gsrai · July 26, 2022 12:48 · Jul 26, 2022
diff --git a/Notes.md b/Notes.md
@@ -0,0 +1,70 @@
+# Cognito
+
+Securing something is about restricting access or access control.
+To control access, you need to differentiate those who have access and those who don't.
+This inherently requires you to be able to identify the user (authentication).
+To identify users, you need an identity provider, a service that stores and provides user information aka identity.
+Once you can identify users, you need to associate a user/s to a permissions list or ruleset.
+
+The _Cognito User Pool_ is an identity provider, and the _Cognito Identity Pool_ federates identities
+from multiple identity providers and then applys a ruleset via _IAM roles_.
+
+## Cognito User Pool vs Identity Pool
+
+AWS definition for the _Cognito User Pool_:
+
+> Amazon Cognito User Pool makes it easy for developers to add sign-up and sign-in functionality
+> to web and mobile applications. It serves as your own **identity provider** to maintain a user
+> directory. It supports user registration and sign-in, as well as **provisioning identity tokens** for
+> signed-in users.
+
+AWS definition for _Cognito Federated Identities_ or _Identity Pool_:
+
+> Amazon Cognito **Federated** Identities enables developers to create **unique identities** for your
+> users and **authenticate them with federated identity providers**. With a **federated identity**, you
+> can **obtain temporary, limited-privilege AWS credentials to securely access other AWS services**
+> such as Amazon DynamoDB, Amazon S3, and Amazon API Gateway.
+
+The _Cognito Identity Pool_ simply takes all your _identity providers_ and puts them together (_federates_ them).
+And with all of this it can now give your users **secure access to your AWS services, regardless of where they come from**.
+
+So in summary; the _Cognito User Pool_ stores all your users which then plugs into your
+_Cognito Identity Pool_ which can give your users access to your AWS services.
+
+## Cognito User Pool
+
+An AWS service that can store user login info.
+Commonly used to manage sign up and login functionality for our users,
+Also can be used to manage user sessions.
+
+> _Cognito User Pool_ is effectively an _authentication provider_.
+
+how to handle user registration, authentication, and account recovery.
+use the SDK to retrieve user related information
+
+## Cognito Identity Pool
+
+To manage access control to our AWS infrastructure we can use a service called _Amazon Cognito Identity Pools_.
+This service decides if our previously authenticated user has access to the resources they are trying to connect to.
+
+Identity Pools can have different authentication providers (like _Cognito User Pools_, _Facebook_, _Google_ etc.).
+
+a way to **authorize your users to use the various AWS services**.
+
+And to create these levels of access, the Identity Pool has its own concept of an identity (or user),
+Why? because it needs to federate them, as the source of these identities (or users) could be a
+_Cognito User Pool_ or even _Facebook_ or _Google_.
+
+## Auth Role
+
+A _Cognito Identity Pool_ can have a set of rules (called an _IAM Role_) attached to it.
+The role defines a list of the resources an authenticated user is allowed to access.
+These resources are listed using an _ID_ called _ARN_ (Amazon Resource Name).
+
+## IAM user vs Cognito user
+
+An _IAM user_ is used to identify external entities and manage their access to AWS resources on you AWS account.
+An external entity can interface with your account resources via an API, CLI or the Web UI (console).
+
+A _Cognito user_ is different as the user doesn't need to be identified as part of your AWS account resources,
+they don't need an ARN.
No results found