Just Learn Code

Building a Secure Authentication System with Amplify Auth and AWS CDK

Building A Secure Authentication System with AWS CDK and Amplify Auth

Authentication is an essential component of every web application, and, as such, it is critical that you provide a secure and reliable authentication system for your application users. AWS provides several services that can be used to create a secure authentication system, and in this article, we will guide you through implementing Amplify Auth with React using AWS CDK.

Infrastructure Provisioning with AWS CDK

AWS Cloud Development Kit (CDK) is an infrastructure-as-code (IAC) tool that allows developers to define AWS infrastructure using familiar programming languages such as TypeScript, JavaScript, Python, C#, and Java. The tool makes it easier for developers to define and provision AWS infrastructure because the code is reusable and automatically generates CloudFormation templates.

To get started with AWS CDK, you need to install Node.js and the AWS CLI. After installation, create a new project folder and initialize the CDK project using the following commands:


mkdir my-project

cd my-project

cdk init –language=typescript


After initialization, you can add the necessary AWS services to your application using the AWS CDK constructs provided by AWS. The infrastructure you create can then be tested locally using the AWS CDK CLI.

Complete Amplify Authentication Flow

Amplify Auth is a managed service provided by AWS that simplifies the process of adding authentication to your application. The service provides a complete authentication flow which includes registration, user sign-in, and password reset functionality.

To use Amplify Auth, you need to install the Amplify CLI, which provides a command-line interface for creating and managing AWS resources. After installation, create a new Amplify project and add the Amplify Auth service by running the following commands:


amplify init

amplify add auth

amplify push


The above commands will create an authentication system for your application, complete with a user sign-up and sign-in pages. You can customize the authentication flow by modifying the configuration files generated by Amplify.

User Profile Fields in Cognito

Amazon Cognito is a managed service provided by AWS that simplifies the process of handling user authentication and authorization. Cognito allows you to create and manage user pools for your application, providing the necessary authentication and authorization functionality for your application.

Cognito allows you to customize user profile fields to store additional user data beyond the default attributes such as name, email, and phone number. You can add custom attributes to user profiles using the AWS Management Console, the AWS CLI, or the Cognito API.

To add a custom attribute to a Cognito user profile using the AWS CLI, run the following command:


aws cognito-idp add-custom-attributes


–cli-input-json file://custom-attributes.json


Custom Cognito Emails with Lambda Trigger

You can customize the design and content of Cognito emails by leveraging AWS Lambda. By using a Lambda trigger, you can customize the email that is sent to a user when they sign up or reset their password.

To add a Lambda trigger for email customization, you need to write a Lambda function that implements one of the Lambda trigger interfaces provided by Cognito. After writing the Lambda function, you can configure Cognito to invoke the function when a particular trigger event occurs.

Join User to a Cognito Group on Account Confirmation

Cognito groups allow you to manage and secure your application users’ access to AWS resources. Groups can be used to grant access to different parts of your application, depending on the user’s role.

To add a user to a Cognito group automatically on account confirmation, you need to add a Lambda trigger function that executes when a user’s account is confirmed. The Lambda function can then add the user to a predefined group.

Avatar Uploads to S3 using Presigned URLs

Amazon S3 is a managed service provided by AWS that makes it easy to store and retrieve any amount of data. S3 can be used to store user avatars and profile pictures, and using presigned URLs, you can allow users to upload their avatars directly to S3.

Presigned URLs are URLs that are signed with AWS access keys, allowing users to upload data directly to your S3 bucket without requiring server-side code. Presigned URLs have a fixed expiration time, and can only be used for a specific AWS resource.

To generate presigned URLs for your users, you need to create a Lambda function that generates the URL and returns it to the client-side code. The URL can then be used by the user to upload their avatar directly to S3.


In conclusion, implementing Amplify Auth with React using AWS CDK is a straightforward process that can be accomplished by following the step-by-step guide provided above. By using AWS services such as Cognito and S3, you can create a secure and reliable authentication system for your application, and customize it to meet your specific needs.

With the flexibility and power of AWS CDK, you can easily provision and manage your AWS infrastructure, making it easy to scale and secure your application. Backend Code: Building a Secure and Scalable Authentication System with AWS CDK and Amplify Auth

In the previous section, we provided an overview of how to set up an Amplify Auth project with AWS CDK.

