Amazon Cognito Identity Pools (CIP) Vs Cognito User Pools (CUP) - Overview.
Scope:
- Intro,
- Cognito User Pools (CUP)
- Cognito Identity Pools (CIP)
- Purpose,
- What they do,
- Key Capabilities,
- What they do NOT do,
- Architecture,
- Common Use Cases,
- How They Work Together (Most Common Pattern),
- When to Use What,
- Real-World Examples,
- Insights.
Intro:
- Amazon Cognito User Pools (CUP) and Identity Pools (CIP) are two main components of Amazon Cognito that address different aspects of user management.
- Amazon Cognito has two different—but complementary—services that are often confused:
- Cognito User Pools (CUP) → Who the user is
- Cognito Identity Pools (CIP) → What the user can access in AWS
Below is a clear, DevOps-friendly deep dive with architecture, use cases, and a decision guide.
1️⃣ Cognito User Pools (CUP)
Purpose
- User authentication & user management.
What it does
Manages users, passwords, MFA, sign-up/sign-in
Issues JWT tokens:
ID token
Access token
Refresh token
Acts as an OAuth 2.0 / OpenID Connect (OIDC) provider
Key Capabilities
Username/password auth
Social login (Google, Facebook, Apple)
Enterprise login (SAML, OIDC)
MFA (SMS, TOTP)
Password policies & account recovery
Hosted UI or custom UI
Lambda triggers (Pre-SignUp, Post-Auth, etc.)
❌ What it does NOT do
Does not provide AWS credentials
Cannot directly access S3, DynamoDB, etc.
Architecture
Common Use Cases
Web & mobile app authentication
SaaS user management
API authentication (via JWT)
Fine-grained app-level authorization
2️⃣ Cognito Identity Pools (CIP)
Purpose
Authorization to AWS services
What it does
Exchanges identity tokens for temporary AWS credentials
Uses IAM roles
Supports:
Authenticated users
Unauthenticated (guest) users
Key Capabilities
Generates temporary AWS credentials (STS)
Maps users → IAM roles
Supports multiple identity providers:
Cognito User Pools
Google, Facebook
SAML, OIDC
Custom providers
❌ What it does NOT do
Does not manage users
No passwords, MFA, or user lifecycle
Architecture
Common Use Cases
Access S3 directly from browser/mobile
Client-side access to DynamoDB, API Gateway
IoT device access
Guest access with limited permissions
3️⃣ How They Work Together (Most Common Pattern)
User Pools authenticate → Identity Pools authorize
NB: ✅ This is the recommended architecture for most apps.
4️⃣ Side-by-Side Comparison
| Feature | User Pools (CUP) | Identity Pools (CIP) |
|---|---|---|
| Purpose | Authentication | AWS Authorization |
| Manages users | ✅ Yes | ❌ No |
| Issues JWT tokens | ✅ Yes | ❌ No |
| Issues AWS credentials | ❌ No | ✅ Yes |
| MFA & password policies | ✅ Yes | ❌ No |
| IAM role mapping | ❌ No | ✅ Yes |
| Guest users | ❌ No | ✅ Yes |
| OAuth / OIDC | ✅ Yes | ❌ No |
5️⃣ When to Use What
✅ Use User Pools ONLY if:
twtech just need authentication
Backend handles AWS access
No direct client-side AWS calls
✅ Use Identity Pools ONLY if:
twtech already have another IdP
twtech just need AWS access
No user management needed
✅ Use Both (Most Real-World Apps) if:
twtech needs authentication AND
Clients need AWS resource access
6️⃣ Real-World Examples
Example 1: Web App with S3 Upload
User Pool → Login + MFA
Identity Pool → Temporary S3 access
Example 2: Mobile App (Guest + Auth Users)
Identity Pool → Guest role
User Pool → Login
Identity Pool → Auth role after login
Example 3: API Authorization Only
User Pool → JWT validation in API Gateway
7️⃣ Interview Final thought (AWS / DevOps)
- Cognito User Pools handle authentication and user management.
- Meanwhile Identity Pools provide authorization by issuing temporary AWS credentials through IAM roles.”
twtech-Insights
Cognito has two main pieces:
- User Pools →
Authentication (sign-up/sign-in, user directory, federation, MFA, password policies,
etc.)
