Amazon Cognito
Developer Guide (Version Last Updated: 08/26/2017)

Resource Permissions

This article covers restricting access to Amazon Cognito resources via IAM. If you are trying to define access permissions for your application's users, see Federated Identities Concepts for further details.

Amazon Resource Names (ARNs)

ARNs for Amazon Cognito Federated Identities

In Amazon Cognito Federated Identities, it is possible to restrict an IAM user's access to a specific identity pool, using the Amazon Resource Name (ARN) format, as in the following example. For more information about ARNs, see IAM Identifiers.

arn:aws:cognito-identity:REGION:ACCOUNT_ID:identitypool/IDENTITY_POOL_ID

ARNs for Amazon Cognito Sync

In Amazon Cognito Sync, customers can also restrict access by the identity pool ID, identity ID, and dataset name.

For APIs that operate on an identity pool, the identity pool ARN format is the same as for Amazon Cognito Federated Identities, except that the service name is cognito-sync instead of cognito-identity:

arn:aws:cognito-sync:REGION:ACCOUNT_ID:identitypool/IDENTITY_POOL_ID

For APIs that operate on a single identity, such as RegisterDevice, you can refer to the individual identity by the following ARN format:

arn:aws:cognito-sync:REGION:ACCOUNT_ID:identitypool/IDENTITY_POOL_ID/identity/IDENTITY_ID

For APIs that operate on datasets, such as UpdateRecords and ListRecords, you can refer to the individual dataset using the following ARN format:

arn:aws:cognito-sync:REGION:ACCOUNT_ID:identitypool/IDENTITY_POOL_ID/identity/IDENTITY_ID/dataset/DATASET_NAME

ARNs for Amazon Cognito Your User Pools

For Amazon Cognito Your User Pools, it is possible to restrict an IAM user's access to a specific user pool, using the following ARN format:

arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/USER_POOL_ID

Example Policies

Restricting Console Access to a Specific Identity Pool

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-identity:ListIdentityPools"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cognito-identity:*"
      ],
      "Resource": "arn:aws:cognito-identity:us-east-1:0123456789:identitypool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cognito-sync:*"
      ],
      "Resource": "arn:aws:cognito-sync:us-east-1:0123456789:identitypool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678"
    }
  ]
}

Allowing Access to Specific Dataset for All Identities in a Pool

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-sync:ListRecords",
        "cognito-sync:UpdateRecords"
      ],
      "Resource": "arn:aws:cognito-sync:us-east-1:0123456789:identitypool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678/identity/*/dataset/UserProfile"
    }
  ]
}
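To see how the ARN hierarchy above and the dataset policy interact, the following added example (not part of the AWS guide) builds Cognito Sync dataset ARNs from their components and evaluates the page's UserProfile policy against them with IAM-style wildcard matching. The identity IDs and the second dataset name are constructed sample values.

```python
import re

# The "Allowing Access to Specific Dataset for All Identities in a Pool"
# policy from the page, as a Python dict.
DATASET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["cognito-sync:ListRecords", "cognito-sync:UpdateRecords"],
            "Resource": "arn:aws:cognito-sync:us-east-1:0123456789:identitypool/"
                        "us-east-1:1a1a1a1a-ffff-1111-9999-12345678/identity/*/dataset/UserProfile",
        }
    ],
}


def dataset_arn(region, account_id, pool_id, identity_id, dataset_name):
    """Build a Cognito Sync dataset ARN from its components (format from the page)."""
    return (f"arn:aws:cognito-sync:{region}:{account_id}:identitypool/{pool_id}"
            f"/identity/{identity_id}/dataset/{dataset_name}")


def _iam_match(pattern, value, case_sensitive):
    """IAM-style wildcard match: '*' matches any run of characters (including '/'),
    '?' matches exactly one character; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource):
    """Evaluate one identity-based policy for a request: an explicit Deny wins,
    otherwise any matching Allow grants, otherwise the request is implicitly denied.
    Action names compare case-insensitively and resource ARNs case-sensitively, as in IAM."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_iam_match(a, action, False) for a in _as_list(stmt["Action"]))
        resource_hit = any(_iam_match(r, resource, True) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

The policy grants ListRecords/UpdateRecords on the UserProfile dataset of every identity in the pool, but nothing on other datasets, other pools, or other Cognito Sync actions.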

Managed Policies

A number of policies are available via the IAM Console that customers can use to grant access to Amazon Cognito:

  • AmazonCognitoPowerUser - Permissions for accessing and managing all aspects of your identity pools.

  • AmazonCognitoReadOnly - Permissions for read-only access to your identity pools.

  • AmazonCognitoDeveloperAuthenticatedIdentities - Permissions for your authentication system to integrate with Amazon Cognito.

These policies are maintained by the Amazon Cognito team, so even as new APIs are added, your IAM users will continue to have the same level of access.

Note

Because creating a new identity pool also requires creating IAM roles, any IAM user that you want to be able to create new identity pools must also have the admin policy applied.

Signed versus Unsigned APIs

APIs that are signed with AWS credentials can be restricted via an IAM policy. The following Cognito APIs are unsigned, and therefore cannot be restricted via an IAM policy:

Amazon Cognito Federated Identities

  • GetId

  • GetOpenIdToken

  • GetCredentialsForIdentity

  • UnlinkIdentity

Amazon Cognito Your User Pools

  • ChangePassword

  • ConfirmDevice

  • ConfirmForgotPassword

  • ConfirmSignUp

  • DeleteUser

  • DeleteUserAttributes

  • ForgetDevice

  • ForgotPassword

  • GetDevice

  • GetUser

  • GetUserAttributeVerificationCode

  • GlobalSignOut

  • InitiateAuth

  • ListDevices

  • ResendConfirmationCode

  • RespondToAuthChallenge

  • SetUserSettings

  • SignUp

  • UpdateDeviceStatus

  • UpdateUserAttributes

  • VerifyUserAttribute