Securing something is about restricting access, that is, access control. To control access you need to differentiate those who have access from those who don't, which means you must be able to identify the user (authentication). To identify users you need an identity provider: a service that stores and provides user information, i.e. identities. Once you can identify users, you need to associate each user (or group of users) with a permissions list or ruleset (authorization).
The Cognito User Pool is an identity provider, and the Cognito Identity Pool federates identities from multiple identity providers and then applies a ruleset to them via IAM roles.
AWS definition for the Cognito User Pool:
Amazon Cognito User Pool makes it easy for developers to add sign-up and sign-in functionality to web and mobile applications. It serves as your own identity provider to maintain a user directory. It supports user registration and sign-in, as well as provisioning identity tokens for signed-in users.
AWS definition for Cognito Federated Identities or Identity Pool:
Amazon Cognito Federated Identities enables developers to create unique identities for your users and authenticate them with federated identity providers. With a federated identity, you can obtain temporary, limited-privilege AWS credentials to securely access other AWS services such as Amazon DynamoDB, Amazon S3, and Amazon API Gateway.
The Cognito Identity Pool simply takes all your identity providers and puts them together (federates them). With that in place, it can give your users secure access to your AWS services, regardless of where they come from.
So, in summary: the Cognito User Pool stores all your users; it then plugs into your Cognito Identity Pool, which can give your users access to your AWS services.
The Cognito User Pool is an AWS service that stores your users' login information. It is commonly used to manage sign-up and sign-in for your users, and it can also be used to manage user sessions, since it issues tokens to signed-in users.
The Cognito User Pool is effectively an authentication provider.
It handles user registration, authentication, and account recovery; your application uses the SDK to retrieve user-related information.
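The tokens a User Pool hands to a signed-in user are JWTs, and the backend that receives them has to check more than the signature: the issuer must be this exact pool, the token must be of the kind the endpoint expects (an ID token is not an access token), the app client must match, and it must not be expired. The following is an added example, not code from the page or from AWS; the region, pool ID and app client ID are assumed placeholders, and the demo token is constructed with a placeholder signature purely so the parsing path runs offline. Signature verification against the pool's JWKS is assumed to be done by the caller before these claim checks.

```python
import base64
import json
import time
from typing import List, Optional

# Assumed values for the example (not from the page).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_ExaMpLe12"
APP_CLIENT_ID = "1h57kf5cpq17m0eml12EXAMPLE"

# User pool tokens are issued by exactly this URL (one per pool, per region).
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Parse the payload of a compact JWT. This does NOT check the signature:
    verify the RS256 signature against the pool's JWKS (the 'kid' in the
    header selects the key) before trusting anything returned here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_cognito_claims(claims: dict, expected_use: str,
                         now: Optional[int] = None) -> List[str]:
    """Return the list of failed checks (empty list means the claims are acceptable).

    Checks the claims AWS documents for user pool tokens: issuer, token_use,
    the app client (carried in 'aud' for ID tokens and in 'client_id' for
    access tokens) and expiry. A token whose signature verifies but which
    fails any of these was minted by another pool or client, or for another
    purpose, and must be rejected.
    """
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    if claims.get("token_use") != expected_use:
        problems.append("wrong token_use")
    client_claim = "aud" if expected_use == "id" else "client_id"
    if claims.get(client_claim) != APP_CLIENT_ID:
        problems.append(f"{client_claim} mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        problems.append("expired or missing exp")
    return problems


def make_unsigned_demo_token(claims: dict) -> str:
    """Constructed test token with a placeholder signature, only so the
    parsing path can be exercised offline. Never accept such a token."""
    header = {"alg": "RS256", "kid": "demo-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     "placeholder-signature"])


if __name__ == "__main__":
    now = 1_700_000_000
    good = {"iss": EXPECTED_ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
            "sub": "1234abcd-0000-0000-0000-000000000000", "exp": now + 3600}
    token = make_unsigned_demo_token(good)
    print(check_cognito_claims(decode_claims(token), "id", now))      # []
    # The same ID token presented to an endpoint that wants an access token:
    print(check_cognito_claims(decode_claims(token), "access", now))  # ['wrong token_use', 'client_id mismatch']
```

The token_use check is the one most often skipped: an ID token and an access token from the same pool share issuer and signing key, so without it a client could present whichever one it holds to whichever endpoint it likes.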
To manage access control to our AWS infrastructure we can use a service called Amazon Cognito Identity Pools. This service decides if our previously authenticated user has access to the resources they are trying to connect to.
Identity Pools can have different authentication providers (like Cognito User Pools, Facebook, Google etc.).
The Identity Pool is a way to authorize your users to use the various AWS services.
To create these levels of access, the Identity Pool has its own concept of an identity (or user). Why? Because it needs to federate them: the source of these identities could be a Cognito User Pool, or even Facebook or Google, and the Identity Pool maps each of them to a single Cognito identity ID.
A Cognito Identity Pool has IAM roles attached to it (one for authenticated identities and, optionally, one for unauthenticated guests). The policies on a role define the list of resources a user who assumes it is allowed to access; each resource is identified by an ARN (Amazon Resource Name). The unauthenticated role, if enabled, is handed to anyone who can call the pool with its ID (which ships inside the client app), so it must grant as little as possible.
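What the role attached to an Identity Pool actually contains is two documents: a trust policy saying who may assume the role, and a permissions policy listing resources by ARN. The added example below (not code from the page or from AWS; the pool ID, bucket name and identity IDs are assumed placeholders) shows the trust policy pinned to one pool and to authenticated logins, and a weak permissions policy beside a scoped one that uses the policy variable ${cognito-identity.amazonaws.com:sub} so each user only reaches their own S3 prefix. The is_allowed function is a deliberately simplified model of IAM evaluation (variable substitution, wildcard matching, explicit deny wins), written here only to make the difference between the two policies visible; it is not how IAM itself is implemented.

```python
import fnmatch
import json

# Assumed identifiers for the example (not from the page).
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
BUCKET = "example-app-user-data"
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"


def trust_policy(identity_pool_id: str) -> dict:
    """Trust policy for the authenticated role of an Identity Pool.

    Only identities minted by this specific pool (the aud condition), and
    only those that logged in through a provider (amr contains
    "authenticated"), may assume the role. Without the aud condition an
    identity pool in any AWS account could hand out this role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


# Weak: every authenticated user can read and write every other user's objects.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/private/*",
    }],
}

# Scoped: the policy variable expands to the caller's own Cognito identity ID,
# so each user can only touch the prefix named after that ID.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/private/{SUB_VAR}/*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, identity_id: str, action: str, resource_arn: str) -> bool:
    """Simplified IAM evaluation: substitute the Cognito identity variable,
    then match Action and Resource with '*' wildcards; an explicit Deny wins
    over any Allow. Conditions, NotAction/NotResource, resource policies and
    permission boundaries are out of scope for this model."""
    decision = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = [r.replace(SUB_VAR, identity_id) for r in _as_list(stmt.get("Resource", []))]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    alice = "us-east-1:aaaaaaaa-0000-0000-0000-000000000001"
    bob = "us-east-1:bbbbbbbb-0000-0000-0000-000000000002"
    bobs_file = f"arn:aws:s3:::{BUCKET}/private/{bob}/notes.txt"
    print(json.dumps(trust_policy(IDENTITY_POOL_ID), indent=2))
    print("weak   : alice reads bob's file ->", is_allowed(WEAK_POLICY, alice, "s3:GetObject", bobs_file))
    print("scoped : alice reads bob's file ->", is_allowed(SCOPED_POLICY, alice, "s3:GetObject", bobs_file))
```

The identity ID in the variable is the Identity Pool's own identifier for the federated user, which is exactly why the Identity Pool needs its own notion of identity: the same policy works whether the user arrived from a User Pool or from Facebook or Google.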
An IAM user identifies an entity (a person or an application) and manages its access to the resources in your AWS account. Such an entity can interact with your account's resources via the API, the CLI or the web UI (console).
A Cognito user is different: the user does not need to be represented as a resource in your AWS account, so they do not need an ARN.