
Different levels of access for AWS Cognito

I'm trying to build a web app that can be accessed by any user that signs up with facebook. I want to use AWS Cognito to speed up the development for users management.

It has to have 3 types of users:

Can someone please point me in the right direction? I've set up an AWS Cognito Identity Pool, but I'm not sure whether I also have to set up a User Pool, how I assign a different role or policy to a user to make him an admin or editor (different access levels for other AWS resources), whether I can get the user list from Cognito in my web app (only for an authenticated admin), and how I allow him to modify other users' roles.

Some tutorial, documentation or at least a short description of how can I do this would help me a lot.

Optional: let users sign up not only with Facebook but also with email/password, and have the same functionality.


  • You should be able to use the 'Role Based Access Control' feature of Cognito federated identities. This is the relevant part of the doc:

    If you are only using Facebook, you can use the Facebook sub to assign the appropriate role.

    If you are using username- and password-based sign-in with a user pool, you can use group support, create an editors group and assign the appropriate permissions.

    Instead of managing administrators with federated identities or a user pool, using an IAM user directly will probably be a better idea. This IAM user would have full permission to modify/add identity pool rules or user pool groups.
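The two mapping styles the answer describes, as an added example that is not part of the original answer: a rules-based `RoleMappings` entry keyed on the Facebook `sub`, a token-based entry for a user pool whose groups carry the editor role, and a small local evaluator that mirrors how a rules mapping resolves (first match wins, otherwise `AmbiguousRoleResolution` decides). The returned dicts are in the shape of the `RoleMappings` parameter of the Cognito Identity `SetIdentityPoolRoles` API; the role ARNs, Facebook sub, region and pool/client ids are constructed placeholders.

```python
from typing import Dict, Iterable, Optional

# Constructed placeholders (not from the post): swap in your own account values.
EDITOR_ROLE = "arn:aws:iam::123456789012:role/CognitoEditorRole"
USER_ROLE = "arn:aws:iam::123456789012:role/CognitoUserRole"  # pool's default authenticated role
EDITOR_SUB = "10158000000000001"  # Facebook 'sub' of one known editor (constructed)
FACEBOOK = "graph.facebook.com"


def facebook_rule_mapping(editor_subs: Iterable[str], editor_role: str,
                          unmatched: str = "AuthenticatedRole") -> Dict[str, dict]:
    """Rules-type RoleMappings entry for the Facebook provider.

    Each listed Facebook sub is pinned to the editor role. Identities matching no
    rule are handled by AmbiguousRoleResolution: 'AuthenticatedRole' gives them
    the pool's default authenticated role, 'Deny' refuses credentials altogether.
    Cognito caps rules at 25 per provider, so this fits a short explicit editor list.
    """
    rules = [{"Claim": "sub", "MatchType": "Equals", "Value": sub, "RoleARN": editor_role}
             for sub in editor_subs]
    return {FACEBOOK: {"Type": "Rules", "AmbiguousRoleResolution": unmatched,
                       "RulesConfiguration": {"Rules": rules}}}


def user_pool_token_mapping(region: str, pool_id: str, client_id: str) -> Dict[str, dict]:
    """Token-type entry for a user pool: the role comes from the user's group
    (cognito:preferred_role / cognito:roles claims), so making someone an editor
    is just adding them to the 'editors' group. Users in no mapped group are denied."""
    key = f"cognito-idp.{region}.amazonaws.com/{pool_id}:{client_id}"
    return {key: {"Type": "Token", "AmbiguousRoleResolution": "Deny"}}


def resolve_role(mapping: Dict[str, dict], provider: str, claims: Dict[str, str],
                 authenticated_role: str) -> Optional[str]:
    """Locally mirror Cognito's Rules evaluation: the first matching rule wins and a
    miss falls through to AmbiguousRoleResolution. None means access is denied."""
    cfg = mapping[provider]
    for rule in cfg["RulesConfiguration"]["Rules"]:
        value = claims.get(rule["Claim"])
        if value is None:
            continue
        kind, expected = rule["MatchType"], rule["Value"]
        if ((kind == "Equals" and value == expected)
                or (kind == "NotEqual" and value != expected)
                or (kind == "StartsWith" and value.startswith(expected))
                or (kind == "Contains" and expected in value)):
            return rule["RoleARN"]
    return authenticated_role if cfg["AmbiguousRoleResolution"] == "AuthenticatedRole" else None
```

Running `resolve_role` against your intended mapping before calling the API shows exactly which role an unknown Facebook identity would receive, which is where an over-broad default role is easiest to catch.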