AWS Cognito + Data Provider: Enterprise Data Sharing on AWS

AWS-native enterprises trust Cognito for user management but need more for data sharing. Cognito User Pools handle authentication; Fiskil Data Provider adds FAPI 2.0 security, consent management, and regulatory compliance—all deployable on your existing AWS infrastructure with API Gateway integration.

Cognito Authenticates Users, Not Data Sharing Compliance

AWS-native enterprises need to share data with third parties on their existing infrastructure, but Cognito doesn't handle FAPI compliance, consent management, or regulatory audit requirements.

  • Cognito lacks FAPI 2.0 security profile support including mTLS and signed request objects

  • No built-in consent management for third-party data sharing beyond standard OAuth scopes

  • API Gateway custom authorizers don't enforce consent scopes or purpose limitation

  • CloudWatch logging doesn't meet data sharing audit requirements for regulatory compliance

  • Building FAPI compliance on AWS requires significant custom development across multiple services

Cognito Authentication + Fiskil Data Sharing on AWS

Cognito handles user authentication and user pool management. Fiskil adds FAPI 2.0 data sharing through API Gateway integration. All components deploy on your existing AWS infrastructure, keeping data within your VPC.

Key Capabilities

Cognito Authorizer Integration

A custom Lambda authorizer that validates Cognito tokens and enriches them with Fiskil consent information. API Gateway routes are protected by both Cognito authentication and Fiskil consent verification in a single authorization step.
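The single-step decision described above, sketched as an added example (not Fiskil's code or API). It assumes the token signature has already been verified against the user pool's JWKS; the issuer, route map, consent record layout and reason strings are all hypothetical.

```python
import time

# All names and values below are assumptions for illustration, not Fiskil's API.
ISSUER = "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_EXAMPLE"
ROUTE_SCOPES = {  # scope each route requires (Cognito custom-scope format)
    "GET /accounts": "data-api/accounts.read",
    "GET /transactions": "data-api/transactions.read",
}
CONSENTS = {  # constructed records, keyed by (data subject, partner client id)
    ("user-123", "partner-a"): {"status": "ACTIVE", "expires_at": 2_000_000_000,
                                "scopes": {"data-api/accounts.read"}},
    ("user-456", "partner-a"): {"status": "REVOKED", "expires_at": 2_000_000_000,
                                "scopes": {"data-api/accounts.read"}},
}


def deny_reason(claims, route, now):
    """Return why the request must be denied, or None if it may proceed."""
    required = ROUTE_SCOPES.get(route)
    consent = CONSENTS.get((claims.get("sub"), claims.get("client_id")))
    if claims.get("iss") != ISSUER or claims.get("token_use") != "access":
        return "token_not_accepted"
    if claims.get("exp", 0) <= now:
        return "token_expired"
    if required is None:
        return "unknown_route"  # fail closed on unmapped routes
    if required not in claims.get("scope", "").split():
        return "scope_not_in_token"
    if consent is None or consent["status"] != "ACTIVE":
        return "no_active_consent"
    if consent["expires_at"] <= now:
        return "consent_expired"
    if required not in consent["scopes"]:
        return "scope_not_consented"
    return None


def authorize(claims, route, method_arn, now=None):
    """Build the Lambda authorizer response for claims whose signature is verified."""
    reason = deny_reason(claims, route, time.time() if now is None else now)
    return {
        "principalId": str(claims.get("sub", "unknown")),
        "policyDocument": {"Version": "2012-10-17", "Statement": [{
            "Action": "execute-api:Invoke",
            "Effect": "Deny" if reason else "Allow",
            "Resource": method_arn}]},
        # Passed to the backend; values must be strings, numbers or booleans.
        "context": {"decision": reason or "consent_verified"},
    }
```

A token that carries a scope the data subject never consented to is denied with `scope_not_consented`, which is the gap between plain OAuth scope checks and consent enforcement.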

API Gateway FAPI Proxy

An API Gateway layer that adds FAPI 2.0 security to your data endpoints. Incoming requests pass through mTLS verification, request object validation, and DPoP token binding before reaching your data APIs—all managed by Fiskil.

AWS-Native Deployment

Deploy Fiskil components using CloudFormation or CDK templates. All infrastructure runs within your AWS account and VPC. Consent records are stored in DynamoDB, audit logs in S3, and real-time events flow through EventBridge.

CloudWatch Audit Integration

Fiskil data sharing events stream to CloudWatch alongside your existing application logs. Custom CloudWatch dashboards provide unified visibility across authentication, consent, and data access events.

Implementation Guide

Deploying Fiskil Data Provider alongside Cognito on AWS typically takes 2–3 weeks using the provided CloudFormation templates.

1. Configure Cognito User Pool

Set up your Cognito User Pool with the required app clients, resource servers, and custom scopes. Configure the hosted UI for user-facing consent flows and set up user pool triggers for consent event notifications.

2. Deploy Fiskil on AWS

Use the provided CloudFormation template to deploy Fiskil components within your VPC. This creates the DynamoDB tables for consent storage, S3 buckets for audit logs, Lambda functions for authorization, and the API Gateway FAPI proxy layer.

3. Set Up API Gateway with FAPI Proxy

Configure API Gateway with the Fiskil FAPI proxy. Set up mTLS on the custom domain, configure the Lambda authorizer, and map your data API routes through the FAPI-compliant proxy layer.

4. Enable Partner Registration

Open the partner registration portal. Configure Cognito app client provisioning for partners, set up sandbox API Gateway stages for testing, and define the production promotion workflow.

Key Features

Lambda Authorizer Hooks

Pre-built Lambda authorizers that combine Cognito token validation with Fiskil consent verification. Drop-in replacement for standard Cognito authorizers with zero code changes to your existing APIs.

Cognito User Pool Sync

Automatic synchronization between Cognito user attributes and Fiskil data subjects. When user profiles update in Cognito, consent records and data mappings update accordingly.

API Gateway Rate Limiting

Consent-aware rate limiting at the API Gateway level. Different rate limits apply based on consent tier, partner classification, and data sensitivity—enforced before requests reach your backend.

S3 Audit Log Storage

Tamper-proof audit logs stored in S3 with server-side encryption, versioning, and object lock. Meets regulatory requirements for audit trail immutability and long-term retention.

DynamoDB Consent Store

High-performance consent record storage in DynamoDB with point-in-time recovery. Consent lookups complete in single-digit milliseconds, ensuring no latency impact on data access flows.

CloudFormation Templates

Infrastructure-as-code templates for the complete Fiskil deployment. Deployment is one-click, version-controlled, and repeatable across AWS accounts and regions.

"Partnering with Fiskil on our open data needs has been a game-changer for us in delivering and maintaining our data holder solution."

Fahad Liaqat at Pacific Blue

Executive Manager Operations and New Markets

FAQs

Fiskil deploys within your own AWS account, so it's available in any AWS region where the required services (API Gateway, Lambda, DynamoDB, S3) are available. This covers all major commercial regions. For GovCloud regions, contact us for specific deployment guidance.

The core data sharing capabilities are identical. The difference is in deployment architecture: Cognito integration uses AWS-native services (Lambda authorizers, DynamoDB, S3) while Auth0 integration uses Auth0 Actions and Fiskil's cloud infrastructure. Choose based on your existing identity provider.

Fiskil uses serverless AWS services (Lambda, DynamoDB on-demand, S3) so you pay only for actual usage. For high-volume deployments, switching DynamoDB to provisioned capacity and using S3 lifecycle policies for audit logs can reduce costs by 30–40%.

The Fiskil Lambda authorizer uses provisioned concurrency to eliminate cold starts for the authorization path. Data access latency adds approximately 15–25ms for consent verification on top of your existing API response time.

Both are supported. Fiskil provides CloudFormation templates for standard deployments and CDK constructs for teams using the AWS CDK. The CDK constructs offer more customization options and integrate with your existing CDK stacks.

Use Cognito User Pools. User Pools handle user authentication and token issuance, which is what Fiskil integrates with. Identity Pools (Federated Identities) are for granting temporary AWS credentials and aren't relevant to the data sharing use case.

© Fiskil 2026. All rights reserved.