AWS Cognito - keshavbaweja-git/guides GitHub Wiki
User Pools
- Sign-up and sign-in services.
- A built-in, customizable web UI to sign in users.
- Social sign-in with Facebook, Google, and Login with Amazon, as well as sign-in with SAML identity providers from your user pool.
- User directory management and user profiles.
- Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
- Customized workflows and user migration through AWS Lambda triggers.
After successfully authenticating a user, Amazon Cognito issues JSON Web Tokens (JWTs) that you can use to
- secure and authorize access to your own APIs, or
- exchange for AWS credentials.
Identity Pools
- Identity pools provide AWS credentials to grant your users access to other AWS services.
- To enable users in your user pool to access AWS resources, you can configure an identity pool to exchange user pool tokens for AWS credentials.
External Provider Authflow
Enhanced (Simplified flow)
Identity Pool set up
- When you create an identity pool, AWS Cognito automatically creates two IAM roles: one for authenticated users and one for unauthenticated users (the latter only if you enabled unauthenticated access when creating the identity pool). These roles grant full access to the Cognito Identity, Cognito Sync and Mobile Analytics services (the unauthenticated role does not get access to Cognito Identity). Additional policies can be attached to these roles to grant access to other AWS services.
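The two halves above, checking the user pool JWT before trusting it for your own API and exchanging it for AWS credentials through the enhanced (simplified) identity pool flow, as an added Python example that is not code from this wiki. It assumes the token signature has already been verified against the user pool's JWKS with a JWT library (not shown), uses placeholder region, pool and app client ids, and takes the Cognito Identity client as a parameter so the flow can be exercised without network access.

```python
import base64
import json
import time

# Placeholder values for the example; substitute your own pool and client ids.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"    # placeholder, not a real user pool
APP_CLIENT_ID = "exampleclientid123"  # placeholder app client id


def decode_claims(jwt_token):
    """Return the payload claims of a JWT without verifying the signature.
    Only act on the result after the signature has been verified against the
    user pool's JWKS; this helper exists so the claim checks below can run."""
    payload_b64 = jwt_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_cognito_claims(claims, expected_use, now=None):
    """Return a list of problems; an empty list means the claims are acceptable.
    Checks issuer, token_use, audience (id token) / client_id (access token)
    and expiry, the claims AWS documents for user pool tokens."""
    now = time.time() if now is None else now
    problems = []
    issuer = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
    if claims.get("iss") != issuer:
        problems.append("issuer is not this user pool")
    if claims.get("token_use") != expected_use:
        problems.append(f"token_use is not '{expected_use}'")
    # ID tokens carry the app client id in 'aud'; access tokens in 'client_id'.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != APP_CLIENT_ID:
        problems.append("token was not issued for this app client")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems


def exchange_for_aws_credentials(cognito_identity, identity_pool_id, id_token):
    """Enhanced (simplified) flow: GetId, then GetCredentialsForIdentity, both
    carrying the user pool id token in the Logins map. `cognito_identity` is
    any object exposing the boto3 cognito-identity client methods; in real use
    pass boto3.client('cognito-identity'). Returns the identity id and the
    temporary credentials of the identity pool's authenticated role."""
    logins = {f"cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}": id_token}
    identity_id = cognito_identity.get_id(
        IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    resp = cognito_identity.get_credentials_for_identity(
        IdentityId=identity_id, Logins=logins)
    return identity_id, resp["Credentials"]
```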