AWS Security Blog
Amazon Cognito launches support for in-Region integration with Amazon SES and Amazon SNS
We are pleased to announce that in all AWS Regions that support Amazon Cognito, you can now integrate Amazon Cognito with Amazon Simple Email Service (Amazon SES) and Amazon Simple Notification Service (Amazon SNS) in the same Region. By integrating these services in the same Region, you can more easily achieve lower latency and remove cross-Region dependencies in your architecture. Amazon Cognito lets you add authentication, authorization, and user management to your web and mobile apps. Amazon Cognito scales to millions of users and supports sign-in with social identity providers such as Apple, Facebook, Google, and Amazon, and enterprise identity providers that support SAML 2.0 and OpenID Connect (OIDC).
Amazon Cognito launched a new console experience in 2021 that makes it even easier for you to manage Amazon Cognito user pools and add sign-in and sign-up functionality to your applications. The new console has now been further enhanced so that you can configure the in-Region Amazon SES options, as shown in Figure 1, and the Amazon SNS options, as shown in Figure 2. You can also configure the same options through the Amazon Cognito APIs, so you can update your in-Region Amazon SES and Amazon SNS configuration through the console, API, or CLI. You can use Amazon Cognito in a Region that suits your business requirements and sustainability goals, and extend your Amazon Cognito architecture to additional Regions.

Figure 1: Amazon SES Region drop-down selection with new options

Figure 2: Amazon SNS Region drop-down selection with new options
In-Region integration with Amazon SES and Amazon SNS is currently available in all Regions where Amazon SES, Amazon SNS, and Amazon Cognito are available. For up-to-date information, see the AWS Regional Services List. To learn more, see What is Amazon Cognito?.
Frequently asked questions (FAQs)
What Region will the Amazon Cognito console default to when I configure Amazon SES and Amazon SNS Regions?
When creating new user pools, the Amazon Cognito console auto-populates the Region to in-Region, but you still have to select the identity. Existing user pools with cross-Region Amazon SES or Amazon SNS integration will not be affected.
Can I update an existing user pool to integrate with Amazon SES or Amazon SNS in the same Region?
Yes, you can change your configuration so that Amazon Cognito integrates with either Amazon SES or Amazon SNS, or both, in the same Region.
What Regions can I use with Amazon Cognito for Amazon SNS and Amazon SES?
For the most up-to-date mapping of Regions to use, see the table in SMS message settings for Amazon Cognito user pools.
Why should I change from cross-Region to same-Region Amazon SES or Amazon SNS?
Amazon Cognito is designed to scale to millions of users. Your users expect prompt delivery of their messages for multi-factor authentication and account setup. Using Amazon SES and Amazon SNS in the same Region as your user pool improves performance by reducing the round-trip time of the call that Amazon Cognito makes to Amazon SES or Amazon SNS.
What are the key benefits of using in-Region integration?
Availability: Availability is improved because you no longer have a cross-Region dependency for Amazon SES or Amazon SNS.
Latency: Transit time for API requests is most efficient within a single AWS Region.
Usability: Billing, logging, and setup are more transparent when you consolidate resources in the same Region.
Which version of the Amazon Cognito user pools console does this change apply to?
This change applies to the current version of the new Amazon Cognito user pool console experience. It also applies to the current version of the Amazon Cognito APIs.
Will my current cross-Region integration change?
No. Your AWS resources are your own and will not be changed. If you want to make use of the new in-Region integration, you must update your user pool configuration to integrate with Amazon SES or Amazon SNS in the same AWS Region.
Will I be placed in the SMS sandbox if I change my Amazon SNS Region?
The SMS sandbox status is Region dependent, so whether or not your user pool is in the SMS sandbox depends on the SNS Region you configure in your user pool. When your account is in the SMS sandbox, Amazon Cognito can send SMS text messages only to verified phone numbers and not to all of your users. When you move to a new Region, verified phone numbers will also need to be re-verified. For more information, see SMS message settings for Amazon Cognito user pools.
To find out whether your user pool is configured in an SNS Region that is in the SMS sandbox, you can view the SmsConfigurationFailure field returned by the DescribeUserPool API.
Which API parameters can developers use to make the in-Region changes?
Amazon SES: Verified Amazon SES identities from the new Regions will be allowed through SourceArn parameters in the AWS::Cognito::UserPool EmailConfiguration type, and in the AWS::Cognito::RiskConfiguration NotifyConfiguration type.
Amazon SNS: There is now a new parameter called SnsRegion in the SmsConfiguration type in the following APIs:
- CreateUserPool API
- UpdateUserPool API
- SetUserPoolMfaConfig API
- SetRiskConfiguration API
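The fields named above can be checked together when reviewing a user pool. The following is an added example, not code from the original post or from AWS: it audits a DescribeUserPool-shaped dictionary for cross-Region SES or SNS settings and a populated SmsConfigurationFailure. The sample response, account IDs, role name, and finding codes are constructed for illustration.

```python
# Added example: offline audit of a DescribeUserPool-shaped response.
# SAMPLE_POOL is constructed data; account IDs, names and addresses are placeholders.
SAMPLE_POOL = {
    "Id": "eu-west-1_EXAMPLE",
    "Arn": "arn:aws:cognito-idp:eu-west-1:111122223333:userpool/eu-west-1_EXAMPLE",
    "EmailConfiguration": {
        "EmailSendingAccount": "DEVELOPER",
        "SourceArn": "arn:aws:ses:us-east-1:111122223333:identity/no-reply@example.com",
    },
    "SmsConfiguration": {
        "SnsCallerArn": "arn:aws:iam::111122223333:role/example-cognito-sms",
        "SnsRegion": "eu-west-1",
    },
    "SmsConfigurationFailure": "constructed failure text: SNS Region is in the SMS sandbox",
}


def arn_region(arn):
    """Return the Region field (4th component) of an ARN, or None if malformed."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn" or not parts[3]:
        return None
    return parts[3]


def audit_user_pool(pool):
    """Return a list of (code, detail) findings for SES/SNS Region placement."""
    findings = []
    pool_region = arn_region(pool.get("Arn", "")) or pool.get("Id", "").split("_")[0]

    source_arn = pool.get("EmailConfiguration", {}).get("SourceArn")
    if source_arn:
        ses_region = arn_region(source_arn)
        if ses_region is None:
            findings.append(("SES_ARN_MALFORMED", source_arn))
        elif ses_region != pool_region:
            findings.append(("SES_CROSS_REGION", f"{ses_region} != {pool_region}"))

    sms = pool.get("SmsConfiguration")
    if sms is not None:
        sns_region = sms.get("SnsRegion")
        if sns_region is None:
            findings.append(("SNS_REGION_UNSET", "SnsRegion absent from SmsConfiguration"))
        elif sns_region != pool_region:
            findings.append(("SNS_CROSS_REGION", f"{sns_region} != {pool_region}"))

    if pool.get("SmsConfigurationFailure"):
        findings.append(("SMS_CONFIG_FAILURE", pool["SmsConfigurationFailure"]))
    return findings
```

Against a live account, pass the UserPool element returned by boto3's cognito-idp describe_user_pool call instead of SAMPLE_POOL.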
Will my automation scripts break due to this change?
This change to support in-Region integration will not break your automation scripts. If future updates include changing the default Region value to in-Region, we plan to inform all Amazon Cognito customers about this change with sufficient time to transition to the new default Region value.
Can I revert to my original Region integration if I run into an issue?
Yes, the ability to use Amazon SES or Amazon SNS resources in a different AWS Region is still supported.
Next steps
If your Amazon Cognito user pool is currently configured to make cross-Region calls to Amazon SES or Amazon SNS, you can update your configuration through the console, API, or CLI.
If you have any questions or issues, you can start a new thread on AWS re:Post, contact AWS Support, or your technical account manager (TAM).