- Identity Pools
→ Authorization (granting temporary AWS credentials for access to AWS services).
Here
we’ll focus on Identity Pools.
1. Purpose
- Provide federated identities and issue temporary AWS credentials (via STS) so users can access AWS services securely.
- Supports both authenticated users (via Cognito User Pools, SAML, OIDC, social IdPs) and unauthenticated/guest users.
2. How It Works
1.
Authentication Step
o A
user signs in with:
* Cognito
User Pools
* Federated IdP (Google, Facebook, Apple, SAML, OIDC)
* Or
remains unauthenticated (guest access)
2.
Token Exchange
o The
app obtains an IdP token (e.g., JWT from User Pool).
o This
token is exchanged with the Identity Pool
for a unique Cognito Identity ID.
3.
STS Credentials
o Cognito
Identity Pool maps the identity to an IAM
role (using role-based
mappings, rules, or default roles).
o STS
provides temporary AWS credentials
(Access Key, Secret Key, Session Token).
4.
Access AWS Resources
o The
application uses these short-lived credentials to directly access AWS services like S3, DynamoDB, AppSync,
or API Gateway.
3. Key
Features
🔑 Federation Support
- User Pools (custom auth)
- Social IdPs (Facebook, Google, Apple, Amazon)
- SAML 2.0 IdPs
- OIDC IdPs
- Guest (unauthenticated identities)
🛡 Security
- Temporary, scoped AWS credentials
- IAM role mapping per IdP/provider
- Role assumption via trust policies
- Fine-grained IAM permissions (e.g., “users can
only access
s3://myapp-bucket/${cognito-identity.amazonaws.com:sub}/*”)
Role Mapping
- Default Authenticated/Unauthenticated roles
- Rules-based role mapping (per provider, per token claim)
- Developer authenticated identities (custom token vending)
Use Cases
- Mobile apps needing direct AWS service access (upload to S3, query DynamoDB)
- Games with guest access + upgrade to full auth later
- IoT apps needing lightweight identity assignment
- B2C apps where users sign in via Google/Facebook but still need AWS resource access
4. Comparison:
User Pools vs Identity Pools
|
Feature |
Cognito User Pools (CUP) |
Cognito Identity Pools (CIP) |
||
|
Purpose |
Authentication (user
directory, login, MFA) |
Authorization (temporary AWS credentials) |
||
|
Credentials |
JWT tokens (ID,
Access, Refresh) |
STS temporary credentials (Access Key, Secret Key, Session
Token) |
||
|
Integrates With |
App clients, API Gateway, ALB (for securing APIs & apps) |
AWS services (S3,
DynamoDB, AppSync, Lambda, etc.) |
||
|
Supports Guest Users |
|
✅
(unauthenticated identities supported) |
||
|
Federation |
Social, SAML, OIDC |
Social, SAML, OIDC, User Pools, and Guest |
||
|
Custom Claims |
✅ |
Limited (via IAM policies) |
5. Best Practices
- Use both together: User Pools for auth, Identity Pools for AWS service access.
- Apply fine-grained
IAM policies with
${cognito-identity.amazonaws.com:sub}condition. - Enable role-based mapping to separate user groups (e.g., admins vs regular users).
- Rotate credentials often (they expire in ~1 hour).
- For sensitive workloads, route through API Gateway + Lambda instead of direct S3/DynamoDB access.
6. Architecture Flow (Identity Pool Flow)
User → Sign-in (IdP/User Pool) → Token → Identity Pool → STS → AWS Credentials → Access AWS Services.
- Security Token Service (STS) is a third-party web service that authenticates clients by validating credentials and issuing security tokens across different formats.
- Identity Provider (IdP) is a system that
manages and verifies user identities, essentially acting as a digital
gatekeeper for applications and services.
- Identity Provider (IdP) allows users to log in once and access multiple resources (Single Sign-On) without re-entering credentials.
- Identity Provide (IdPs) enhance security through features like:
- Multi-Factor Authentication (MFA) and
- adaptive authentication, to adjust security based on risk factors
No comments:
Post a Comment