3

I am working on an application in which I am using AWS Cognito to store user data. I am working on understanding how to manage the backup and disaster recovery scenarios for Cognito!

Following are the main queries I have:

  1. I wanted to know what is the availability of this stored user data?
  2. What are the possible scenarios with Cognito which I need to take care of before we go into production?
Rakesh Pacharne

3 Answers

3
  1. AWS does not have any published SLA for AWS Cognito. So, there is no official guarantee for your data stored in Cognito. As to how secure your data is, AWS Cognito uses other AWS services (for example, DynamoDB, I think). Data in these services is replicated across Availability Zones.

  2. I guess you are asking for Disaster Recovery scenarios. There is not much you can do on your end. If you use Userpools, there is no feature to export user data, as of now. Although you can do so by writing a custom script, a built-in backup feature would be much more efficient & reliable. If you use Federated Identities, there is no way to export & re-use Identities. If you use Datasets provided by Cognito Sync, you can use Cognito Streams to capture dataset changes. Not exactly a stellar way to back up your data.

In short, there is no official word on availability, no official backup or DR feature. I have heard that there are feature requests for the same but who knows when they would be released. And there is not much you can do by writing custom code or following any best practices. The only thing I can think of is to periodically back up your Userpool's user data by writing a custom script using the AdminGetUser API. But again, there are rate limits on how many times you can call this API. So, backup using this method can take a long time.

agent420
  • There are some third-party solutions like https://github.com/rahulpsd18/cognito-backup-restore. However, with these kinds of solutions you have to secure the file they generate, as it contains your customer data. – Upul Doluweera Sep 29 '19 at 23:40
1

AWS now offers an SLA for Cognito. In the event they are unable to meet their availability target (99.9% at the time of writing), you will receive service credits.

Mr. S
0

Even though there are a couple of third-party solutions available, when restoring a user pool, users will be created using the admin flow (users are not restored; rather, they will be created by an admin) and they will end up with "Force Change Password" status. So the users will be forced to change the password using the temporary password, and that has to be facilitated from the front end of the application.

More info: https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/signing-up-users-in-your-app.html

Tools available.

  1. https://www.npmjs.com/package/cognito-backup
  2. https://github.com/mifi/cognito-backup
  3. https://github.com/rahulpsd18/cognito-backup-restore
  4. https://github.com/serverless-projects/cognito-tool

Please bear in mind that some of these tools are outdated and cannot be used. I have tested "cognito-backup-restore" and it is working as expected.

Also, you have to think of how to secure the user information outputted by these tools. Usually they create a JSON file containing all the user information (except the passwords, as passwords cannot be backed up) and this file is not encrypted.

The best solution so far is to prevent accidental deletion of user pools with AWS SCPs.

Upul Doluweera
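
The SCP approach recommended in the last answer, as an added example that is not part of the original answers: a constructed service control policy that denies `cognito-idp:DeleteUserPool`, plus a small audit check that confirms a policy document really covers that action and reports any exceptions. The `BreakGlassAdmin` role name, the policy document and the function names are assumptions made for illustration.

```python
import fnmatch
import json

# Constructed SCP: denies deleting Cognito user pools for every principal
# except a hypothetical break-glass role (the role name is an assumption).
SCP_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyCognitoUserPoolDeletion",
    "Effect": "Deny",
    "Action": "cognito-idp:DeleteUserPool",
    "Resource": "*",
    "Condition": {"ArnNotLike": {
      "aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlassAdmin"}}
  }]
}
"""
TARGET_ACTION = "cognito-idp:DeleteUserPool"


def _as_list(value):  # IAM policy fields may be a single value or a list
    return value if isinstance(value, list) else [value]


def deny_statements_for(policy, action=TARGET_ACTION):
    """Deny statements whose Action covers `action` (NotAction/Resource not evaluated)."""
    matches = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "Action" not in stmt:
            continue
        # IAM action names are case-insensitive and may use * and ? wildcards.
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            matches.append(stmt)
    return matches


def audit(policy, action=TARGET_ACTION):
    """Report whether deletion is denied and which conditions carve out exceptions."""
    denies = deny_statements_for(policy, action)
    return {
        "blocked": bool(denies),
        "unconditional": any("Condition" not in s for s in denies),
        "exceptions": [s["Condition"] for s in denies if "Condition" in s],
    }


if __name__ == "__main__":
    print(json.dumps(audit(json.loads(SCP_JSON)), indent=2))
```

An SCP only takes effect once it is attached to the organization root, an OU or an account, and it does not restrict the organization's management account.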