In this section, we’ll dive deeper into the backend code to show you how to implement the different services needed to build a scalable and secure authentication system on AWS.

Initializing the CDK Stack

To set up an Amplify Auth project with AWS CDK, you’ll need to initialize the CDK stack using the @aws-cdk/aws-cognito and @aws-cdk/aws-lambda-nodejs packages. These packages provide the necessary constructs to create a user pool, group, and Lambda function.

The following code shows how to initialize the CDK stack in TypeScript:


import * as cdk from ‘@aws-cdk/core’;

import * as cognito from ‘@aws-cdk/aws-cognito’;

import * as lambda from ‘@aws-cdk/aws-lambda-nodejs’

export class AuthStack extends cdk.Stack {

constructor(scope: cdk.Construct, id: string, props: cdk.StackProps) {

super(scope, id, props);

// Create a user pool

const userPool = new cognito.UserPool(this, ‘UserPool’, {

userPoolName: ‘myUserPool’,

selfSignUpEnabled: true,


// Create a Cognito group

const group = new cognito.Group(this, ‘Group’, {

groupName: ‘myGroup’,

userPool: userPool,

description: ‘My awesome group’,


// Add a Lambda trigger to customize the email sent by Cognito

const emailLambda = new lambda.NodejsFunction(this, ‘EmailHandler’, {

entry: ‘src/lambda/email.ts’



cognito.UserPoolOperation.SIGN_UP, emailLambda





Cognito User Pool

A user pool is a user directory in Amazon Cognito. It is a collection of users who can authenticate with a specific AWS account.

With a user pool, your users can sign-up and sign-in to your application, reset their passwords, and edit their personal information. Creating a user pool with AWS CDK is quite straightforward.

In the code above, we defined a user pool and enabled self-sign up. When a user signs up for your application, they’ll receive a confirmation code in their email that they’ll need to verify before they can sign in.

Customizing Cognito Email

Cognito provides built-in email templates that you can customize to fit your application’s branding. You can customize the content and design of the emails by using Lambda triggers with Cognito.

When a user is created in Cognito, and an email needs to be sent out, your Lambda function will be invoked, allowing you to customize the email before it is sent. In the code above, we created a Lambda function for handling email customization.

The emailLambda function can be written in Node.js or any supported language. In this example, we set up a custom trigger for Cognito’s user pool operation SIGN_UP.

Cognito User Attributes

A user attribute contains a name and a value that describes something about the user. You can use attributes to assign access rights to resources or to gather information about users.

Cognito allows custom user attributes that you can use to store user data beyond the default attributes like name, email address, and phone number. To add a custom attribute to a user profile, you can use the `addCustomAttribute` method of the UserPoolClient:


const userPoolClient = userPool.addClient(‘myUserPoolClient’)



Cognito User Pool Client

A user pool client is a JavaScript or native application that communicates directly with a user pool. You can think of a client as a representation of your frontend application in Cognito.

In the example below, we create a user pool client with the `addClient` method of the UserPool:


const userPoolClient = userPool.addClient(‘myUserPoolClient’);


Once a client is created, it can be used to enable OAuth 2.0 or OpenID Connect authentication workflows using its `clientId`.

Cognito Identity Pool

An identity pool is a way to grant temporary limited access permissions to AWS resources to users coming from a third-party Identity Provider (IDP). With identity pools, you can use web identity federation, which enables users to sign in to your application using their existing Amazon, Google, Facebook, or Apple accounts.

Below is an example code that creates an identity pool with AWS CDK:


const identityPool = new cognito.CfnIdentityPool(this, “IdentityPool”, {

allowUnauthenticatedIdentities: false,



In this example, we’ve set `allowUnauthenticatedIdentities` to false, which means users must sign in to gain access to AWS resources.

API Gateway


API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, and secure APIs. You can use

API Gateway with Cognito to authenticate users who call your RESTful API. Once a user is authenticated,

API Gateway provides the `identityId` attribute that can be used to assert the user’s identity from your Lambda functions.

