Tuesday, July 7, 2026

AWS Cognito Identity Pool vs User Pool

 This is one of the most frequently tested topics in the AWS AI Engineer Professional, AWS Developer, and Solutions Architect exams. Many people confuse Amazon Cognito User Pool and Identity Pool because both are part of Amazon Cognito, but they solve completely different problems.

The easiest way to remember them is:

User Pool answers "Who are you?"

Identity Pool answers "What AWS resources are you allowed to access?"


High-Level Comparison

FeatureAmazon Cognito User PoolAmazon Cognito Identity Pool
Primary PurposeUser AuthenticationAWS Resource Authorization
Authenticates Users✅ Yes❌ No
Issues JWT Tokens✅ Yes❌ No
Issues Temporary AWS Credentials❌ No✅ Yes
Integrates with IAM RolesIndirectlyDirectly
Used for Login✅ Yes❌ No
Used for S3 AccessUsually via backend✅ Yes
Supports Social Login✅ YesUses User Pool or external IdPs
Used by API Gateway JWT Authorizer✅ Yes❌ No

User Pool

Think of a User Pool as your application's authentication server.

It manages:

  • User accounts
  • Passwords
  • MFA
  • Email verification
  • Phone verification
  • Sign-up
  • Sign-in
  • Password reset
  • JWT token generation

Example:

Patient



Username + Password



Amazon Cognito User Pool



Authenticated



Returns

Access Token

ID Token

Refresh Token

The application now knows:

This is John Smith.


Tokens Generated

A User Pool generates:

  • Access Token
  • ID Token
  • Refresh Token

Example

Authorization:

Bearer eyJhbGc...

These JWTs are sent to:

  • API Gateway
  • Lambda
  • ECS
  • ALB Authentication

Identity Pool

Identity Pools do not authenticate users.

Instead,

they convert an authenticated identity into temporary AWS credentials.

Think

User



Already Logged In



Identity Pool



Temporary AWS Credentials



Access AWS Services

Instead of JWTs,

Identity Pool returns

AWS Access Key

AWS Secret Key

AWS Session Token

These are temporary credentials backed by an IAM Role.


Why do we need Identity Pool?

Imagine your mobile app wants to upload an X-ray image directly to Amazon S3.

Without Identity Pool

Mobile



API Gateway



Lambda



S3

Every upload goes through Lambda.

Not ideal.


With Identity Pool

Patient



Login



User Pool



JWT



Identity Pool



Temporary IAM Credentials



Upload Directly



Amazon S3

Now

the patient uploads directly to S3.

Much more scalable.


Healthcare Example

Patient wants to upload

MRI Scan

Size

500 MB

If the upload goes through Lambda

Patient



Lambda



S3

Problems

  • Lambda timeout
  • Higher cost
  • Extra network hop

Instead

Patient



Login



User Pool



Identity Pool



Temporary IAM Role



Amazon S3

Much better.


How They Work Together

This is the most common architecture.

Patient



User Pool

Authenticate



JWT



Identity Pool



IAM Role



Temporary AWS Credentials



Amazon S3

Notice

User Pool authenticates.

Identity Pool authorizes AWS access.


API Authentication Example

Suppose your Patient Portal calls

POST /appointments

Flow

Patient



User Pool



JWT



API Gateway



Lambda



Aurora

Identity Pool is not needed.


Direct S3 Upload Example

Patient uploads MRI

Flow

Patient



User Pool



Identity Pool



Temporary IAM Credentials



Amazon S3

Lambda is bypassed.


Identity Pool IAM Example

Patient Role

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::hospital-uploads/*"
}
]
}

Identity Pool assumes this IAM Role.


Real Enterprise Healthcare Example

Imagine your platform has two applications.

Patient Portal

Patient logs in

Views appointments

Books appointments

Calls REST APIs

Needs

✅ User Pool

No Identity Pool required.


Medical Image Upload

Patient uploads

MRI

CT Scan

X-Ray

Ultrasound

Needs

User Pool

Identity Pool

because the upload goes directly to S3.


Which One for Your Blog Architecture?

For your AI-powered Healthcare Assistant, the choice depends on the interaction:

FeatureUser PoolIdentity Pool
Patient Login
JWT Authentication
API Gateway Authorization
Call Lambda APIs
Upload Voice Recording to S3Optional✅ Recommended
Upload MRI/CT Images to S3
Access DynamoDB directly from client✅ (with caution)
Access IoT devices from client
Temporary AWS credentials

AWS AI Professional Exam Tip

When you see a question like:

"A mobile application authenticates users using Amazon Cognito and needs to upload files directly to Amazon S3 without exposing long-lived AWS credentials."

The correct design is:

  1. Authenticate the user with Amazon Cognito User Pool.
  2. Exchange the authenticated identity through a Cognito Identity Pool.
  3. Obtain temporary IAM credentials.
  4. Use those credentials to upload directly to Amazon S3.

A simple memory aid is:

  • User Pool = Identity verification (Who are you?)
  • Identity Pool = Temporary AWS permissions (What can you access?)

For your healthcare architecture, you should include User Pool because it is essential for authenticating patients, doctors, and staff. Add an Identity Pool only if your client applications need to access AWS resources such as Amazon S3 directly (for example, uploading medical images, voice recordings, or documents without routing them through your backend APIs). This distinction is both architecturally sound and commonly tested in AWS certification exams.

No comments:

Post a Comment