Amazon Cognito Overview
- Purpose: Adds user sign-up, sign-in, and access control to web and mobile applications without building your own identity system.
- Provides authentication, authorization, and user management.
- Users can sign in directly with a username/password or through third-party identity providers (e.g., Facebook, Amazon, Google).
Web Identity Federation
- Allows users to authenticate with a Web Identity Provider (IdP) (e.g., Google, Facebook, Amazon, Twitter, Digits, or any OpenID Connect compatible IdP).
- Also supports external identity providers that support SAML.
- Flow: User authenticates with Web IdP → receives an authentication token → exchanges token with Cognito → Cognito provides temporary AWS credentials → user assumes an IAM role → gains access to required AWS resources.
- Cognito acts as an Identity Broker, handling the interaction between your application and the Web IdP, eliminating the need for custom code.
- You can also integrate your own custom identity provider.
User Pools and Identity Pools - The Core Components
- The two main components of Amazon Cognito; they can be used separately or together.
- Identity Pools remove the need for applications to embed or store long-lived AWS credentials on the device: they hand out temporary security credentials for your app's backend resources in AWS or for any service behind Amazon API Gateway.
- User Pools expose server-side APIs; users can sign up and sign in using email, phone number, or username.
- User Pools support Multi-Factor Authentication (MFA) via SMS and TOTP software tokens.
- User Pools include an import tool (CSV upload) for migrating existing users into a Cognito User Pool.
User Pools
- Function: User directories that provide sign-up and sign-in options for your app users. (Authentication)
- Users can sign in directly or through social/SAML identity providers.
- All users in a user pool have a directory profile accessible via an SDK.
- When federating, the user pool acts as an Identity Broker between the external IdP and your app: it handles the IdP sign-in and issues its own tokens, so the app only ever handles Cognito tokens.
- Key Features:
- Sign-up and sign-in services.
- Built-in, customizable web UI for sign-in.
- Social sign-in (Facebook, Google, Login with Amazon) and SAML IdP integration.
- User directory management and user profiles.
- Security features: MFA, compromised credentials checks, account takeover protection, phone/email verification.
- Customized workflows and user migration through AWS Lambda triggers.
- After successful authentication, Cognito issues JSON Web Tokens (JWTs): an ID token, an Access token, and a Refresh token. The ID and Access tokens can be used to secure and authorize access to your own APIs, or exchanged for AWS credentials through an Identity Pool. Before trusting one, a backend must verify its RS256 signature against the pool's JWKS (`<issuer>/.well-known/jwks.json`) and check the `iss`, `token_use`, audience (`aud` on ID tokens, `client_id` on Access tokens) and `exp` claims.
Identity Pools
- Function: Enable you to grant your users access to other AWS services. (Authorization)
- Validates the token presented by a supported identity provider and assigns each user a unique identity ID.
- With an identity, users obtain temporary, limited-privilege AWS credentials (scoped by the pool's authenticated or unauthenticated IAM role) to access other AWS services. The role's trust policy should restrict `cognito-identity.amazonaws.com:aud` to the identity pool ID and `cognito-identity.amazonaws.com:amr` to `authenticated`, so the role cannot be assumed through another pool or by guest identities.
- Tracks the association between user identity and various devices.
- Uses Push Synchronization (via Amazon SNS silent push notifications) to synchronize user data across multiple devices for a seamless experience.
- Supported Identity Providers:
- Public providers (Login with Amazon, Facebook, Google).
- Amazon Cognito User Pools.
- OpenID Connect Providers.
- SAML Identity Providers.
- Developer Authenticated Identities.
Amazon Cognito Sync
- Definition: An AWS service and client library for cross-device syncing of application-related user data. AWS now recommends AWS AppSync for new applications.
- Synchronizes user profile data across mobile devices and the web without requiring your own backend.
- Client libraries cache data locally, allowing offline read/write.
- Supports push sync to notify other devices immediately when data changes.
- Exam Tip: Cognito Sync vs. AWS AppSync
- Cognito Sync: Synchronizes data for a single user across their multiple devices.
- AWS AppSync: A more advanced service that can synchronize mobile app data across multiple devices AND multiple users, supports additional devices and data types, and is based on GraphQL. If a question implies multi-user data synchronization, AppSync is the answer.
Important Exam Tips for Cognito
- User Pool vs. Identity Pool (Crucial Distinction!):
- User Pool = Authentication ("Who are you?"): Manages user directories, sign-up/sign-in, MFA, issues JWTs. Think of it like IAM Users or Active Directory for your app users.
- Identity Pool = Authorization ("What can you do in AWS?"): Grants temporary AWS credentials to authenticated users to access AWS services. Think of it like an IAM Role that your users can assume.
- Web Identity Federation Flow: Understand the sequence: User → External IdP → Token → Cognito Identity Pool → Temporary AWS Credentials → IAM Role → AWS Services.
- JWTs: User Pools issue ID tokens (user claims), Access tokens (API access), and Refresh tokens (to get new ID/Access tokens).
- Lambda Triggers: User Pools can invoke Lambda functions for custom authentication flows, pre-sign-up validation, post-confirmation actions, and user migration.
- Security: Cognito helps avoid hardcoding credentials. Identity Pools provide temporary, limited-privilege credentials; if unauthenticated (guest) identities are enabled, they get a separate guest role that should be kept minimal.
- Scalability: Cognito is designed to scale to millions of users.
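The Lambda triggers listed under the User Pool key features and in the exam tips above, as an added example that is not part of the original page or AWS's code: a Pre sign-up trigger in Node.js that enforces an allow-list of email domains and refuses to auto-confirm or auto-verify users. The allowed domain, the user pool ID and the sample event are constructed for the demonstration.

```javascript
// Added example (not from the page or AWS): a Pre sign-up Lambda trigger, in Node.js,
// that enforces an allow-list of email domains and refuses to auto-confirm users.
// The allowed domain and the event below are constructed for the demo.
const ALLOWED_EMAIL_DOMAINS = new Set(['example.com']); // assumed corporate domain

// Core decision logic, kept synchronous so it can be unit-tested without Lambda.
function checkSignUp(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const email = String(attrs.email || '').trim().toLowerCase();
  // lastIndexOf guards against "victim@example.com@evil.example": the real domain is after the last '@'.
  const at = email.lastIndexOf('@');
  const domain = at > 0 ? email.slice(at + 1) : '';
  if (!ALLOWED_EMAIL_DOMAINS.has(domain)) {
    // Throwing aborts the sign-up; Cognito relays the message to the client.
    throw new Error('Sign-up is limited to approved email domains');
  }
  // Do not auto-confirm or auto-verify. autoVerifyEmail marks the address verified
  // without proof of possession, and a verified address is what password recovery
  // and email-based linking of federated users rely on.
  event.response.autoConfirmUser = false;
  event.response.autoVerifyEmail = false;
  event.response.autoVerifyPhone = false;
  return event;
}

// Lambda entry point: Cognito expects the (possibly modified) event object back.
async function handler(event) {
  return checkSignUp(event);
}
if (typeof module !== 'undefined') module.exports = { handler, checkSignUp };

// Constructed event in the shape Cognito sends for a native (non-federated) sign-up.
const sampleEvent = {
  version: '1',
  triggerSource: 'PreSignUp_SignUp',
  region: 'us-east-1',
  userPoolId: 'us-east-1_EXAMPLE',
  userName: 'alice',
  request: { userAttributes: { email: 'Alice@Example.com' }, validationData: null },
  response: { autoConfirmUser: false, autoVerifyEmail: false, autoVerifyPhone: false },
};

console.log(checkSignUp(sampleEvent).response); // { autoConfirmUser: false, autoVerifyEmail: false, autoVerifyPhone: false }
```

The same trigger also fires for `PreSignUp_ExternalProvider` and `PreSignUp_AdminCreateUser`; for federated sign-ups the email attribute comes from the external IdP's mapped claims, so the domain check applies to it unchanged.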