Cognito User Pools Vs Identity Pools Flashcards

1
Q

Cognito User Pools

A

Used for authentication

Provides sign-up/sign-in functionality

Verifies identity by username/password or by federated login through identity providers such as Amazon, Facebook, Google, or SAML authentication such as Microsoft Active Directory

2
Q

Cognito Identity Pools

A

Used for authorization

Grants temporary AWS credentials to access other AWS services

The actual mechanism authorizing access to AWS services

You can define rules for mapping users to different IAM roles to provide fine-grained permissions

3
Q

User pools vs identity pools

A

Amazon Cognito offers two types of pools for your business applications - user pools and identity pools. The main difference between the two is that user pools are used for authentication (identity verification) while identity pools are for authorization (access control). For authentication, Amazon Cognito uses multiple identity management standards including OpenID Connect, OAuth 2.0, and SAML 2.0.

4
Q

User pools (cont)

A

With a user pool, your users can sign in through the user pool or federate through a third-party identity provider.
It essentially acts as a directory. Use cases include:
• Be able to add sign-up and sign-in features for your app.
• Be able to access and manage user data.
• Be able to track user device, location, and IP address, and adapt to sign-in requests of different risk levels.
• Be able to use a custom authentication flow for your app.
• Be able to access resources with Amazon API Gateway and AWS Lambda.

5
Q

Identity pools (cont)

A

Identity pools provide tokens that can be exchanged for temporary AWS credentials in AWS STS after successful authorization. The permissions for each user's credentials are controlled through IAM roles that you create. You can use identity pools to create unique identities for users and give them access to your AWS services. Use cases include:
• Giving your users access to AWS resources, such as an Amazon S3 bucket or an Amazon DynamoDB table.
• Generating temporary AWS credentials for unauthenticated users.

6
Q

User pools + identity pools

A

There is no rule stating that you cannot use these two services together. An example of a use case is when you want to manage your users in Amazon Cognito and you would like to provide them temporary access to your AWS services. After a successful user pool authentication, the user’s app will receive user pool tokens from Amazon Cognito. The user can then exchange them for temporary access to AWS services with an identity pool.

7
Q

AWS AppSync (Newer service than Cognito Sync)

A

AWS AppSync is a service that lets you manage and synchronize mobile app data in real time across different devices and users, but still allows the data to be accessed and altered when the mobile device is offline. To tighten security around using AWS AppSync, you can grant your users access to AppSync resources with tokens from a successful Amazon Cognito authentication.

8
Q

Scenario: Accessing Resources with Amazon API Gateway and AWS Lambda After Sign-in

A

You should make sure users accessing your API through Amazon API Gateway are authorized to do so. You can configure API Gateway to validate the tokens from a successful user pool authentication in Amazon Cognito, and use them to grant your users access to resources including Lambda functions, or your own API.
Token verification is usually performed by an Amazon Cognito authorizer Lambda function.
