I understand that you’ll want to use STS if you have your own identity broker and want to authenticate (and federate) users to AWS, but what bothers me is that you also gave the option to use STS when dealing with web identities like Facebook, LinkedIn, etc., so I’m unsure where one draws the line between using STS and Cognito for web identities. (I understand why we’d use STS for on-premise situations like AD.)
They are similar services and both support authentication using third-party providers; however, the main thing to remember is that if you are working on a mobile application, or you need to sync user data across different mobile devices, then Cognito is the way to go.
Here is the official explanation from the AWS documentation:
AWS STS Web identity federation – enables you to let users sign in using a third-party identity provider (Amazon, Facebook, Google, or any OpenID Connect (OIDC) 2.0 compatible provider).
You can exchange the credentials from that provider for temporary permissions to use resources in your AWS account. This is known as the web identity federation approach to temporary access and helps you keep your AWS account secure, because you don’t have to distribute long-term security credentials, such as IAM user access keys, with your application.
When to use Cognito?
For mobile applications, AWS recommends that you use Cognito. You can use this service with the AWS Mobile SDK for iOS and the AWS Mobile SDK for Android and Fire OS to create unique identities for users and authenticate them for secure access to your AWS resources.
Amazon Cognito supports the same identity providers as AWS STS, however, it also supports unauthenticated (guest) access and lets you migrate user data when a user signs in. Amazon Cognito also provides API operations for synchronizing user data so that it is preserved as users move between devices.
Hope that helps,
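One place the line between the two approaches becomes concrete is the IAM role trust policy, so here is an added example (my own code, not from the answer above or from AWS): it builds the trust policy a role needs when the app calls sts:AssumeRoleWithWebIdentity directly with a Google/OIDC token, next to the one Cognito generates for an identity pool, and runs a small audit over both. The audit flags the mistake practitioners most often make, a Federated principal with no audience condition, which lets any valid token from that provider (issued for anyone's app) assume the role, and it also calls out Cognito roles reachable by guest identities. The client ID and identity pool ID are constructed placeholders.

```python
"""Added example, not part of the original thread.

Builds the IAM trust policies for the two web identity federation approaches
(direct STS vs a Cognito identity pool) and audits them for missing audience
restrictions and guest access. Sample identifiers below are constructed."""
import json
from typing import List, Optional

# Constructed placeholders; replace with your own provider client ID and pool ID.
GOOGLE_CLIENT_ID = "123456789012-example.apps.googleusercontent.com"
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"


def web_identity_trust_policy(provider: str, audience: Optional[str]) -> dict:
    """Trust policy for a role assumed directly via sts:AssumeRoleWithWebIdentity.

    `provider` is the issuer host IAM uses as the federated principal
    (accounts.google.com here; Facebook and Login with Amazon use
    graph.facebook.com / www.amazon.com and the `:app_id` condition key instead
    of `:aud`). `audience` is the client ID the token must have been issued for."""
    statement = {
        "Effect": "Allow",
        "Principal": {"Federated": provider},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }
    if audience is not None:
        # Without this condition any valid token from the provider, issued to any
        # application, can assume the role (a confused-deputy problem).
        statement["Condition"] = {"StringEquals": {f"{provider}:aud": audience}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def cognito_trust_policy(identity_pool_id: str, authenticated: bool) -> dict:
    """Trust policy for a Cognito identity pool role.

    Cognito, not the social provider, is the federated principal; the pool ID is
    the audience and the `amr` claim separates authenticated users from guests."""
    statement = {
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
            "ForAnyValue:StringLike": {
                "cognito-identity.amazonaws.com:amr": "authenticated" if authenticated else "unauthenticated"
            },
        },
    }
    return {"Version": "2012-10-17", "Statement": [statement]}


def audit_trust_policy(policy: dict) -> List[str]:
    """Return findings for Allow statements with a Federated principal that lack
    an audience/app ID restriction, or that admit unauthenticated identities."""
    findings = []
    for stmt in policy.get("Statement", []):
        federated = stmt.get("Principal", {}).get("Federated")
        if not federated or stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        # Collect every condition key that pins the token's audience or app ID.
        aud_keys = {
            key
            for block in cond.values()
            for key in block
            if key.endswith(":aud") or key.endswith(":app_id")
        }
        if not any(key.startswith(federated + ":") for key in aud_keys):
            findings.append(
                f"{federated}: no audience/app ID condition; any token from this provider can assume the role"
            )
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr == "unauthenticated":
            findings.append(f"{federated}: role is reachable by guest (unauthenticated) identities")
    return findings


if __name__ == "__main__":
    for label, policy in [
        ("STS web identity, Google, with audience", web_identity_trust_policy("accounts.google.com", GOOGLE_CLIENT_ID)),
        ("STS web identity, Google, NO audience", web_identity_trust_policy("accounts.google.com", None)),
        ("Cognito authenticated role", cognito_trust_policy(IDENTITY_POOL_ID, True)),
        ("Cognito unauthenticated role", cognito_trust_policy(IDENTITY_POOL_ID, False)),
    ]:
        print(f"== {label}")
        print(json.dumps(policy, indent=2))
        print("findings:", audit_trust_policy(policy) or "none")
```

The credential exchange itself differs the same way: with the STS approach the app sends the provider's token straight to STS (boto3 `sts.assume_role_with_web_identity`, passing the role ARN, a session name and the token), so the app has to know the role ARN and the provider's condition key, and you write the broker logic yourself. With Cognito the app calls `cognito-identity.get_id` with the provider login and then `get_credentials_for_identity`, and the pool picks the authenticated or unauthenticated role for you; the second audit finding above is the reminder that a guest role should carry only the permissions you would hand to an anonymous user.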
I believe using Cognito also prevents you from having to write the code for the Identity Broker service in the STS model.