6.4 Amazon Cognito and Identity Federation
Key Takeaways
- Cognito User Pools provide user sign-up, sign-in, and token management for web and mobile applications — it is a full-featured identity provider.
- Cognito Identity Pools provide temporary AWS credentials for accessing AWS services directly from client applications (mobile, browser).
- User Pools handle authentication (who are you?); Identity Pools handle authorization (what AWS resources can you access?).
- Cognito supports social identity providers (Google, Facebook, Apple), SAML 2.0, and OIDC for enterprise federation.
- Use User Pools + Identity Pools together: User Pool authenticates the user, Identity Pool grants temporary AWS credentials.
Quick Answer: User Pools = user directory for sign-up/sign-in (returns JWT tokens). Identity Pools = exchange tokens for temporary AWS credentials (access S3, DynamoDB from client apps). Use both together: User Pool authenticates → Identity Pool authorizes AWS access.
Cognito User Pools
A User Pool is a user directory for managing sign-up and sign-in for web and mobile apps.
| Feature | Description |
|---|---|
| Sign-up/Sign-in | Username/password, email, phone |
| Social login | Google, Facebook, Apple, Amazon |
| Enterprise | SAML 2.0, OIDC federation |
| MFA | SMS, TOTP (authenticator app) |
| Password policy | Configurable complexity requirements |
| Tokens | Returns an ID token and an Access token (RS256-signed JWTs) plus a Refresh token, which is opaque (not a JWT) and only useful against Cognito itself |
| Triggers | Lambda triggers for custom logic (pre/post sign-up, pre/post auth) |
| Hosted UI | AWS-hosted login page (customizable) |
| Advanced security | Adaptive authentication, compromised credential detection |
Common Architecture: User Pool + API Gateway
- User signs in via Cognito User Pool → receives JWT token
- User sends JWT token with API requests
- API Gateway's Cognito User Pool authorizer verifies the JWT signature against the pool's published JWKS and rejects expired tokens; it answers only "is this a valid user of this pool", so per-resource authorization still belongs in the backend
- If valid, request is forwarded to Lambda/backend
Cognito Identity Pools
An Identity Pool provides temporary AWS credentials to access AWS services directly.
| Feature | Description |
|---|---|
| Input | Tokens from User Pools, social providers, SAML, OIDC |
| Output | Temporary AWS credentials (access key, secret key, session token) |
| IAM roles | Define different roles for authenticated vs. guest users |
| Fine-grained access | IAM policy variables such as ${cognito-identity.amazonaws.com:sub} in the role's policy scope each user to their own resources (e.g., their own S3 prefix) |
| Guest access | Optional unauthenticated identities receive the guest role's credentials with no login at all, so anyone who learns the identity pool ID can obtain them; keep that role's permissions minimal |
Common Architecture: User Pool + Identity Pool + S3
- User signs in via Cognito User Pool → receives JWT token
- Identity Pool exchanges JWT token for temporary AWS credentials
- Client uses credentials to upload files directly to S3
- IAM policy restricts access to the user's own S3 prefix (e.g., users/${cognito-identity.amazonaws.com:sub}/*; the variable resolves to the Identity Pool identity ID, not the User Pool username or sub)
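The role policy that enforces the last step, as an added example rather than a fragment from the page: this is the permissions policy attached to the identity pool's authenticated role. The bucket name is an assumption; the policy variable is the one Cognito Identity Pools substitute with the caller's identity ID at evaluation time.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-photo-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["users/${cognito-identity.amazonaws.com:sub}/*"]
        }
      }
    },
    {
      "Sid": "ReadWriteOwnObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::example-photo-bucket/users/${cognito-identity.amazonaws.com:sub}/*"
    }
  ]
}
```

Two things to check when applying it: ListBucket is a bucket-level action, so without the s3:prefix condition a user could enumerate every other user's keys even though they cannot read them; and the role's trust policy should only let cognito-identity.amazonaws.com assume it for this identity pool's ID with an authenticated amr value, otherwise a different pool or a guest identity could pick up the same permissions.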
User Pools vs. Identity Pools
| Feature | User Pool | Identity Pool |
|---|---|---|
| Purpose | Authentication (who are you?) | Authorization (what can you access?) |
| Output | JWT tokens | AWS credentials (STS) |
| Use case | Sign-in pages, user management | Direct AWS service access from clients |
| Without the other? | Yes (API Gateway auth) | Yes (with social/SAML tokens) |
| Together | Authenticates the user | Exchanges the User Pool token for AWS credentials |
Identity Federation Options
| Method | Use Case |
|---|---|
| Cognito User Pools | Web/mobile apps with user sign-up/sign-in |
| Cognito Identity Pools | Temporary AWS credentials for client apps |
| SAML 2.0 Federation | Enterprise SSO with an existing IdP (e.g., AD FS in front of Active Directory) |
| Web Identity Federation | Social login (Google, Facebook) → AWS access via STS AssumeRoleWithWebIdentity; AWS recommends going through a Cognito Identity Pool rather than calling STS directly from the client |
| IAM Identity Center (SSO) | Centralized SSO for multiple AWS accounts |
On the Exam: "Mobile app needs to upload photos directly to S3" → Cognito User Pool (auth) + Identity Pool (temp AWS creds) + S3 IAM policy. "Enterprise users need SSO to AWS Console" → IAM Identity Center with SAML.
A mobile application needs users to sign in and then upload photos directly to their own S3 folder. Which Cognito components are needed?
What does a Cognito User Pool return upon successful authentication?