AWS Cognito: User Pools vs Identity Pools - Ultimate Guide for Developers

    Abhay Darji
    August 31, 2025

    When building a web or mobile app, one of the first features we often need is user authentication — the ability for users to sign up, log in, and securely access the application. But let’s be honest — building your own authentication system from scratch is time-consuming and risky (security bugs are no joke).

    That’s where AWS Cognito comes in. It helps you handle user authentication (sign up, log in, password reset, etc.) in a secure, scalable, and managed way — so you can focus more on your app’s features.

    In this blog, we’ll explore AWS Cognito from scratch, in the simplest way possible.

    Whether you’re new to authentication or AWS, this guide will walk you through everything you need to know — one step at a time.

    What is AWS Cognito?

    AWS Cognito is a service from Amazon Web Services (AWS) that manages authentication, authorization, and user management for your application. It enables developers to easily add user sign-up, sign-in, access control, and identity federation to web and mobile applications — with minimal backend effort.

    At its core, Cognito provides secure user authentication using industry standards like OAuth 2.0, OpenID Connect (OIDC), and SAML, and handles everything from storing user profiles to issuing tokens for session management.

    Instead of manually building login flows, password hashing, token generation, and session handling, Cognito abstracts all of that and offers a scalable, secure foundation that integrates directly with your app and AWS services.

    In simple terms:

    It lets your users sign up, log in, reset passwords, and access your app securely — without you having to build and maintain all the backend logic.


    Cognito’s Core Components

    👉 Cognito is divided into two main components:

    1. User Pool: Answers the question “Who are you?” (handles authentication, sign-up, login, identity verification)
    2. Identity Pool: Answers the question “What can you access?” (provides temporary AWS credentials so users can access AWS services like S3, DynamoDB, AppSync)

    Together, these two components make it easy to manage users securely and also control what resources they can use inside AWS.

    Let’s understand this in simple terms.

    🎭 Imagine a Theme Park 🎢

    When you go to a theme park, you need two things:

    1. A Ticket to enter (proves who you are).
    2. Tokens inside the park to play games or buy food.

    AWS Cognito works the same way.


    1. User Pool - “Who are you?” (Authentication)

    A User Pool is a user directory in Amazon Cognito. It is used to manage and authenticate users directly (like email/username and password logins).

    Think of it as the Ticket Counter at the Theme Park 🎟️

    What it is: A User Pool is like the ticket counter at the entrance of the theme park. It handles sign-up and login for users.

    What it does:

    • Lets users sign up (create an account).
    • Lets users log in (prove they are who they say).
    • Stores their username, email, phone, and password safely.
    • Can also connect with Google, Facebook, Apple login (like special passes).
    • Gives you a ticket (JWT token) after successful login.

    Example: You log in with your email + password → Cognito User Pool checks → if correct, it gives you a ticket saying “Yes, this is Abhay, he’s allowed inside.”

    🧩 Key Features of User Pools:

    1. User Directory (Managed Database)
      • Acts as a secure user store for credentials (username, email, phone).
      • Scales automatically — no need to build your own login system.
    2. Authentication (Login/Signup)
      • Provides built-in flows for sign-up, sign-in, and password reset.
      • Handles authentication via email, phone number, or username.
    3. Customizable Sign-in Options
      • Supports email, phone number, or username as identifiers.
      • Can also integrate with social logins (Google, Facebook, Apple) and enterprise logins (SAML, OIDC).
    4. Multi-Factor Authentication (MFA)
      • Supports SMS, TOTP apps (Google Authenticator, Authy, etc.) for added security.
      • You can enforce MFA for all users or make it optional.
    5. Password Policies & Security
      • Configurable rules: minimum length, uppercase, numbers, special characters.
      • Supports account lockout, CAPTCHA, and advanced threat protection.
    6. Hosted UI for Authentication
      • Provides a ready-to-use login/signup UI hosted by AWS.
      • Can be customized with your branding, logo, and colors.
    7. Tokens for Authentication
      • Issues JWT tokens after successful login:
        ID Token → User profile info
        Access Token → API access
        Refresh Token → Get new tokens without logging in again
    8. User Management Features
      • Admin APIs to create, update, or disable users.
      • Allows email/phone verification, account recovery, and attribute updates.
    9. Groups & Roles
      • Organize users into groups (e.g., Admin, Editor, Viewer).
      • Assign different permissions based on group membership.
    10. Triggers with Lambda
      • Hooks into events (pre-signup, post-login, pre-token generation).
      • Example: Run a Lambda to auto-approve users from a certain domain.
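    To make the last item concrete, here is an added example of such a Pre sign-up trigger; it is not code from this post or from AWS. It auto-confirms sign-ups whose e-mail belongs to an allowed domain (`example.com` is a placeholder) and leaves everyone else on the normal confirmation-code flow. The event shape follows the Cognito Pre sign-up trigger (`request.userAttributes`, `response.autoConfirmUser`, `response.autoVerifyEmail`); the decision logic is kept in a synchronous helper so it can be tested without a Lambda runtime.

```javascript
// Added example (not from the post): a Cognito Pre sign-up Lambda trigger that auto-confirms
// users whose e-mail address belongs to an allowed domain. "example.com" is a placeholder.
const ALLOWED_DOMAINS = new Set(["example.com"]);

// Lowercase domain part of an address, or null if it has no usable local@domain shape.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// The whole domain is compared. A suffix test like endsWith("example.com") would also
// accept "notexample.com", and a substring test would accept "example.com@attacker.test".
function isAllowedDomain(email) {
  const domain = emailDomain(email);
  return domain !== null && ALLOWED_DOMAINS.has(domain);
}

// Decision logic, synchronous so it is easy to unit-test. `event` follows the Cognito
// Pre sign-up trigger: request.userAttributes holds the attributes, response carries the
// autoConfirmUser / autoVerifyEmail flags the trigger may set.
function decidePreSignUp(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  event.response = event.response || {};
  if (isAllowedDomain(attrs.email)) {
    event.response.autoConfirmUser = true;
    // autoVerifyEmail is deliberately left unset: a matching domain shows where the address
    // belongs, not that the person signing up controls that mailbox, so the verification
    // code still has to be entered before the address counts as verified.
  }
  return event;
}

// Lambda entry point; the trigger must return the (possibly modified) event.
exports.handler = async (event) => decidePreSignUp(event);
exports.decidePreSignUp = decidePreSignUp;
exports.isAllowedDomain = isAllowedDomain;
exports.emailDomain = emailDomain;
```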

    2. Identity Pool — “What are you allowed to do?” (Authorization)

    An Identity Pool enables you to grant temporary AWS credentials to users so they can access AWS services (like S3, DynamoDB, etc.) directly. It doesn’t authenticate users itself, but rather authorizes them after they’re authenticated (via User Pool, Facebook, Google, SAML, or even anonymous access).

    What it is: An Identity Pool is like the booth inside the park that gives you tokens to play games or buy food.

    What it does:

    • Takes your ticket (from User Pool or Google/Facebook login).
    • Exchanges it for temporary AWS credentials (like game tokens).
    • With these tokens, you can use AWS services like S3 (storage), DynamoDB (database), or Lambda (functions).
    • Can also connect with Google, Facebook, Apple login (like special passes).
    • You don’t need to store permanent AWS keys on your app (safer!).

    Example: You show your ticket from User Pool → Identity Pool says, “Okay, here are some tokens that let you play 5 games and buy popcorn 🍿.” In AWS terms → “Here are temporary credentials to access S3 bucket and DynamoDB.”

    🧩 Key Features of Identity Pools:

    1. Federated Identities (Social & Enterprise Logins)
      • Supports multiple identity providers (User Pools, Google, Facebook, Apple, SAML, OpenID Connect).
      • Even allows guest (unauthenticated) access without login.
    2. Temporary AWS Credentials
      • Provides short-lived AWS access keys (via STS) instead of storing permanent keys in your app.
      • Credentials automatically expire, improving security.
    3. Role-Based Access Control (RBAC)
      • Maps different users/groups to different IAM roles.
      • Example: An admin can upload to S3, while a normal user can only read.
    4. Granular Permissions
      • You can fine-tune AWS service access (e.g., only access a specific S3 bucket or DynamoDB table).
      • Permissions are controlled with IAM policies.
    5. Supports Both Authenticated & Guest Users
      • Authenticated: Logged in via User Pool or other identity providers.
      • Guest (unauthenticated): Temporary credentials for limited access (e.g., free tier features).
    6. Secure AWS Access
      • Eliminates the need to hard-code AWS keys in frontend or mobile apps.
      • Uses secure token exchange with STS.
    7. Cross-Platform Support
      • Works with Web, iOS, Android, and React Native SDKs.
      • Easy to integrate with front-end apps.
    8. Token Exchange
      • Accepts JWT tokens (from User Pools or other IdPs) and exchanges them for AWS credentials.

    🔍 Cognito User Pool vs Identity Pool - Comparison

    [Image: comparison table of AWS Cognito User Pool vs Identity Pool]

    AWS Cognito offers a powerful combo:

    • 🔐 User Pools → manage authentication (who you are).
    • 🗝️ Identity Pools → manage authorization (what you can do).

    Together, they create a secure and seamless login-to-access flow 🎟️➡️⏳ for your apps. 🚀

    Tags

    #AWSCognito
    #UserPool
    #IdentityPool
    #Authentication
    #Authorization
    #CognitoUserPoolVsIdentityPool
    #FederatedIdentity
    #JWTTokens
    #OAuth2
    #OpenIDConnect
    #SAML
    #MFA
    #AccessControl
    #IdentityManagement
    #CloudSecurity
    #AWSServices
    #ServerlessAuthentication
    #IAMRoles
    #MobileAppDevelopment
    #WebDevelopment
