Authentication and authorization are two important aspects of any cloud service. Authentication verifies the identity of a given user, while authorization determines which resources that user is allowed to access.
A user directory is a location where information about the users of an application or service is stored. User information may include names, email addresses, usernames, passwords and other attributes. A secure user directory is a prerequisite of any reliable identity and access management (IAM) system.
Amazon Web Services (AWS) provides a secure user directory and identity provider (IdP) referred to as a Cognito User Pool. Cognito User Pools allow users to create accounts (sign up) and authenticate (sign in) to an application. User Pools not only store and manage users who sign up directly with your application (referred to as direct users in this article) but also provide a way to manage externally authenticated users.
Externally authenticated users do not have direct accounts within the user pool of an application; instead they get access (authenticate / sign in) via the third-party or external user directories of identity providers (IdPs) such as Facebook, Google, Amazon, Apple and other SAML-compliant identity providers. This means that all the information about these users is stored outside of Cognito and can be updated only through the identity provider.
Direct users can update their information (password, name, etc.) through Cognito User Pools, since all their information is managed by the User Pool. Externally authenticated users, on the other hand, must go through their identity providers to update their user information, since Cognito User Pools only store immutable copies of the information provided by the external identity provider.
Cognito User Pools also provide a pre-built, customizable hosted web user interface to sign up direct users and to sign in both direct and external users (via third-party IdPs). Direct users can also change their password and complete multi-factor authentication (MFA) through this user interface. Application developers can, of course, create their own user interfaces that implement the Cognito User Pool authentication workflows.
Cognito Identity Pools, on the other hand, deal with the creation of unique identities, referred to as federated identities, with limited and temporary AWS privileges to access AWS resources such as S3, DynamoDB, etc. Once a user signs in to your application through a Cognito User Pool, the application can exchange the User Pool token it receives for temporary AWS credentials via a Cognito Identity Pool, in order to access AWS backend services such as S3. An Identity Pool may also provide a limited set of credentials to unauthenticated users of your application, if configured to do so.
This diagram from the documentation of AWS Cognito summarizes how Cognito User and Identity Pools work together.
For an Identity Pool to be able to assign the right credentials to authenticated and unauthenticated users of your application, you need to define corresponding roles in AWS IAM and attach these roles in your Identity Pool console.
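The token exchange and the role setup described above, as an added example (not code from the original article or from AWS): the first function builds the Logins map key an Identity Pool expects for a User Pool, the second builds the IAM trust policy for the authenticated or unauthenticated role, and the third performs the get_id / get_credentials_for_identity exchange against a boto3 cognito-identity client. The region, pool IDs, app client ID and the FakeIdentityClient are constructed placeholders; the main() at the bottom makes real AWS calls with boto3 and is only reached when the file is run as a script.

```python
"""Added example (not from the original article): the User Pool -> Identity Pool
credential exchange, plus the IAM trust policy an Identity Pool role needs.
Pool IDs, region and the fake client below are constructed placeholders."""
import json
from typing import Dict, Optional

# Placeholder identifiers (constructed; substitute your own pool values).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"


def user_pool_login_key(region: str, user_pool_id: str) -> str:
    """Key an Identity Pool expects in the Logins map for a Cognito User Pool.
    A wrong key here is a common cause of NotAuthorizedException on get_id."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def identity_pool_trust_policy(identity_pool_id: str, authenticated: bool) -> dict:
    """Trust policy for the IAM role attached to an Identity Pool.
    The aud condition pins the role to this pool; the amr condition keeps the
    unauthenticated (guest) role from being assumed by signed-in users and vice versa."""
    amr = "authenticated" if authenticated else "unauthenticated"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }


def exchange_for_aws_credentials(identity_client, identity_pool_id: str,
                                 id_token: Optional[str] = None,
                                 region: str = REGION,
                                 user_pool_id: str = USER_POOL_ID) -> Dict[str, str]:
    """Exchange a User Pool ID token (or nothing, for a guest) for temporary AWS
    credentials. identity_client is a boto3 'cognito-identity' client, or anything
    exposing the same get_id / get_credentials_for_identity methods."""
    logins = {user_pool_login_key(region, user_pool_id): id_token} if id_token else {}
    get_id_kwargs = {"IdentityPoolId": identity_pool_id}
    if logins:
        get_id_kwargs["Logins"] = logins
    identity_id = identity_client.get_id(**get_id_kwargs)["IdentityId"]
    cred_kwargs = {"IdentityId": identity_id}
    if logins:
        cred_kwargs["Logins"] = logins
    creds = identity_client.get_credentials_for_identity(**cred_kwargs)["Credentials"]
    # Cognito Identity returns SecretKey, not SecretAccessKey as STS does.
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretKey"],
        "aws_session_token": creds["SessionToken"],
    }


class FakeIdentityClient:
    """Constructed offline stand-in that records the arguments it was called with."""
    def __init__(self):
        self.calls = []

    def get_id(self, **kwargs):
        self.calls.append(("get_id", kwargs))
        return {"IdentityId": REGION + ":fake-identity"}

    def get_credentials_for_identity(self, **kwargs):
        self.calls.append(("get_credentials_for_identity", kwargs))
        return {"Credentials": {"AccessKeyId": "ASIAFAKE", "SecretKey": "fakesecret",
                                "SessionToken": "faketoken", "Expiration": 0}}


def main():
    import boto3  # real AWS calls; only needed when run as a script
    idp = boto3.client("cognito-idp", region_name=REGION)
    auth = idp.initiate_auth(AuthFlow="USER_PASSWORD_AUTH",
                             ClientId="<app-client-id>",  # placeholder
                             AuthParameters={"USERNAME": "<user>", "PASSWORD": "<password>"})
    id_token = auth["AuthenticationResult"]["IdToken"]
    identity = boto3.client("cognito-identity", region_name=REGION)
    creds = exchange_for_aws_credentials(identity, IDENTITY_POOL_ID, id_token)
    s3 = boto3.client("s3", region_name=REGION, **creds)
    print(s3.list_buckets()["Buckets"])  # limited to what the authenticated role allows
    print(json.dumps(identity_pool_trust_policy(IDENTITY_POOL_ID, True), indent=2))


if __name__ == "__main__":
    main()
```

Passing no id_token sends no Logins map, which is exactly how a guest obtains the unauthenticated role's credentials, so the amr condition in the trust policy is what keeps those two roles from being swapped. The USER_PASSWORD_AUTH flow used in main() must be enabled on the app client, and an app client with a secret additionally requires a SECRET_HASH parameter.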
For a short summary of AWS IAM and the differences between an IAM user and an IAM role, refer to my other article titled "IAM on AWS: fundamental concepts for cloud architects and engineers".
If you have any questions or comments, please add them below the article.