Purpose: Sign users in.
Think:
User Pool = Authentication (Who are you?)
Purpose: Give temporary AWS credentials.
Think:
Identity Pool = Authorization (What can you access?)
User Pool returns:
Important claims:
APIs simply read these claims.
User Pools support groups like:
Cognito automatically places them inside JWT.
Claim:
cognito:groupsExample
{
"cognito:groups": [
"admin"
]
}API checks the token.
No database lookup required.
Need custom data like
Use
Pre Token Generation Lambda Trigger
It runs before JWT creation.
Can
Example
plan = pro
department = financeThese become part of the JWT.
Normal login may not require MFA.
Sensitive actions may require MFA.
Example
AWS solution:
STS GetSessionTokenwith
Returns
temporary MFA-authenticated credentials
Exam keyword:
High-value action → STS GetSessionToken
Cognito User Pools support
Adaptive Authentication
It can request MFA based on
Exam clue:
"Require MFA based on risk"
Answer:
Adaptive Authentication
Identity Pool maps users to IAM Roles.
Normally there are two roles.
Authenticated Role
Full accessUnauthenticated Role
Limited accessIdentity Pools can support guests.
Enable
Allow unauthenticated identitiesThen assign
Unauthenticated IAM Role
Example permissions
s3:GetObjectNo write permission.
Very common exam question.
Authenticated users receive
Authenticated IAM Role
Example
Read
Write
Upload
Deletedepending on IAM policy.
Identity Pools provide
These are
temporary credentials
Used to access
Identity Pools support IAM policy variables.
Very important variable
${cognito-identity.amazonaws.com:sub}Use it inside IAM policy.
Example
Allow access only when
Partition Key = User Identity IDResult
Each user only reads their own data.
No Lambda required.
No middleware required.
Identity Pool
↓
IAM Role
↓
S3
If S3 access fails
First check
IAM Role permissions
Not
Exam favorite.
Identity Pools can accept identities from
Then issue temporary AWS credentials.
For this exam, remember only one.
Pre Token Generation
Purpose
Add custom JWT claims.
| User Pool | Identity Pool |
|---|---|
| Authentication | Authorization |
| Login | AWS Credentials |
| JWT Tokens | Temporary AWS Credentials |
| Users | IAM Roles |
| Groups | AWS Service Access |
| MFA | S3/DynamoDB/Lambda access |
| Question Mentions | Answer |
|---|---|
| Login | User Pool |
| JWT | User Pool |
| Groups | cognito:groups |
| Custom JWT claim | Pre Token Generation Lambda |
| Temporary AWS credentials | Identity Pool |
| S3 direct access | Identity Pool |
| DynamoDB direct access | Identity Pool |
| Guest users | Allow unauthenticated identities |
| Guest read-only S3 | Unauthenticated IAM Role + s3:GetObject |
| User-specific DynamoDB items | ${cognito-identity.amazonaws.com:sub} |
| High-value action requiring MFA | STS GetSessionToken |
| Risk-based MFA | Adaptive Authentication |
| S3 permission issue | Check IAM Role first |
cognito:groups${cognito-identity.amazonaws.com:sub}These are the core Cognito concepts repeatedly tested in the AWS Developer Associate (DVA-C02) exam.