AWS - Cognito
IAM (Identity and Access Management) in AWS
User pool vs Identity Pool
Account management where:
- user pool is a user directory service to handle:
  - user registration,
  - and account recovery.
- identity pool (Federated Identities) is a way to authorize users to use AWS services (for example, allowing a user to upload a file to an S3 bucket).
Amazon Cognito provides two different mechanisms for authenticating users. You can use:
- Cognito User Pools to add sign-up and sign-in functionality to your application
- Cognito Identity Pools to authenticate users through:
  - social identity providers such as Facebook, Twitter, or Amazon, or through SAML identity solutions,
  - or by using your own identity system.
To reduce the operational overhead of creating and maintaining forms and custom logic for authentication, Cognito has a hosted UI.
The permissions for each user are controlled through AWS IAM roles that you create.
Cognito Identity also allows you to define a separate IAM role with limited permissions for guest users who are not authenticated.
In addition, you can use the unique identifier that Cognito generates for your users to control access to specific resources. For example, you can create a policy for an S3 bucket that only allows each user access to their own folder within the bucket.
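A per-user folder policy of the kind described above, added here as an example rather than taken from the original notes; it is meant to be attached to the identity pool's authenticated IAM role, and the bucket name `example-user-uploads-bucket` is a placeholder. The IAM policy variable `${cognito-identity.amazonaws.com:sub}` is replaced at evaluation time with the caller's Cognito identity ID, so where a Resource of `arn:aws:s3:::example-user-uploads-bucket/*` would let every signed-in user read and write every folder, this policy confines each user to the prefix named after their own identity.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnFolder",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-user-uploads-bucket"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${cognito-identity.amazonaws.com:sub}/*"]
        }
      }
    },
    {
      "Sid": "ReadWriteOnlyOwnFolder",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": [
        "arn:aws:s3:::example-user-uploads-bucket/${cognito-identity.amazonaws.com:sub}/*"
      ]
    }
  ]
}
```

Keep the separate guest role for unauthenticated identities far narrower than this, since an unauthenticated identity also receives an identity ID and would otherwise get its own writable folder.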