The following code shows an example of how to configure an

API Gateway with a

Cognito User Pool authorizer:


const authorizer = new apigateway.CognitoUserPoolsAuthorizer(this, ‘Auth’, {

cognitoUserPools: [userPool]


const api = new apigateway.RestApi(this, ‘MyApi’, {

deploy: true,

endpointTypes: [apigateway.EndpointType.REGIONAL]


const resource = api.root.addResource(‘my-resource’);

const method = resource.addMethod(‘GET’, new apigateway.LambdaIntegration(lambdaFn));

method.authorizer = authorizer;


S3 Bucket for User Avatars

Amazon S3 is a popular service for storing static assets like images, videos, and audio files. You can use S3 to store user avatars and profile pictures.

To create an S3 bucket programmatically, use the `Bucket` construct provided by AWS CDK:


const avatarBucket = new s3.Bucket(this, ‘AvatarBucket’, {

removalPolicy: cdk.RemovalPolicy.DESTROY,



In this example, we’ve set `removalPolicy` to `DESTROY` when the stack is deleted, ensuring the bucket is removed as well.

Get Presigned URL Lambda Function

To upload user avatars directly to S3, you can use presigned URLs. With presigned URLs, you don’t need to provide AWS credentials directly to your frontend application, thereby increasing the security of your system. To generate presigned URLs, you need to create a Lambda function that generates the URL and returns it to the client-side code.

Below is an example of how to create a Lambda function for generating presigned URLs in Node.js:


const s3 = new AWS.S3();

exports.handler = async function(event, context) {

const params = {

Bucket: ‘my-bucket’,

Key: ‘my-object-key’,

Expires: 60, // the URL will expire after 60 seconds


try {

const signedUrl = await s3.getSignedUrlPromise(‘putObject’, params);

return {

statusCode: 200,

headers: {

‘Access-Control-Allow-Origin’: ‘*’,


body: signedUrl,


} catch (err) {

return {

statusCode: 500,

headers: {

‘Access-Control-Allow-Origin’: ‘*’,


body: JSON.stringify(err),





This code generates a signed URL with an expiration time of 60 seconds that can be used to upload a file to S3.

Final Words

With this guide, we have shown you how to implement Amplify Auth with AWS CDK, configure Cognito, use a Lambda function for customizing Cognito emails, and generate presigned URLs for user avatar uploads to S3. We have shown you how to define the different services needed to create a secure and scalable authentication system for your web application.

With the knowledge you’ve gained, you can now create an authentication system that is well-suited to your needs. Cleanup: Deleting the CDK Stack

After you have completed the development of your authentication system, you can delete the CDK stack to avoid incurring unnecessary charges.

AWS CDK provides a simple way to delete a stack using the `

cdk destroy` command. Running this command will delete all the AWS resources created for your authentication system, including the user pool, identity pool, and S3 bucket.

To delete your stack, navigate to the project directory in the terminal and run the following command:


cdk destroy


This command will display a confirmation message before proceeding with the deletion. It is recommended to review the resources that will be deleted before proceeding.

Amplify Auth: A Complete Authentication Flow

Amplify Auth is a robust authentication service provided by AWS that provides the complete authentication flow for your application, including user registration, user sign-in, and password management. With Amplify Auth, you can quickly add secure user authentication to your application without needing to build it from scratch.

The Amplify Auth authentication flow starts with user registration. After a user registers, they receive a confirmation email with a code that they need to enter to confirm their account.

Once the user account is confirmed, the user can sign in to the application using their email and password. Amplify Auth provides a range of options for password management, including password resets and multi-factor authentication.

You can customize the authentication flow to fit your application’s specific needs with Amplify’s easy-to-use configuration settings.

Using Repository as a Quick Reference

To make it easier to follow along with the various topics covered in this article, we recommend using the accompanying GitHub repository as a quick reference. The repository contains the source code for setting up an Amplify Auth project with React using AWS CDK.

The repository includes detailed explanations of each step involved in building an authentication system securely using AWS services. The repository also provides examples of frontend code written in React that demonstrate how to use the Amplify API to authenticate users and manage user sessions.

The frontend examples include code for creating a registration page, login page, and settings page where users can update their personal information.


In conclusion, implementing Amplify Auth with React using AWS CDK is a straightforward process that allows you to create a secure and reliable authentication system for your application. AWS services such as Cognito, S3, and

API Gateway provide the necessary infrastructure to store user data and secure AWS resources.

With this guide and the accompanying GitHub repository, you can quickly build an authentication system that is well-suited to your

Popular Posts