Amazon Cognito - used by web and mobile applications to create user pools and identity pools; acts as an identity broker between the app and the identity providers
User pool - user directory for sign-up & sign-in of app users (can also use social identity providers such as Facebook and Google); issues JWTs (ID/access/refresh tokens) to the app, not AWS credentials
Identity pool - grants limited, temporary access to AWS services: exchanges the user's token for temporary credentials of an IAM role (like assuming an IAM role; uses STS AssumeRoleWithWebIdentity under the hood)
<aside> 💡 need to set up a trust relationship: the IAM role the identity pool hands out must trust cognito-identity.amazonaws.com, and its trust policy should be pinned to that specific identity pool (aud condition) and to authenticated identities (amr condition), otherwise a token from another pool, or from a guest identity, can assume the role
</aside>
SAML 2.0 federation - supports ADFS & Microsoft Active Directory; gives federated users CLI, API and Console access; uses STS AssumeRoleWithSAML
Custom identity broker - on-premises identity broker connected to AWS (the broker authenticates users itself, then calls STS for temporary credentials)
not recommended - use Cognito (or SAML federation when the IdP supports SAML 2.0)
can limit user actions using the IAM policy attached to the assumed role (policy variables such as ${cognito-identity.amazonaws.com:sub} scope each user to their own resources)
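Added example, not part of the original notes, tying together the trust relationship from the aside, the SAML federation line and the "limit user actions with an IAM policy" point: it builds the three policies a practitioner actually writes (identity-pool trust policy, SAML trust policy, per-user permissions policy) and runs a small check that flags trust policies missing the audience/amr conditions. The account ID, identity pool ID, SAML provider name and bucket are made-up placeholders; `check_trust_policy` and `weakened` are illustrative helpers, not AWS APIs.

```python
"""Federated-access policy examples for Cognito identity pools and SAML.

Added example; the identifiers below are constructed placeholders.
"""
import json

ACCOUNT_ID = "123456789012"                                   # placeholder
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"  # placeholder
SAML_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/ADFS"  # placeholder
BUCKET = "example-user-data"                                  # placeholder

# Trust policy for the role the identity pool hands to *authenticated* users.
# aud pins the role to this pool (a token from any other pool is refused);
# amr pins it to logged-in identities (guest identities get a separate role).
COGNITO_AUTH_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}

# Trust policy for SAML federation (ADFS / Active Directory): the SAML provider
# is the principal and the assertion audience is pinned to the AWS sign-in URL.
SAML_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

# Permissions policy on the authenticated role: the policy variable
# ${cognito-identity.amazonaws.com:sub} is the caller's identity ID, so each
# user can only list and read/write objects under their own prefix.
PER_USER_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringLike": {"s3:prefix": ["${cognito-identity.amazonaws.com:sub}/*"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/${{cognito-identity.amazonaws.com:sub}}/*",
        },
    ],
}

# Audience condition key each federated assume action must carry.
REQUIRED_AUD_KEY = {
    "sts:AssumeRoleWithWebIdentity": "cognito-identity.amazonaws.com:aud",
    "sts:AssumeRoleWithSAML": "SAML:aud",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return findings for federated Allow statements; empty list means all are pinned."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Federated" not in stmt.get("Principal", {}):
            continue
        # Collect condition keys across all operators (StringEquals, ForAnyValue:..., ...).
        keys = {k for operator in stmt.get("Condition", {}).values() for k in operator}
        for action in _as_list(stmt.get("Action", [])):
            aud_key = REQUIRED_AUD_KEY.get(action)
            if aud_key and aud_key not in keys:
                findings.append(f"{action}: no {aud_key} condition, any federated caller can assume the role")
            if action == "sts:AssumeRoleWithWebIdentity" and "cognito-identity.amazonaws.com:amr" not in keys:
                findings.append(f"{action}: no amr condition, guest identities of the pool can assume the role")
    return findings


def weakened(policy):
    """Copy of a policy with its Conditions removed: the shape of a 'just make it work' fix."""
    weak = json.loads(json.dumps(policy))
    for stmt in weak["Statement"]:
        stmt.pop("Condition", None)
    return weak


if __name__ == "__main__":
    for name, pol in [("cognito", COGNITO_AUTH_TRUST), ("saml", SAML_TRUST),
                      ("cognito-without-conditions", weakened(COGNITO_AUTH_TRUST))]:
        print(name, check_trust_policy(pol) or "ok")
```

Run it as a script to see the two pinned policies pass and the condition-stripped copy flagged twice; the same check can be pointed at `aws iam get-role` output before a role is wired into an identity pool.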