AWS::Cognito::UserPool
The AWS::Cognito::UserPool
resource creates an Amazon Cognito user pool. For
more information on working with Amazon Cognito user pools, see Amazon Cognito User
Pools and CreateUserPool.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Cognito::UserPool", "Properties" : { "AccountRecoverySetting" :
AccountRecoverySetting
, "AdminCreateUserConfig" :AdminCreateUserConfig
, "AliasAttributes" :[ String, ... ]
, "AutoVerifiedAttributes" :[ String, ... ]
, "DeviceConfiguration" :DeviceConfiguration
, "EmailConfiguration" :EmailConfiguration
, "EmailVerificationMessage" :String
, "EmailVerificationSubject" :String
, "EnabledMfas" :[ String, ... ]
, "LambdaConfig" :LambdaConfig
, "MfaConfiguration" :String
, "Policies" :Policies
, "Schema" :[ SchemaAttribute, ... ]
, "SmsAuthenticationMessage" :String
, "SmsConfiguration" :SmsConfiguration
, "SmsVerificationMessage" :String
, "UsernameAttributes" :[ String, ... ]
, "UsernameConfiguration" :UsernameConfiguration
, "UserPoolAddOns" :UserPoolAddOns
, "UserPoolName" :String
, "UserPoolTags" :Json
, "VerificationMessageTemplate" :VerificationMessageTemplate
} }
YAML
Type: AWS::Cognito::UserPool Properties: AccountRecoverySetting:
AccountRecoverySetting
AdminCreateUserConfig:AdminCreateUserConfig
AliasAttributes:- String
AutoVerifiedAttributes:- String
DeviceConfiguration:DeviceConfiguration
EmailConfiguration:EmailConfiguration
EmailVerificationMessage:String
EmailVerificationSubject:String
EnabledMfas:- String
LambdaConfig:LambdaConfig
MfaConfiguration:String
Policies:Policies
Schema:- SchemaAttribute
SmsAuthenticationMessage:String
SmsConfiguration:SmsConfiguration
SmsVerificationMessage:String
UsernameAttributes:- String
UsernameConfiguration:UsernameConfiguration
UserPoolAddOns:UserPoolAddOns
UserPoolName:String
UserPoolTags:Json
VerificationMessageTemplate:VerificationMessageTemplate
Properties
AccountRecoverySetting
-
Use this setting to define which verified available method a user can use to recover their password when they call
ForgotPassword
. It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.Required: No
Type: AccountRecoverySetting
Update requires: No interruption
AdminCreateUserConfig
-
The configuration for creating a new user profile.
Required: No
Type: AdminCreateUserConfig
Update requires: No interruption
AliasAttributes
-
Attributes supported as an alias for this user pool. Possible values: phone_number, email, or preferred_username.
Note This user pool property cannot be updated.
Required: No
Type: List of String
Update requires: No interruption
AutoVerifiedAttributes
-
The attributes to be auto-verified. Possible values: email, phone_number.
Required: No
Type: List of String
Update requires: No interruption
DeviceConfiguration
-
The device configuration.
Required: No
Type: DeviceConfiguration
Update requires: No interruption
EmailConfiguration
-
The email configuration.
Required: No
Type: EmailConfiguration
Update requires: No interruption
EmailVerificationMessage
-
A string representing the email verification message. EmailVerificationMessage is allowed only if EmailSendingAccount is DEVELOPER.
Required: No
Type: String
Minimum:
6
Maximum:
20000
Pattern:
[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*\{####\}[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*
Update requires: No interruption
EmailVerificationSubject
-
A string representing the email verification subject. EmailVerificationSubject is allowed only if EmailSendingAccount is DEVELOPER.
Required: No
Type: String
Minimum:
1
Maximum:
140
Pattern:
[\p{L}\p{M}\p{S}\p{N}\p{P}\s]+
Update requires: No interruption
EnabledMfas
-
Enables MFA on a specified user pool. To disable all MFAs after it has been enabled, set MfaConfiguration to “OFF” and remove EnabledMfas. MFAs can only be all disabled if MfaConfiguration is OFF. Once SMS_MFA is enabled, SMS_MFA can only be disabled by setting MfaConfiguration to “OFF”. Can be one of the following values:
-
SMS_MFA
- Enables SMS MFA for the user pool. SMS_MFA can only be enabled if SMS configuration is provided. -
SOFTWARE_TOKEN_MFA
- Enables software token MFA for the user pool.
