Image by kropekk_pl from Pixabay

What Is Amazon Cognito User Pool and How Does It Differ From a Cognito Identity Pool

Mariano Calandra
Jan 2 · 4 min read

Amazon Cognito is an AWS service that lets you easily add users’ management to web and mobile apps. It supports social identity providers, such as Facebook, Google and enterprise identity providers via SAML 2.0.

A powerful service.
At first, hard to understand.

One of the things that generate the biggest confusion is the fact that Amazon Cognito comes with two main components:

  • Amazon Cognito User Pools
  • Amazon Cognito Identity Pools (aka Federated Identities)

This is the first blocker because, in the common language, users and identities are almost the same things.
In this brief story, we will try to clarify real differences and what scenarios can be solved using one of these components or combining the two.

Cognito User Pool

According to the AWS official documentation:

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito […]

This means an anonymous user of our application (e.g. a mobile or a Single Page Application) can fill a registration form and then become a registered user. The chosen credentials (i.e. username and password) will be safely stored into Cognito User Pool.

In this case, Amazon Cognito acts as an Identity Provider (IdP).

When this registered user wants to log in, the User Pool will be used as the source of truth to assess the authenticity of provided credentials; if valid, a JSON Web Token (JWT) will be returned (click here, if you want to know more about JWT).

Fig. 1 – During a user’s login, Cognito User Pool will handle the credential’s verification process, if valid, a JWT will be issued. This token could be eventually used to invoke protected APIs.

Eventually, if we have a protected API (e.g. GET /orders/42) this token can be used to authenticate requests (fig.2) through the Authorization header.

If this API has been created using Amazon API Gateway, there’s the opportunity to easily protect it through the Cognito User Pool. In this scenario, API Gateway will ask Amazon Cognito User Pool to validate that token; if successful the backend Lambda function will be invoked.

📚 Further reading: How to protect APIs using Cognito User Pool

Fig.2 – API Gateway can be integrated natively with Cognito User Pool to validate the provided JWT.

Easy like Sunday morning.
But what if our application needs to interact directly with DynamoDB (fig.3)?

Cognito Identity Pool

Usually, REST APIs are protected through the use of a token – e.g. a JSON Web Token (JWT) – and that’s why Amazon API Gateway with the help of Cognito User Pool supports this scenario natively.

Fig.3 – Sometimes your client application may want to access directly to an AWS service (e.g. DynamoDB) without the API Gateway as a proxy. Will the JWT still be useful?

Alas, the vast majority of AWS resources, doesn’t support a JWT as a means of authentication! For instance, if our application would read the order item 42 directly from DynamoDB, we need an IAM Role that has the permission to read data from the Orders table.

And here it comes Cognito Identity Pool:

Identity pools provide AWS credentials to grant your users access to other AWS services.

Here, “your users” are the users registered into our Cognito User Pool*.

To enable users in your user pool to access AWS resources, you can configure an identity pool to exchange user pool tokens for AWS credentials.

To enable these users to access directly to DynamoDB and read the given order, we can’t use JWT straight; but we have to use Cognito Identity Pool to trade JWT with an access key and secret key (fig.4).

Fig. 4

Each couple of keys has an IAM role associated with the right set of permission.

Here, thanks to the Identity Pool, Amazon Cognito acts as an Identity Broker.

(*) Some caveats

In a simple scenario everything can be summarised in a general rule:

If our application needs to access an API Gateway endpoint then, Cognito User Pool is sufficient.

If our application needs to talk directly with an AWS service (DynamoDB, S3, …) we need Amazon Cognito Identity Pool too.

Unlikely, things are not necessarily black or white and real life has many nuances. For instance, our application could have users registered on a third-party Identity Provider and, in this case, we would use Cognito Identity Pool but not Cognito User Pool (more info in the Further reading section).


Even the most mundane things, if not well understood, will seem difficult. Amazon Cognito is no exception. I hope this story helps those who did not have a very clear understanding of the topic.

If you liked this post, please support my work!

Further reading

The Startup

Get smarter at building your thing. Join The Startup’s +789K followers.

Sign up for Top 10 Stories

By The Startup

Get smarter at building your thing. Subscribe to receive The Startup's top 10 most read stories — delivered straight into your inbox, once a week. Take a look.

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

Mariano Calandra

Written by

Mariano daily helps companies succeed using cloud and microservices. • AWS Authorized Instructor • AWS Community Builder •

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +789K followers.

Mariano Calandra

Written by

Mariano daily helps companies succeed using cloud and microservices. • AWS Authorized Instructor • AWS Community Builder •

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +789K followers.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store