorization policies without requiring your application to fetch and forward it.
How it works
- Your application sends an authorization request with the user's Cognito subject identifier.
- Cerbos Synapse fetches the user's Cognito profile via a proxy extension — groups, custom attributes, account status, and any other configured fields.
- Enriched data is available in your policies as principal attributes, enabling rules like "users in the admin Cognito group can approve expenses over $10,000."
- Results are cached to keep authorization latency low while ensuring data freshness.
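A Cerbos resource policy expressing the rule described above, added here as an illustration and not taken from the Cerbos or Synapse documentation. It assumes the enrichment step exposes the user's Cognito group names as a list under a principal attribute named `groups`, and that the expense amount is a resource attribute named `amount`; both names are assumptions.

```yaml
# Added example: an expense resource policy that consumes Cognito-enriched
# principal attributes. The attribute names "groups" and "amount" are
# assumptions, not names fixed by Cerbos or Synapse.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "expense"
  rules:
    # Any authenticated user may approve expenses up to $10,000.
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: request.resource.attr.amount <= 10000

    # Expenses over $10,000 additionally require membership in the Cognito
    # "admin" group, which enrichment places in the principal's attributes.
    # The has() guard keeps the rule from matching (and from raising an
    # evaluation error) when enrichment did not supply a groups list at all,
    # so a missing or failed lookup fails closed.
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          all:
            of:
              - expr: request.resource.attr.amount > 10000
              - expr: >-
                  has(request.principal.attr.groups) &&
                  "admin" in request.principal.attr.groups
```

Because no rule grants approval of a large expense to a principal outside the admin group, the default deny applies to that case; policies should always be written so the enriched attribute being absent produces a deny rather than an allow.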
Beyond token claims
JWT tokens have practical size limits and typically carry only a subset of user data. With Cognito enrichment, your policies can reference the full user profile, group hierarchies, custom attributes set by your onboarding flow, verification status, and more, without inflating your tokens.
Get started
Cognito identity enrichment is available as part of Cerbos Synapse. Talk to us to learn more about enriching your authorization decisions with AWS Cognito data.
FAQ
How does Cognito enrichment work?
When Cerbos evaluates an authorization request, it can automatically fetch the user's profile from Cognito, including group memberships, custom attributes, and account status. This data is available in your policies as principal attributes, so you can write rules based on Cognito groups, custom fields, or any other user property.
Does this add latency to authorization checks?
Cerbos caches identity data to minimize the impact on decision latency. Cached data is refreshed based on configurable TTLs, balancing freshness against performance.
Do I need to modify my application to send Cognito data?
No. Your application sends a standard authorization request with the user's identifier. Cerbos handles the Cognito lookup and enrichment transparently, so your application code stays unchanged.
Cerbos + AWS Cognito
- Authorization decisions enriched with real-time AWS Cognito data
- Context enrichment configured at the policy layer, not in application code
- Identity attributes and business context combined in policies
- Centrally managed authorization logic across the stack