
Enrich authorization with AWS Cognito user data

Automatically pull user profiles, group memberships, and custom attributes from AWS Cognito into your Cerbos policy evaluations, with no application code changes required.

AWS Cognito context

Automatically enrich authorization requests with user profiles and group memberships from AWS Cognito

Cached responses

Configurable TTLs cache enrichment results to balance data freshness against evaluation latency

Zero application code

Identity enrichment happens at the policy layer; your application code stays clean

How Cerbos works with AWS Cognito

Authorization decisions are only as good as the data behind them. AWS Cognito provides real-time context (user profiles, group memberships, or external attributes) that makes Cerbos policies richer and more accurate.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. With AWS Cognito as a context source, those policies can evaluate attributes beyond what's in the initial request.

Because enrichment happens at the policy layer, your application code stays clean: there is no custom plumbing to fetch and merge identity data before making authorization calls.

Richer authorization decisions with AWS Cognito

When your users authenticate through AWS Cognito, their JWTs carry a limited set of claims. But Cognito stores much more: group memberships, custom attributes, account metadata, and MFA status. Cerbos identity enrichment makes all of this data available in your authorization policies without requiring your application to fetch and forward it.

How it works

  1. Your application sends an authorization request to Cerbos with the user's Cognito subject identifier.
  2. Cerbos fetches the user's Cognito profile, groups, custom attributes, account status, and any other configured fields.
  3. Enriched data is available in your policies as principal attributes, enabling rules like "users in the admin Cognito group can approve expenses over $10,000."
  4. Results are cached to keep authorization latency low while ensuring data freshness.
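As an added example, not part of this page or the Cerbos project's own code, the rule from step 3 written as a Cerbos resource policy. The enriched principal attribute names (`P.attr.cognito_groups`, `P.attr.email_verified`), the resource attribute `R.attr.amount`, and the role name `user` are assumptions; check them against what your enrichment configuration actually exposes.

```yaml
# Added example: a Cerbos resource policy for an "expense" resource that relies
# on principal attributes populated by Cognito enrichment. Attribute names are
# assumptions:
#   P.attr.cognito_groups  - list of Cognito group names for the principal
#   P.attr.email_verified  - Cognito email_verified flag as a boolean
#   R.attr.amount          - expense amount in dollars, sent by the application
# The role "user" is the role your application already sends on the request.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "expense"
  rules:
    # Any principal whose Cognito e-mail is verified may view expenses.
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: P.attr.email_verified == true

    # Approvals of $10,000 or less are open to any verified user.
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          all:
            of:
              - expr: P.attr.email_verified == true
              - expr: R.attr.amount <= 10000

    # Approvals over $10,000 require membership in the Cognito "admin" group.
    # Cerbos denies when no rule allows, so a principal whose enriched group
    # list lacks "admin" (or whose enrichment returned no groups at all) is
    # refused rather than silently permitted.
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          all:
            of:
              - expr: R.attr.amount > 10000
              - expr: '"admin" in P.attr.cognito_groups'
```

Because the decision hinges on enriched data, treat the cache TTL from step 4 as a security parameter: it bounds how long a user removed from the "admin" group can still pass the third rule.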

Beyond token claims

JWT tokens have practical size limits and typically carry only a subset of user data. With Cognito enrichment, your policies can reference the full user profile, group hierarchies, custom attributes set by your onboarding flow, verification status, and more, without inflating your tokens.

Get started

Cognito identity enrichment is available as part of Cerbos enterprise. Talk to us to learn more about enriching your authorization decisions with AWS Cognito data.

FAQ

How does Cognito enrichment work?

When Cerbos evaluates an authorization request, it can automatically fetch the user's profile from Cognito, including group memberships, custom attributes, and account status. This data is available in your policies as principal attributes, so you can write rules based on Cognito groups, custom fields, or any other user property.

Does this add latency to authorization checks?

Cerbos caches identity data to minimize the impact on decision latency. Cached data is refreshed based on configurable TTLs, balancing freshness against performance.

Do I need to modify my application to send Cognito data?

No. Your application sends a standard authorization request with the user's identifier. Cerbos handles the Cognito lookup and enrichment transparently; your application code stays unchanged.

Cerbos + AWS Cognito

  • Authorization decisions enriched with real-time AWS Cognito data
  • Context enrichment configured at the policy layer, not in application code
  • Identity attributes and business context combined in policies
  • Centrally managed authorization logic across the stack

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.