What is Amazon Cognito?
Amazon Cognito serves as a robust identity platform for web and mobile applications, functioning as a user directory, authentication server, and OAuth 2.0 authorization service for access tokens and AWS credentials.
It enables seamless authentication and authorization from built-in directories, enterprise systems, or consumer providers like Google and Facebook.
Cognito provides two powerful components:
- User Pools
- Identity Pools
Although they sound similar, they solve two completely different problems.
Cognito Identity Pools
Amazon Cognito Identity provides temporary AWS credentials to mobile or web applications. These credentials automatically expire and are restricted using IAM policies, allowing apps to securely access services such as AWS IoT Core, S3, and DynamoDB without exposing long-term secrets.
Identity Pools support:
- Authenticated users
- Unauthenticated (guest) users
In simple words:
Identity Pools answer the question — “What can you do in AWS?”
How to Create an Amazon Cognito Identity Pool (Federated Identity)
I have recorded a detailed step-by-step tutorial explaining how to create an Identity Pool in Amazon Cognito.
You can watch the full walkthrough here:
User Pools
Amazon Cognito User Pool is a managed user directory that handles authentication for your application.
It allows you to:
- Register (Sign Up) users
- Authenticate (Sign In) users
- Manage passwords
- Store user attributes (email, phone, etc.)
After successful authentication, a User Pool issues JWT tokens:
- ID Token (contains user identity information)
- Access Token (used to authorize API access)
- Refresh Token (used to obtain new tokens)
Supported Login Methods
- Username & Password
- Social providers (Google, Facebook, etc.)
- SAML / OIDC identity providers
In simple words:
User Pools answer the question — “Who are you?”
Key Differences
| Feature | User Pools | Identity Pools |
|---|---|---|
| Main Purpose | Authentication | Authorization |
| Output | JWT Tokens | Temporary AWS Credentials |
| Manages Users? | Yes | No |
| Grants AWS Access? | No | Yes |
How They Work Together (Temporary Credentials Flow)
This pattern is very common in mobile and IoT applications.
Step 1: User Logs In
User authenticates via User Pool and receives JWT tokens.
Step 2: Get Identity ID
The app sends the token to the Identity Pool (GetId API) and receives a Cognito Identity ID.
Step 3: Exchange for Temporary Credentials
The app calls GetCredentialsForIdentity to obtain temporary AWS credentials.
Step 4: Access AWS Services
The app uses those credentials to securely access services like:
- Amazon S3
- Amazon DynamoDB
- AWS IoT Core
All without embedding long-term AWS access keys in the application.
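The four steps above as one added Python example (not code from the post or from AWS): the Cognito Identity client is injected, and a constructed fake with boto3's method names stands in for it so the exchange runs offline; the region, pool ids and fake responses are placeholders.

```python
import base64
import json
import time

REGION = "us-east-1"                                              # assumption: example region
USER_POOL_ID = "us-east-1_EXAMPLE"                                # placeholder pool id
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder pool id
PROVIDER = f"cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"  # Logins key for a user pool

def jwt_claims(token):
    """Decode a JWT payload without verifying it; the identity pool verifies the
    signature server-side, this only sanity-checks what the app is about to send."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def logins_map(id_token):
    """Step 2 input: identity pools take the user pool ID token, not the access token."""
    claims = jwt_claims(id_token)
    if claims.get("token_use") != "id":
        raise ValueError("Logins needs the ID token (token_use=id), not the access token")
    if claims.get("iss") != f"https://{PROVIDER}":
        raise ValueError("token was not issued by the expected user pool")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("ID token expired; refresh it with the refresh token first")
    return {PROVIDER: id_token}

def get_temporary_credentials(client, id_token):
    """Steps 2 and 3: GetId then GetCredentialsForIdentity (same kwargs as boto3)."""
    logins = logins_map(id_token)
    identity_id = client.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)["IdentityId"]
    creds = client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]
    return identity_id, creds  # creds["Expiration"]: re-run this exchange before it passes

def sample_id_token(token_use="id", ttl=600):
    """Constructed, unsigned JWT shaped like a user pool token; 'sig' is a dummy segment."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    claims = {"token_use": token_use, "iss": f"https://{PROVIDER}", "exp": time.time() + ttl}
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.sig"

class FakeCognitoIdentity:
    """Fake client with boto3's method names; the real Expiration is a datetime, not a float."""
    def get_id(self, IdentityPoolId, Logins):
        return {"IdentityId": f"{REGION}:identity-example"}

    def get_credentials_for_identity(self, IdentityId, Logins):
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretKey": "k",
                                "SessionToken": "s", "Expiration": time.time() + 3600}}
```

In production, pass `boto3.client("cognito-identity", region_name=REGION)` as `client`; the returned credentials are what the SigV4-signing SDK clients (S3, DynamoDB, IoT Core) consume.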
IoT Use Case Example
In IoT applications:
- A mobile app authenticates the user via User Pool.
- Identity Pool provides temporary AWS credentials.
- Those credentials are used to securely connect to AWS IoT Core over WebSocket (MQTT over WSS) using SigV4 authentication.
- AWS IoT policies control which MQTT topics and client IDs the user may connect with, publish to, or subscribe to, and therefore which devices (“Things”) the user can reach.
This allows secure, scalable, fine-grained device access control.
Final Summary
- User Pools = Authentication (Who are you?)
- Identity Pools = Authorization (What can you do?)
- Together, they provide secure and scalable access control for mobile, web, and IoT applications.
If you’re building IoT systems, mobile apps, or serverless architectures on AWS, understanding this difference is essential.
References:
Amazon Cognito Developer Guide – Official AWS Documentation
https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html