Cognito User Pool vs Identity Pool: What It Is and When to Use It

Definition

Amazon Cognito is an AWS service that provides identity management for web and mobile applications, composed of two main components: User Pools and Identity Pools. A Cognito User Pool is a secure user directory for authentication (verifying a user's identity), offering sign-up and sign-in functionality. A Cognito Identity Pool is used for authorization (granting access to AWS resources), providing temporary AWS credentials to users so they can interact with other AWS services.

How It Works

While User Pools and Identity Pools can be used independently, they are often used together to provide a complete authentication and authorization solution.

1. Authentication with a User Pool:

A user of your application signs up and signs in through the Cognito User Pool. This can be done directly with a username and password, or through a federated identity provider like Google, Facebook, Apple, or a SAML 2.0 provider. Upon successful authentication, the User Pool returns JSON Web Tokens (JWTs), including an ID token, access token, and refresh token, to the application.

2. Authorization with an Identity Pool:

The application can then exchange the ID token from the User Pool for temporary, limited-privilege AWS credentials from an Identity Pool (the GetId and GetCredentialsForIdentity API calls). The Identity Pool is configured to trust the User Pool as an identity provider and verifies the token's signature and issuer before issuing anything. Based on the user's identity, and optionally on claims in the token such as group membership within the User Pool (rule-based role mapping, or the cognito:preferred_role claim populated from group roles), the Identity Pool assigns the user an AWS Identity and Access Management (IAM) role whose policies bound what the credentials can do.

3. Accessing AWS Resources:

With the temporary AWS credentials from the Identity Pool, the application (on behalf of the user) can now make secure requests to other AWS services, such as uploading a file to an Amazon S3 bucket or writing data to an Amazon DynamoDB table. This flow allows your application to grant users direct access to AWS resources without embedding long-term AWS credentials in the client application. Keep in mind that these are real AWS credentials in the end user's hands: the IAM role's trust and permissions policies, not your client code, are the only things limiting what the user can do with them.
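Steps 2 and 3 in code. This is an added example, not AWS's or Cognito's own code: with boto3 installed and real pool IDs it makes the real GetId and GetCredentialsForIdentity calls, while the constructed FakeCognitoIdentity class stands in for the service so the flow runs offline. The region, pool IDs, app client ID and token values are placeholders. The two local checks before the call (token_use must be "id", iss must be the configured User Pool) catch the most common integration mistake, sending the access token instead of the ID token, before a round trip to AWS.

```python
"""Exchange a Cognito User Pool ID token for temporary AWS credentials
from an Identity Pool, then bind an SDK session to them."""
import base64
import json

def user_pool_login_key(region: str, user_pool_id: str) -> str:
    """The Logins-map key an Identity Pool expects for a User Pool provider."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def _jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it. The Identity Pool verifies the
    signature server-side; locally we only read token_use and iss to fail fast."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def exchange_id_token(id_token, *, region, user_pool_id, identity_pool_id, client=None):
    """Return (identity_id, credentials) for the user behind id_token.
    credentials carries AccessKeyId, SecretKey, SessionToken and Expiration,
    exactly as GetCredentialsForIdentity returns them."""
    claims = _jwt_claims(id_token)
    if claims.get("token_use") != "id":
        raise ValueError("Identity Pools take the ID token, not the access token")
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise ValueError("token was not issued by the configured User Pool")
    if client is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        client = boto3.client("cognito-identity", region_name=region)
    logins = {user_pool_login_key(region, user_pool_id): id_token}
    identity_id = client.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]
    return identity_id, creds

def session_from_credentials(creds: dict, region: str):
    """boto3 Session bound to the temporary credentials (step 3). Everything it
    does is limited by the IAM role the Identity Pool mapped the user to."""
    import boto3
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretKey"],
                         aws_session_token=creds["SessionToken"], region_name=region)

class FakeCognitoIdentity:
    """Constructed stand-in for boto3's cognito-identity client. It enforces what
    the real service enforces and callers most often get wrong: the pool ID and
    the Logins key must match the pool's configured provider."""
    def __init__(self, identity_pool_id: str, trusted_login_key: str):
        self.identity_pool_id = identity_pool_id
        self.trusted_login_key = trusted_login_key
        self.calls = []  # record of API calls, so a test can inspect them
    def get_id(self, IdentityPoolId, Logins):
        self.calls.append(("GetId", IdentityPoolId, dict(Logins)))
        if IdentityPoolId != self.identity_pool_id or set(Logins) != {self.trusted_login_key}:
            raise PermissionError("NotAuthorizedException: Invalid login token")
        return {"IdentityId": IdentityPoolId.split(":")[0] + ":00000000-0000-4000-8000-000000000001"}
    def get_credentials_for_identity(self, IdentityId, Logins):
        self.calls.append(("GetCredentialsForIdentity", IdentityId, dict(Logins)))
        return {"IdentityId": IdentityId, "Credentials": {
            "AccessKeyId": "ASIAEXAMPLE", "SecretKey": "example-secret",
            "SessionToken": "example-session-token", "Expiration": 1700003600}}

def unsigned_demo_token(claims: dict) -> str:
    """Constructed token with a Cognito ID-token claim layout and a dummy
    signature; only the fake client ever sees it, so no real signing is needed."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'demo'})}.{enc(claims)}.signature"
```

Against the real service, drop the client argument and the lazy boto3 import creates a cognito-identity client; the Logins key format is the part to get right, since a wrong key or a token from an untrusted pool is rejected with NotAuthorizedException.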

A diagram illustrating the authentication and authorization flow with Cognito User Pools and Identity Pools.

Key Features and Limits

User Pools:

  • User Directory: Fully managed user directory that can scale to millions of users.
  • Authentication: Supports username/password, multi-factor authentication (MFA), social sign-in (Google, Facebook, Apple), and enterprise federation with SAML 2.0 and OpenID Connect (OIDC).
  • Customizable UI: Provides a built-in, customizable web UI for sign-up and sign-in.
  • Security Features: Offers compromised credential checks, adaptive (risk-based) authentication, and account takeover protection; these are part of the Plus pricing tier.
  • Lambda Triggers: Allows for custom workflows at various stages of the user lifecycle (e.g., pre-sign-up, post-authentication) using AWS Lambda functions.
  • Service Quotas (as of 2026): Default quotas include a maximum number of user pools per account, users per user pool, and API request rates that can be monitored and increased via the Service Quotas console.

Identity Pools:

  • Federated Identities: Creates unique identities for users from various identity providers, including User Pools, social providers, and SAML/OIDC providers.
  • Temporary AWS Credentials: Vends temporary, limited-privilege AWS credentials to authenticated and unauthenticated (guest) users.
  • IAM Integration: Uses IAM roles and policies to control user access to AWS resources.
  • Unauthenticated Access: Can provide credentials for guest users with highly restricted permissions.
  • Service Quotas (as of 2026): Default quotas include a maximum number of identity pools per account and API request rate limits. These can be monitored in the Service Quotas console.

Common Use Cases

  • Web and Mobile App Sign-in: Use a User Pool to handle all aspects of user registration, authentication, and account management for your application.
  • Direct S3 or DynamoDB Access: Combine a User Pool with an Identity Pool to allow authenticated users to directly upload files to an S3 bucket or query a DynamoDB table from their mobile or web app. Scope the mapped IAM role to each user's own data (for example with the ${cognito-identity.amazonaws.com:sub} policy variable in the S3 key prefix or the DynamoDB leading key) so that one user cannot read another user's objects.
  • API Gateway Authorization: Use a User Pool as an authorizer for Amazon API Gateway to secure your RESTful APIs, ensuring that only authenticated users can access them.
  • Access for Unauthenticated Guests: Use an Identity Pool to provide temporary, tightly scoped (typically read-only) access to certain AWS resources for users who have not yet signed into your application. Treat the unauthenticated role as public: anyone who can reach your application can obtain its credentials.
  • Federation from an Existing Identity Provider: Use an Identity Pool to grant users from an existing corporate directory (via SAML) access to specific AWS resources without creating a separate user in a User Pool.
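The IAM side of the Identity Pool features and use cases above, as an added example that is not AWS's own code. It builds the two policies that matter most, a trust policy that only this identity pool can use for one kind of identity (authenticated or unauthenticated), and a permissions policy that confines each user to their own S3 prefix, and audits a trust policy for the common mistake of trusting the Cognito federated principal with no conditions. The identity pool ID, bucket name and the WEAK_TRUST_POLICY document are constructed placeholders; no AWS calls are made, the dicts are ready for iam:CreateRole / iam:PutRolePolicy or CloudFormation.

```python
"""Build and audit the IAM policies an Identity Pool hands out."""

COGNITO = "cognito-identity.amazonaws.com"

def trust_policy(identity_pool_id: str, amr: str) -> dict:
    """Trust policy only THIS identity pool can use, and only for identities of
    the given kind: 'authenticated' or 'unauthenticated' (guest)."""
    if amr not in ("authenticated", "unauthenticated"):
        raise ValueError("amr must be authenticated or unauthenticated")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{COGNITO}:aud": identity_pool_id},   # this pool only
            "ForAnyValue:StringLike": {f"{COGNITO}:amr": amr},     # this identity kind only
        }}]}

def per_user_s3_policy(bucket: str) -> dict:
    """Permissions policy that confines each identity to its own prefix. STS
    substitutes ${cognito-identity.amazonaws.com:sub} with the identity ID at
    evaluation time, so user A can never address user B's prefix."""
    sub = "${" + COGNITO + ":sub}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/private/{sub}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": f"private/{sub}/*"}}}]}

# Constructed example of the common mistake: the role trusts the Cognito
# federated principal with no Condition at all.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": COGNITO},
    "Action": "sts:AssumeRoleWithWebIdentity"}]}

def audit_trust_policy(policy: dict, expected_pool_id: str, expected_amr: str) -> list:
    """Findings for an Identity Pool role's trust policy; [] means it is sound."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or principal.get("Federated") != COGNITO:
            findings.append("principal is not the Cognito Identity federated principal")
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{COGNITO}:aud") != expected_pool_id:
            # Without aud pinned, a Cognito identity from any pool, in any
            # account, satisfies this trust policy.
            findings.append(f"aud condition does not pin identity pool {expected_pool_id}")
        if cond.get("ForAnyValue:StringLike", {}).get(f"{COGNITO}:amr") != expected_amr:
            findings.append(f"amr condition does not pin '{expected_amr}' identities")
    return findings
```

Run audit_trust_policy over every role your identity pools reference; the amr check is what keeps a guest-pinned trust policy from being attached to the authenticated role by mistake.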

Pricing Model

As of 2026, the pricing for Amazon Cognito is as follows:

  • Cognito User Pools: Billed based on the number of Monthly Active Users (MAUs). A user is considered active if there is an identity operation related to them in a calendar month. There are three pricing tiers:

    • Lite: Basic authentication features.
    • Essentials: Includes all Lite features plus managed login UI and passwordless options.
    • Plus: Includes all Essentials features plus advanced security features like adaptive authentication and compromised credential detection.

    The Lite and Essentials tiers have a perpetual free tier for the first 10,000 MAUs. Additional costs may be incurred for sending SMS messages for MFA via Amazon Simple Notification Service (SNS).
  • Cognito Identity Pools: The use of Identity Pools to federate users and generate temporary AWS credentials is provided at no charge.

For detailed and current pricing, always refer to the official AWS Pricing page and the AWS Pricing Calculator.

Pros and Cons

Pros:

  • Managed Service: Offloads the undifferentiated heavy lifting of building and managing a secure, scalable authentication and authorization system.
  • Deep AWS Integration: Seamlessly integrates with other AWS services like IAM, S3, DynamoDB, API Gateway, and Lambda.
  • Scalability: Designed to scale to support millions of users without manual intervention.
  • Cost-Effective: The pay-as-you-go model with a generous free tier for User Pools makes it very affordable, especially for new applications.
  • Standards-Based: Supports open identity standards like OAuth 2.0, SAML 2.0, and OpenID Connect.

Cons:

  • Complexity: The distinction between User Pools and Identity Pools can be confusing for beginners, leading to a steep learning curve.
  • Limited Customization: While customizable to a degree (especially with Lambda triggers), it can be less flexible for highly specific or complex authentication workflows compared to some third-party solutions.
  • Vendor Lock-in: Deep integration with the AWS ecosystem can make it more challenging to migrate to a different identity provider in the future.

Comparison with Alternatives

  • Auth0/Okta: These are dedicated Identity-as-a-Service (IDaaS) platforms that often provide a more straightforward developer experience, more extensive customization options, and a wider range of out-of-the-box integrations. However, they are typically more expensive than Cognito, especially at scale. Cognito's primary advantage is its native and seamless integration within the AWS ecosystem.
  • Self-Hosted Identity Solution (e.g., Keycloak): Building and managing your own identity server gives you maximum control and flexibility. However, it also means you are responsible for scalability, security, maintenance, and patching, which can be a significant operational burden compared to using a managed service like Cognito.

Exam Relevance

Amazon Cognito is a key topic on several AWS certification exams, particularly those focused on development and architecture:

  • AWS Certified Developer - Associate (DVA-C02): Expect questions on implementing user authentication and authorization using User Pools and Identity Pools, integrating with API Gateway, and using the AWS SDK to interact with Cognito.
  • AWS Certified Solutions Architect - Associate (SAA-C03): Questions will likely focus on the architectural patterns of when to use User Pools vs. Identity Pools, how they work together, and how to design secure access to AWS resources for application users.

Examinees should have a clear understanding of the distinct roles of User Pools (authentication) and Identity Pools (authorization) and be able to identify the correct component to use in various scenarios.

Frequently Asked Questions

Q: Can I use a Cognito User Pool without an Identity Pool?

A: Yes. If your application only needs to authenticate users and doesn't require them to have direct access to AWS resources, a User Pool is sufficient. For example, you can use the JWTs from a User Pool to authorize access to your own backend APIs (e.g., running on EC2 or Lambda via API Gateway). Your backend (or the API Gateway authorizer) must then validate every token: the RS256 signature against the User Pool's published JWKS, the iss claim, the aud (ID token) or client_id (access token) claim, the token_use claim, and exp.
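The validation a backend must perform on a User Pool token, as an added example that is not Cognito's or AWS's code. It is standard-library only so it runs offline: the RS256 (RSA PKCS#1 v1.5 with SHA-256) verification is written out to show exactly what a JWT library checks, and the signing key is a constructed toy key whose factors are Mersenne primes, which makes it trivially factorable and suitable only for minting test tokens here. In production use a maintained JWT library and load the key set from https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json (cache it, refresh on an unknown kid). The region, pool ID and app client ID are placeholders.

```python
"""Validate an Amazon Cognito User Pool JWT before trusting any claim in it."""
import base64
import hashlib
import json
import time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5: recover EM with the public key and compare it whole
    against the expected encoding (never parse EM, that invites Bleichenbacher)."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == _emsa_pkcs1_v15(signing_input, k)

class TokenError(Exception):
    pass

def verify_cognito_jwt(token, jwks, *, region, user_pool_id, app_client_id, expected_use, now=None):
    """Return the claims only if signature, issuer, audience, token_use and expiry all hold."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))   # decoded, NOT yet trusted
        sig = b64url_decode(s_b64)
    except ValueError:
        raise TokenError("malformed token")
    if header.get("alg") != "RS256":                # refuses alg=none and HMAC downgrades
        raise TokenError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:
        raise TokenError("unknown kid")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), sig, n, e):
        raise TokenError("bad signature")
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise TokenError("wrong issuer")            # valid token, but from some other pool
    if claims.get("token_use") != expected_use:
        raise TokenError("wrong token_use")         # e.g. access token where an ID token is required
    # An ID token names the app client in aud, an access token in client_id.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != app_client_id:
        raise TokenError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise TokenError("expired")
    return claims

def reject_reason(token, jwks, **kw):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_cognito_jwt(token, jwks, **kw)
        return None
    except TokenError as err:
        return str(err)

# Toy signing key so the example runs offline. p and q are Mersenne primes,
# so this key is trivially factorable: it exists only to mint test tokens.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
TOY_N, TOY_E = _P * _Q, 65537
TOY_D = pow(TOY_E, -1, (_P - 1) * (_Q - 1))
TOY_KID = "demo-kid-1"
TOY_JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": TOY_KID,
                      "n": b64url_encode(TOY_N.to_bytes((TOY_N.bit_length() + 7) // 8, "big")),
                      "e": b64url_encode(TOY_E.to_bytes(3, "big"))}]}

def mint_token(claims: dict, d: int = TOY_D, n: int = TOY_N, kid: str = TOY_KID) -> str:
    """Sign claims the way a User Pool does (RS256, kid in the header)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big"), d, n).to_bytes(k, "big")
    return f"{signing_input.decode()}.{b64url_encode(sig)}"
```

The order of checks matters: nothing in the payload is used until the signature has been verified against a key selected by kid from the pool's own JWKS, and the issuer check is what stops a perfectly valid token from a different User Pool (yours or someone else's) being accepted.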

Q: Can I use a Cognito Identity Pool without a User Pool?

A: Yes. An Identity Pool can federate identities from other providers like Google, Facebook, or any SAML/OIDC-compliant provider without needing a User Pool. You can even use a "developer authenticated identity" where you use your own backend to authenticate users and then get temporary AWS credentials from an Identity Pool.

Q: What is the primary difference I should remember between User Pools and Identity Pools?

A: The simplest way to remember the difference is: User Pools are for Authentication (Who is the user? Are they who they say they are?) and provide tokens. Identity Pools are for Authorization (What AWS resources is this user allowed to access?) and provide temporary AWS credentials.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/21/2026 / Updated: 5/21/2026