Allowed values:
SMS_MFA
|SOFTWARE_TOKEN_MFA
Required: No
Type: List of String
Update requires: No interruption
-
LambdaConfig
-
The Lambda trigger configuration information for the new user pool.
Note In a push model, event sources (such as Amazon S3 and custom applications) need permission to invoke a function. So you will need to make an extra call to add permission for these event sources to invoke your Lambda function.
For more information on using the Lambda API to add permission, see AddPermission .
For adding permission using the AWS CLI, see add-permission .
Required: No
Type: LambdaConfig
Update requires: No interruption
MfaConfiguration
-
The multi-factor (MFA) configuration. Valid values include:
-
OFF
MFA will not be used for any users. -
ON
MFA is required for all users to sign in. -
OPTIONAL
MFA will be required only for individual users who have an MFA factor enabled.
Required: No
Type: String
Allowed values:
OFF | ON | OPTIONAL
Update requires: No interruption
-
Policies
-
The policy associated with a user pool.
Required: No
Type: Policies
Update requires: No interruption
Schema
-
The schema attributes for the new user pool. These attributes can be standard or custom attributes.
Note During a user pool update, you can add new schema attributes but you cannot modify or delete an existing schema attribute.
Required: No
Type: List of SchemaAttribute
Maximum:
50
Update requires: No interruption
SmsAuthenticationMessage
-
A string representing the SMS authentication message.
Required: No
Type: String
Minimum:
6
Maximum:
140
Pattern:
.*\{####\}.*
Update requires: No interruption
SmsConfiguration
-
The SMS configuration.
Required: No
Type: SmsConfiguration
Update requires: No interruption
SmsVerificationMessage
-
A string representing the SMS verification message.
Required: No
Type: String
Minimum:
6
Maximum:
140
Pattern:
.*\{####\}.*
Update requires: No interruption
UsernameAttributes
-
Determines whether email addresses or phone numbers can be specified as user names when a user signs up. Possible values:
phone_number
oremail
.This user pool property cannot be updated.
Required: No
Type: List of String
Update requires: No interruption
UsernameConfiguration
-
You can choose to set case sensitivity on the username input for the selected sign-in option. For example, when this is set to
False
, users will be able to sign in using either "username" or "Username". This configuration is immutable once it has been set.Required: No
Type: UsernameConfiguration
Update requires: No interruption
UserPoolAddOns
-
Used to enable advanced security risk detection. Set the key
AdvancedSecurityMode
to the value "AUDIT".Required: No
Type: UserPoolAddOns
Update requires: No interruption
UserPoolName
-
A string used to name the user pool.
Required: No
Type: String
Minimum:
1
Maximum:
128
Pattern:
[\w\s+=,.@-]+
Update requires: No interruption
UserPoolTags
-
The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
Required: No
Type: Json
Update requires: No interruption
VerificationMessageTemplate
-
The template for the verification message that the user sees when the app requests permission to access the user's information.
Required: No
Type: VerificationMessageTemplate
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref
function, Ref
returns a generated ID, such as
us-east-2_zgaEXAMPLE
.
For more information about using the Ref
function, see Ref.
Fn::GetAtt
The Fn::GetAtt
intrinsic function returns a value for a specified attribute of this type. The following
are the available attributes and sample return values.
For more information about using the Fn::GetAtt
intrinsic function, see Fn::GetAtt.
Arn
-
The Amazon Resource Name (ARN) of the user pool, such as
arn:aws:cognito-idp:us-east-1:123412341234:userpool/us-east-1_123412341
. ProviderName
-
The provider name of the Amazon Cognito user pool, specified as a
String
. ProviderURL
-
The URL of the provider of the Amazon Cognito user pool, specified as a
String
.