Amazon Cognito vs AWS IAM: What are the differences?
Developers describe Amazon Cognito as "Securely manage and synchronize app data for your users across their mobile devices". You can create unique identities for your users through a number of public login providers (Amazon, Facebook, and Google) and also support unauthenticated guests. You can save app data locally on users’ devices allowing your applications to work even when the devices are offline. On the other hand, AWS IAM is detailed as "Securely control access to AWS services and resources for your users". AWS Identity and Access Management.
Amazon Cognito and AWS IAM are primarily classified as "User Management and Authentication" and "Cloud Access Management" tools respectively.
Some of the features offered by Amazon Cognito are:
- Manage Unique Identities
- Work Offline
- Store and Sync across Devices
On the other hand, AWS IAM provides the following key features:
- Manage IAM users and their access - You can create users in IAM, assign them individual security credentials (i.e., access keys, passwords, and Multi-Factor Authentication devices) or request temporary security credentials to provide users access to AWS services and resources.
- Manage IAM roles and their permissions - You can create roles in IAM, and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role. You can also define which entity is allowed to assume the role.
- Manage federated users and their permissions - You can enable identity federation to allow existing identities (e.g. users) from your corporate directory or from a 3rd party such as Login with Amazon, Facebook, and Google to access the AWS Management Console, to call AWS APIs, and to access resources, without the need to create an IAM user for each identity.
"Backed by Amazon" is the top reason why over 11 developers like Amazon Cognito, while over 21 developers mention "Centralized powerful permissions based access" as the leading cause for choosing AWS IAM.
According to the StackShare community, AWS IAM has a broader approval, being mentioned in 133 company stacks & 50 developers stacks; compared to Amazon Cognito, which is listed in 41 company stacks and 13 developer stacks.
I started our team on Amazon Cognito because I was a Solutions Architect at AWS and found it really easy to follow the tutorials and get a basic app up and running with it.
When our team started working with it, they very quickly became frustrated because of the poor documentation. After 4 days of trying to get all the basic passwordless auth working, our lead engineer made the decision to abandon it and try Auth0... and managed to get everything implemented in 4 hours.
The consensus was that Cognito just isn't mature enough or well-documented, and that the implementation does not cater for real world use cases the way that it should. I believe Amplify has made some of this simpler, but I would still recommend Auth0 as it's been bulletproof for us, and is a sensible price.