This is one of the most frequently tested topics in the AWS AI Engineer Professional, AWS Developer, and Solutions Architect exams. Many people confuse Amazon Cognito User Pool and Identity Pool because both are part of Amazon Cognito, but they solve completely different problems.
The easiest way to remember them is:
User Pool answers "Who are you?"
Identity Pool answers "What AWS resources are you allowed to access?"
High-Level Comparison
| Feature | Amazon Cognito User Pool | Amazon Cognito Identity Pool |
|---|---|---|
| Primary Purpose | User Authentication | AWS Resource Authorization |
| Authenticates Users | ✅ Yes | ❌ No |
| Issues JWT Tokens | ✅ Yes | ❌ No |
| Issues Temporary AWS Credentials | ❌ No | ✅ Yes |
| Integrates with IAM Roles | Indirectly | Directly |
| Used for Login | ✅ Yes | ❌ No |
| Used for S3 Access | Usually via backend | ✅ Yes |
| Supports Social Login | ✅ Yes | Uses User Pool or external IdPs |
| Used by API Gateway JWT Authorizer | ✅ Yes | ❌ No |
User Pool
Think of a User Pool as your application's authentication server.
It manages:
- User accounts
- Passwords
- MFA
- Email verification
- Phone verification
- Sign-up
- Sign-in
- Password reset
- JWT token generation
Example:
Patient
↓
Username + Password
↓
Amazon Cognito User Pool
↓
Authenticated
↓
Returns
Access Token
ID Token
Refresh Token
The application now knows:
This is John Smith.
Tokens Generated
A User Pool generates:
- Access Token
- ID Token
- Refresh Token
Example
Authorization:
Bearer eyJhbGc...
These JWTs are sent to:
- API Gateway
- Lambda
- ECS
- ALB Authentication
Identity Pool
Identity Pools do not authenticate users.
Instead,
they convert an authenticated identity into temporary AWS credentials.
Think
User
↓
Already Logged In
↓
Identity Pool
↓
Temporary AWS Credentials
↓
Access AWS Services
Instead of JWTs,
Identity Pool returns
AWS Access Key
AWS Secret Key
AWS Session Token
These are temporary credentials backed by an IAM Role.
Why do we need Identity Pool?
Imagine your mobile app wants to upload an X-ray image directly to Amazon S3.
Without Identity Pool
Mobile
↓
API Gateway
↓
Lambda
↓
S3
Every upload goes through Lambda.
Not ideal.
With Identity Pool
Patient
↓
Login
↓
User Pool
↓
JWT
↓
Identity Pool
↓
Temporary IAM Credentials
↓
Upload Directly
↓
Amazon S3
Now
the patient uploads directly to S3.
Much more scalable.
Healthcare Example
Patient wants to upload
MRI Scan
Size
500 MB
If the upload goes through Lambda
Patient
↓
Lambda
↓
S3
Problems
- Lambda timeout
- Higher cost
- Extra network hop
Instead
Patient
↓
Login
↓
User Pool
↓
Identity Pool
↓
Temporary IAM Role
↓
Amazon S3
Much better.
How They Work Together
This is the most common architecture.
Patient
↓
User Pool
Authenticate
↓
JWT
↓
Identity Pool
↓
IAM Role
↓
Temporary AWS Credentials
↓
Amazon S3
Notice
User Pool authenticates.
Identity Pool authorizes AWS access.
API Authentication Example
Suppose your Patient Portal calls
POST /appointments
Flow
Patient
↓
User Pool
↓
JWT
↓
API Gateway
↓
Lambda
↓
Aurora
Identity Pool is not needed.
Direct S3 Upload Example
Patient uploads MRI
Flow
Patient
↓
User Pool
↓
Identity Pool
↓
Temporary IAM Credentials
↓
Amazon S3
Lambda is bypassed.
Identity Pool IAM Example
Patient Role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::hospital-uploads/*"
}
]
}
Identity Pool assumes this IAM Role.
Real Enterprise Healthcare Example
Imagine your platform has two applications.
Patient Portal
Patient logs in
↓
Views appointments
↓
Books appointments
↓
Calls REST APIs
Needs
✅ User Pool
No Identity Pool required.
Medical Image Upload
Patient uploads
MRI
CT Scan
X-Ray
Ultrasound
Needs
User Pool
Identity Pool
because the upload goes directly to S3.
Which One for Your Blog Architecture?
For your AI-powered Healthcare Assistant, the choice depends on the interaction:
| Feature | User Pool | Identity Pool |
|---|---|---|
| Patient Login | ✅ | ❌ |
| JWT Authentication | ✅ | ❌ |
| API Gateway Authorization | ✅ | ❌ |
| Call Lambda APIs | ✅ | ❌ |
| Upload Voice Recording to S3 | Optional | ✅ Recommended |
| Upload MRI/CT Images to S3 | ❌ | ✅ |
| Access DynamoDB directly from client | ❌ | ✅ (with caution) |
| Access IoT devices from client | ❌ | ✅ |
| Temporary AWS credentials | ❌ | ✅ |
AWS AI Professional Exam Tip
When you see a question like:
"A mobile application authenticates users using Amazon Cognito and needs to upload files directly to Amazon S3 without exposing long-lived AWS credentials."
The correct design is:
- Authenticate the user with Amazon Cognito User Pool.
- Exchange the authenticated identity through a Cognito Identity Pool.
- Obtain temporary IAM credentials.
- Use those credentials to upload directly to Amazon S3.
A simple memory aid is:
- User Pool = Identity verification (Who are you?)
- Identity Pool = Temporary AWS permissions (What can you access?)
For your healthcare architecture, you should include User Pool because it is essential for authenticating patients, doctors, and staff. Add an Identity Pool only if your client applications need to access AWS resources such as Amazon S3 directly (for example, uploading medical images, voice recordings, or documents without routing them through your backend APIs). This distinction is both architecturally sound and commonly tested in AWS certification exams.
No comments:
Post a Comment