To provide login functionality with branded sign-in pages and minimal custom code, the best solution is Amazon Cognito Hosted UI. Cognito User Pools include a managed authentication service that can handle sign-up/sign-in, MFA options, password resets, and OAuth/OpenID Connect flows. The Hosted UI provides ready-to-use authentication pages and endpoints, which removes the need to build and maintain custom authentication pages and backend logic.
AWS allows customization of the Hosted UI to match company branding (for example, logo, colors, and CSS styling). This directly meets the requirement that “all pages must match branding” while minimizing development effort. The application can integrate with Cognito using standard authorization flows and tokens, which works well with Lambda-based architectures (for example, API Gateway authorizers with Cognito user pools).
Option A (S3 static pages) would still require implementing authentication flows, session handling, token management, and secure integration with the backend—significantly more custom code.
Option B requires writing and maintaining custom sign-in page serving logic plus authentication handlers, which increases code and operational overhead.
Option C (Lambda@Edge) is even more complex, introducing edge execution and additional deployment/versioning considerations, and still requires custom auth logic.
Therefore, using Amazon Cognito User Pools with the Hosted UI and branding customization is the lowest-code, most maintainable solution.
