Nomad_Soul - Fotolia
Most AWS users are somewhat familiar with Amazon Cognito, the cloud provider's user authentication and access control service for web and mobile apps. This service addresses many user management concerns, but not without a learning curve for enterprises.
The main reason for users' knowledge lag is that Amazon Cognito is split into two components, or features -- user pools and identity pools. These features appear similar because they both address user authentication and authorization, but they are very different in their approach. User pools and identity pools can be used separately or together for added flexibility, which can make understanding the two even more confusing.
Amazon Cognito user pools vs. identity pools
While identity pools and user pools are related services, it's important to know the difference between the two before you create either one in Amazon Cognito.
User pools are primarily intended for authentication. This feature provides a user directory to manage profiles and verify identities for your application. This Amazon Cognito feature also provides the information your code requires to complete an authorization, such as user IDs and group memberships.
User pools enable your users to sign in either through a third-party identity provider (IdP) or through the user pool itself. This is helpful when you need to access and manage user data, create sign-up and sign-in webpages or establish a custom authentication flow for your app.
On the other hand, identity pools are primarily used for authorization. This second Cognito feature, also known as federated identities, has two common use cases -- to provide access to different AWS resources and to create temporary credentials for unauthenticated users. IT pros can use identity pools to assign identity and access management (IAM) roles to their users, who receive their own set of IAM permissions and authenticate through an IdP.
Identity pools link users from an IdP to an IAM role, enabling enterprises to assign authorization for resources to AWS. This is an important distinction between Cognito user pools and identity pools.
User pools alone do not deal with any IAM-level permissions but provide critical information so the enterprise can authorize the users. On the other hand, identity pools permit users at the IAM level, enabling enterprises to assign a more detailed, role-based set of permissions for interacting with its AWS-hosted workloads.
How user pools and identity pools work together
Now, with some understanding of what user pools and identity pools bring to the table separately, it's time to explore some ways to use these two Cognito features together.
As mentioned above, identity pools can map users from an IdP to an IAM role, but they are not their own user directories. IT pros typically use a third-party IdP for this function. However, a Cognito user pool is its own IdP. If an identity pool is configured correctly, it can use the app's user pools as an IdP. This way, users authenticate via user pools and are assigned IAM roles via identity pools.
When it comes to an enterprise's Cognito architecture, there are a few things your IT team should keep in mind to ensure that it chooses the right approach for its needs.
Decide whether you want to manage app security at the IAM level. For example, if there are critical AWS resources that require access to be limited to specific IAM-based permission, you should use identity pools.
You'll also have to determine whether your application needs to be integrated with a third-party IdP. This decision will often depend on the size of the application. A small internal application won't need third-party integration. But with a publicly accessible app, there are more factors to consider, such as whether it's consumer-facing or promotes self-registration.
Weigh the importance of complexity and security for your application. The more users, the more complex the development, so choosing a user pool is the easiest option. But if confidential information needs to be accessed by multiple users, you'll want full control over access management -- at the application level and IAM level -- so both user pools and identity pools are required for the best result.