AWS Cognito — Bare Essentials for DVA-C02 Quiz


1. Cognito User Pools vs Identity Pools

Cognito User Pools (Authentication)

Purpose: Sign users in.

Think:

User Pool = Authentication (Who are you?)


Cognito Identity Pools (Authorization)

Purpose: Give temporary AWS credentials.

Think:

Identity Pool = Authorization (What can you access?)


2. JWT Tokens

User Pool returns:

Important claims:

APIs simply read these claims.


3. Cognito Groups

User Pools support groups like:

Cognito automatically places them inside JWT.

Claim:

cognito:groups

Example

{
  "cognito:groups": [
      "admin"
  ]
}

API checks the token.

No database lookup required.


4. Custom JWT Claims

Need custom data like

Use

Pre Token Generation Lambda Trigger

It runs before JWT creation.

Can

Example

plan = pro
department = finance

These become part of the JWT.


5. Step-Up MFA

Normal login may not require MFA.

Sensitive actions may require MFA.

Example

AWS solution:

STS GetSessionToken

with

Returns

temporary MFA-authenticated credentials

Exam keyword:

High-value action → STS GetSessionToken


6. Adaptive Authentication

Cognito User Pools support

Adaptive Authentication

It can request MFA based on

Exam clue:

"Require MFA based on risk"

Answer:

Adaptive Authentication


7. Identity Pools and IAM Roles

Identity Pool maps users to IAM Roles.

Normally there are two roles.

Authenticated Role

Full access

Unauthenticated Role

Limited access

8. Guest (Unauthenticated) Users

Identity Pools can support guests.

Enable

Allow unauthenticated identities

Then assign

Unauthenticated IAM Role

Example permissions

s3:GetObject

No write permission.

Very common exam question.


9. Authenticated Users

Authenticated users receive

Authenticated IAM Role

Example

Read
Write
Upload
Delete

depending on IAM policy.


10. Temporary AWS Credentials

Identity Pools provide

These are

temporary credentials

Used to access


11. Fine-Grained DynamoDB Access

Identity Pools support IAM policy variables.

Very important variable

${cognito-identity.amazonaws.com:sub}

Use it inside IAM policy.

Example

Allow access only when

Partition Key = User Identity ID

Result

Each user only reads their own data.

No Lambda required.

No middleware required.


12. S3 Access using Identity Pools

Identity Pool

IAM Role

S3

If S3 access fails

First check

IAM Role permissions

Not

Exam favorite.


13. SAML / OIDC / Social Login

Identity Pools can accept identities from

Then issue temporary AWS credentials.


14. Common Lambda Trigger

For this exam, remember only one.

Pre Token Generation

Purpose

Add custom JWT claims.


15. User Pool vs Identity Pool Summary

User Pool Identity Pool
Authentication Authorization
Login AWS Credentials
JWT Tokens Temporary AWS Credentials
Users IAM Roles
Groups AWS Service Access
MFA S3/DynamoDB/Lambda access

16. DVA-C02 Exam Keywords

Question Mentions Answer
Login User Pool
JWT User Pool
Groups cognito:groups
Custom JWT claim Pre Token Generation Lambda
Temporary AWS credentials Identity Pool
S3 direct access Identity Pool
DynamoDB direct access Identity Pool
Guest users Allow unauthenticated identities
Guest read-only S3 Unauthenticated IAM Role + s3:GetObject
User-specific DynamoDB items ${cognito-identity.amazonaws.com:sub}
High-value action requiring MFA STS GetSessionToken
Risk-based MFA Adaptive Authentication
S3 permission issue Check IAM Role first

17. 30-Second Memory Sheet

These are the core Cognito concepts repeatedly tested in the AWS Developer Associate (DVA-C02) exam.