I notice that the Cognito tokens can be used to consume other AWS services after the user logs out. Moreover, even when I revoke the token by calling the AdminUserGlobalSignOut API, I still see the response as if the token were valid.
Actually, users can sign out from all devices where they are currently signed in when you revoke all of the user's tokens by using the GlobalSignOut and AdminUserGlobalSignOut APIs. After the user has been signed out:
- The user’s refresh token cannot be used to get new tokens for the user.
- The user’s access token cannot be used against the user pools service.
- The user must reauthenticate to get new tokens.
Also, when you invoke the logout endpoint to sign the user out, it clears the user's existing session and redirects to the sign-out URL that you registered for your client app.
Please note that after the user has been signed out, the refresh token cannot be used to get new tokens for the user and the access token cannot be used against the user pools service. However, the current access and ID tokens remain valid until their expiry. Access and ID tokens expire one hour after they are issued. So when you observe that the access and ID tokens remain valid after the user logs out, this is expected behaviour.
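The distinction the answer draws (the user pool rejects the token after GlobalSignOut, while anything that verifies the JWT on its own keeps accepting it until exp) is easiest to see in code. The script below is an added example written for this page; it is not code from the original question or answer and not AWS's implementation. To run offline it signs with HS256 and a constructed secret instead of Cognito's RS256 and JWKS, uses a placeholder issuer and client id, and models the user pool's revocation bookkeeping with a small FakeUserPool class whose behaviour is an assumption about the service, not a description of its internals.

```python
"""Added example: a signature-and-expiry-only verifier cannot see a Cognito
GlobalSignOut, because the access token is a self-contained JWT. Only a call
back to the user pool (modelled here by FakeUserPool.get_user) learns of the
revocation. HS256 and a fixed secret stand in for Cognito's RS256/JWKS so the
script runs offline; issuer and client id are constructed placeholders."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # stands in for the user pool's RSA signing key
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # placeholder


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(sub: str, client_id: str, now: int, ttl: int = 3600) -> str:
    """Build a JWT shaped like a Cognito access token (one-hour lifetime by default)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "token_use": "access", "client_id": client_id,
               "iss": ISSUER, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_locally(token: str, now: int, client_id: str):
    """What an API Gateway authorizer or hand-written middleware typically does:
    check signature, issuer, token_use, client_id and exp. It never asks the
    user pool, so a revoked-but-unexpired token is accepted. Returns claims or None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("iss") != ISSUER or claims.get("token_use") != "access":
        return None
    if claims.get("client_id") != client_id or claims.get("exp", 0) <= now:
        return None
    return claims


class FakeUserPool:
    """Assumed model of the user pool: GlobalSignOut records a time per user,
    and GetUser rejects access tokens issued at or before that time."""

    def __init__(self):
        self.sign_out_time = {}

    def admin_user_global_sign_out(self, sub: str, now: int) -> None:
        self.sign_out_time[sub] = now

    def get_user(self, token: str, now: int, client_id: str):
        """Models GetUser with an access token: local checks plus the revocation check."""
        claims = verify_locally(token, now, client_id)
        if claims is None:
            return None
        signed_out_at = self.sign_out_time.get(claims["sub"])
        if signed_out_at is not None and claims["iat"] <= signed_out_at:
            return None  # the real service raises NotAuthorizedException here
        return claims


def demo() -> dict:
    """Replays the scenario from the question with a constructed clock."""
    pool = FakeUserPool()
    t0 = 1_700_000_000
    tok = mint_access_token("user-1", "client-abc", now=t0)
    local_before = verify_locally(tok, t0 + 5, "client-abc") is not None
    pool.admin_user_global_sign_out("user-1", now=t0 + 10)
    local_after = verify_locally(tok, t0 + 20, "client-abc") is not None
    pool_after = pool.get_user(tok, t0 + 20, "client-abc") is not None
    local_expired = verify_locally(tok, t0 + 3600, "client-abc") is not None
    return {"local_before": local_before, "local_after_signout": local_after,
            "pool_after_signout": pool_after, "local_after_expiry": local_expired}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The practical consequence: if a sign-out must take effect immediately on your own APIs, the authorizer has to do what get_user does here (call the user pool with the access token, or keep its own revocation list), or you shorten the access token lifetime so the window between GlobalSignOut and exp is acceptable.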