5.1.1. Identity Solutions (IAM Identity Center, Cognito, MFA)
First Principle: Different identity consumers — humans, customer-facing applications, and system integrations — require different authentication mechanisms. Using the wrong mechanism for the context creates either security gaps or unnecessary friction.
AWS IAM Identity Center (successor to AWS SSO):
- Purpose: Centralized human access to AWS accounts and cloud applications
- How it works: Users authenticate once through Identity Center, then access any assigned AWS account or application via permission sets
- Identity sources: Built-in directory, Active Directory (AD Connector or AWS Managed AD), or external IdP (Okta, Azure AD) via SAML 2.0
- Permission sets: Define what users can do in each account — map to IAM roles created automatically in target accounts
- Best for: employee access to AWS console and CLI across multi-account environments
Amazon Cognito:
- Purpose: Authentication for external users (customers, mobile app users, web app users)
- User Pools: User directory with sign-up, sign-in, and MFA. Issues JWT tokens.
- Identity Pools: Exchange tokens for temporary AWS credentials (IAM roles). Supports federation with social IdPs (Google, Apple, Facebook) or SAML IdPs.
- Best for: customer-facing applications where you can't use IAM Identity Center
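Cognito User Pools hand the application a JWT, and the usual application-side mistake is to decode that token without validating it. The following example is added here for this section (it is not Cognito SDK code or the page's own code) and shows the checks a resource server must make before trusting a User Pool token: the `alg` is pinned to RS256, the signing key is looked up by `kid` in the pool's JWKS, the signature is verified, and then `iss`, `token_use`, `aud` (ID token) or `client_id` (access token) and `exp` are checked. The region, pool id, app client id and RSA key pair are constructed demo values; the key is built from two Mersenne primes so the block runs offline, which is enough to exercise the verifier but is not a real key.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def int_to_bytes(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


# Constructed demo RSA key pair: the modulus is a product of two Mersenne primes, so it is
# trivially factorable and exists only so the verifier can be exercised offline. A real User
# Pool publishes its keys at https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json
DEMO_P = (1 << 127) - 1
DEMO_Q = (1 << 521) - 1
DEMO_N = DEMO_P * DEMO_Q
DEMO_E = 65537
DEMO_D = pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))
DEMO_KID = "demo-key-1"
DEMO_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": DEMO_KID,
                       "n": b64url_encode(int_to_bytes(DEMO_N)),
                       "e": b64url_encode(int_to_bytes(DEMO_E))}]}

# DER prefix of the SHA-256 DigestInfo used by PKCS#1 v1.5 signatures (RFC 8017, section 9.2)
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def pkcs1_v15_encode(message: bytes, key_len: int) -> bytes:
    digest = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (key_len - len(digest) - 3) + b"\x00" + digest


def rs256_verify(signing_input: bytes, signature: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256: recover EM with the public key and compare in constant time."""
    key_len = (n.bit_length() + 7) // 8
    if len(signature) != key_len:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(key_len, "big")
    return hmac.compare_digest(recovered, pkcs1_v15_encode(signing_input, key_len))


def demo_issue_token(claims: dict) -> str:
    """Sign claims with the demo key so the verifier has something shaped like a User Pool token."""
    header = {"alg": "RS256", "kid": DEMO_KID}
    signing_input = ".".join(b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    key_len = (DEMO_N.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1_v15_encode(signing_input.encode(), key_len), "big")
    signature = pow(em, DEMO_D, DEMO_N).to_bytes(key_len, "big")
    return signing_input + "." + b64url_encode(signature)


def verify_cognito_token(token, jwks, region, user_pool_id, client_id, token_use="id", now=None):
    """Return the claims of a valid User Pool token, or raise TokenError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("header and payload must be JSON objects")
    except ValueError as exc:
        raise TokenError(f"malformed token: {exc}")
    # Pin the algorithm: the token must never get to choose "none" or an HMAC variant.
    if header.get("alg") != "RS256":
        raise TokenError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise TokenError("unknown kid")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    if not rs256_verify(f"{header_b64}.{payload_b64}".encode(), signature, n, e):
        raise TokenError("bad signature")
    # Claim checks: issuer, token type, intended app client and expiry must all match.
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise TokenError("wrong issuer")
    if claims.get("token_use") != token_use:
        raise TokenError("wrong token_use")
    audience = claims.get("aud") if token_use == "id" else claims.get("client_id")
    if audience != client_id:
        raise TokenError("token issued for a different app client")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise TokenError("token expired")
    return claims
```

In production the JWKS comes from the pool's `.well-known/jwks.json` URL; fetch it once, cache it, and refresh on an unknown `kid`. The verifier takes the JWKS as a dict so that the fetch stays outside the trust logic and the same function can be tested offline.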
Multi-Factor Authentication (MFA):
- Virtual MFA: TOTP apps (Authenticator apps) — most common, lowest cost
- Hardware MFA: Physical token devices — recommended for the root account
- FIDO2 Security Keys: Phishing-resistant hardware keys (YubiKey) — strongest MFA
- Passkeys: Built-in FIDO2 support using device biometrics — newest option
When to Use Which:
| Identity Consumer | Solution | MFA Approach |
|---|---|---|
| Employees accessing AWS | IAM Identity Center | Required, FIDO2 preferred |
| Application end-users | Cognito User Pools | Adaptive (risk-based) |
| Service-to-service | IAM Roles (no human auth) | N/A |
| Root account | IAM (dedicated) | Hardware MFA required |
⚠️ Exam Trap: IAM Identity Center is for human workforce access. Cognito is for external application users. If a question describes "employees accessing multiple AWS accounts," the answer is Identity Center, not Cognito.
Scenario: A company migrating from on-premises Active Directory needs employees to access 50 AWS accounts without creating IAM users. They deploy IAM Identity Center connected to their AD via AD Connector, create permission sets for each role type (admin, developer, auditor), and require FIDO2 MFA.
Reflection Question: Why does AWS recommend IAM Identity Center over creating IAM users in each account, and what security properties does federation provide that per-account users don't?