Aws - Cognito


IAM (Identity Access Management) in Aws


User pool vs Identity Pool

Cognito splits account management across two services:

  • user pool is a user directory service to handle:
    • user registration,
    • authentication,
    • and account recovery.
  • identity pool (Federated Identities) is a way to authorize users to use AWS services (for example allowing a user to upload a file to an S3 bucket.)

Authentication providers

Amazon Cognito provides two different mechanisms for authenticating users. You can use:


To reduce the operational overhead of building and maintaining sign-up and sign-in forms and the custom authentication logic behind them, Cognito provides a hosted UI.

Cognito - UI


The permissions for each user are controlled through AWS IAM roles that you create.

Cognito Identity also allows you to define a separate IAM role with limited permissions for guest users who are not authenticated.

In addition, you can use the unique identifier that Cognito generates for each user to control access to specific resources. For example, you can write a policy for an S3 bucket that only allows each user access to their own folder within the bucket.
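The per-user folder pattern described above, as an added example that is not part of the original page: an IAM policy for the identity pool's authenticated role that scopes S3 access with the Cognito Identity policy variable `${cognito-identity.amazonaws.com:sub}`, a separate read-only policy for the unauthenticated (guest) role, and a small resolver that substitutes the variable for a given identity id and checks a request against the resolved statements. The bucket name and identity ids are hypothetical, and the evaluator only handles the Allow/Resource/Condition shapes used in these two policies (no Deny handling); it is not a general IAM policy evaluator.

```python
"""
Added example (not from the original page): IAM policies for a Cognito
identity pool's authenticated and guest roles, plus a minimal resolver that
shows how ${cognito-identity.amazonaws.com:sub} confines each user to their
own S3 prefix. Bucket name and identity ids below are hypothetical.
"""
import fnmatch
import json
from typing import Optional

BUCKET = "example-app-bucket"  # hypothetical bucket name

# Cognito Identity policy variable; AWS substitutes the caller's identity id at evaluation time.
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"

# Policy attached to the identity pool's *authenticated* role.
AUTHENTICATED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Listing the bucket is allowed only under the caller's own prefix.
            "Sid": "ListOwnFolder",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
            "Condition": {"StringLike": {"s3:prefix": [f"private/{SUB_VAR}/*"]}},
        },
        {
            # Object reads/writes are allowed only inside the caller's own folder.
            "Sid": "ReadWriteOwnObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/private/{SUB_VAR}/*"],
        },
    ],
}

# Policy for the separate, limited *unauthenticated* (guest) role: read-only public assets.
GUEST_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadPublicObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/public/*"],
        }
    ],
}


def resolve_policy(policy: dict, identity_id: str) -> dict:
    """Return a copy of the policy with the Cognito identity variable substituted."""
    return json.loads(json.dumps(policy).replace(SUB_VAR, identity_id))


def is_allowed(policy: dict, identity_id: str, action: str, resource_arn: str,
               s3_prefix: Optional[str] = None) -> bool:
    """Simplified allow-check: True if some Allow statement matches the action,
    the resource ARN (wildcard match) and, where present, the s3:prefix
    StringLike condition. Deny statements are not modelled."""
    for stmt in resolve_policy(policy, identity_id)["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in stmt["Resource"]):
            continue
        prefix_patterns = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if prefix_patterns is not None:
            # A ListBucket request must carry a prefix that matches the condition.
            if s3_prefix is None or not any(
                fnmatch.fnmatchcase(s3_prefix, p) for p in prefix_patterns
            ):
                continue
        return True
    return False


if __name__ == "__main__":
    # Two hypothetical identity ids from the same identity pool.
    alice = "us-east-1:aaaaaaaa-0000-0000-0000-000000000001"
    bob = "us-east-1:bbbbbbbb-0000-0000-0000-000000000002"
    own = f"arn:aws:s3:::{BUCKET}/private/{alice}/photo.jpg"
    other = f"arn:aws:s3:::{BUCKET}/private/{bob}/photo.jpg"
    print("alice -> own object:  ", is_allowed(AUTHENTICATED_ROLE_POLICY, alice, "s3:GetObject", own))
    print("alice -> bob's object:", is_allowed(AUTHENTICATED_ROLE_POLICY, alice, "s3:GetObject", other))
    print("guest -> public read: ", is_allowed(GUEST_ROLE_POLICY, "guest", "s3:GetObject",
                                               f"arn:aws:s3:::{BUCKET}/public/logo.png"))
```

The two statements are deliberately split: `s3:ListBucket` is a bucket-level action, so it is authorised on the bucket ARN and narrowed with an `s3:prefix` condition, while object actions are narrowed on the object ARN itself. Both use the same identity variable, so the resolved resource for one identity never overlaps another's, which is the check the resolver makes visible.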

Authentication Steps


Create a user pool and add an app

See Web App Users management


Documentation / Reference
