AWS CloudFormation
User Guide (Version )

AWS::Cognito::UserPoolRiskConfigurationAttachment

The AWS::Cognito::UserPoolRiskConfigurationAttachment resource sets the risk configuration that is used for Amazon Cognito advanced security features.

You can specify risk configuration for a single client (with a specific clientId) or for all clients (by setting the clientId to ALL). If you specify ALL, the default configuration is used for every client that has had no risk configuration set previously. If you specify risk configuration for a particular client, it no longer falls back to the ALL configuration.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

Properties

AccountTakeoverRiskConfiguration

The account takeover risk configuration object including the NotifyConfiguration object and Actions to take in the case of an account takeover.

Required: No

Type: AccountTakeoverRiskConfigurationType

Update requires: No interruption

ClientId

The app client ID. You can specify the risk configuration for a single client (with a specific ClientId) or for all clients (by setting the ClientId to ALL).

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Pattern: [\w+]+

Update requires: Replacement

CompromisedCredentialsRiskConfiguration

The compromised credentials risk configuration object, including the EventFilter and the EventAction.

Required: No

Type: CompromisedCredentialsRiskConfigurationType

Update requires: No interruption

RiskExceptionConfiguration

The configuration to override the risk decision.

Required: No

Type: RiskExceptionConfigurationType

Update requires: No interruption

UserPoolId

The user pool ID.

Required: Yes

Type: String

Minimum: 1

Maximum: 55

Pattern: [\w-]+_[0-9a-zA-Z]+

Update requires: Replacement

Return Values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the physicalResourceId, which is "UserPoolRiskConfigurationAttachment-UserPoolId-ClientId". For example:

{ "Ref": "UserPoolRiskConfigurationAttachment-us-east-1_FAKEPOOLID-2asc123fakeclientidajjulj6bh" }

For the Amazon Cognito risk configuration attachment UserPoolRiskConfigurationAttachment-us-east-1_FAKEPOOLID-2asc123fakeclientidajjulj6bh, Ref returns the name of the risk configuration attachment.

For more information about using the Ref function, see Ref.

Examples

Creating a new risk configuration attachment for a user pool

The following example sets risk configurations in the referenced user pool and client.

JSON

{
  "UserPoolRiskConfiguration": {
    "Type": "AWS::Cognito::UserPoolRiskConfigurationAttachment",
    "Properties": {
      "UserPoolId": { "Ref": "UserPool" },
      "ClientId": { "Ref": "Client" },
      "AccountTakeoverRiskConfiguration": {
        "Actions": {
          "HighAction": {
            "EventAction": "MFA_REQUIRED",
            "Notify": true
          },
          "MediumAction": {
            "EventAction": "MFA_IF_CONFIGURED",
            "Notify": true
          },
          "LowAction": {
            "EventAction": { "Ref": "EventAction" },
            "Notify": false
          }
        },
        "NotifyConfiguration": {
          "BlockEmail": {
            "HtmlBody": "html body",
            "Subject": "Your account got blocked",
            "TextBody": "Your account got blocked"
          },
          "MfaEmail": {
            "HtmlBody": "html body",
            "Subject": "Your account needs MFA verification",
            "TextBody": "Your account needs MFA verification"
          },
          "NoActionEmail": {
            "HtmlBody": { "Ref": "HtmlBody" },
            "Subject": { "Ref": "Subject" },
            "TextBody": { "Ref": "TextBody" }
          },
          "From": "your-from-email@amazon.com",
          "SourceArn": { "Ref": "SourceArn" },
          "ReplyTo": "your-reply-to@amazon.com"
        }
      },
      "CompromisedCredentialsRiskConfiguration": {
        "Actions": {
          "EventAction": "BLOCKED"
        },
        "EventFilter": [
          { "Ref": "EventFilter" }
        ]
      },
      "RiskExceptionConfiguration": {
        "BlockedIPRangeList": [ "198.0.0.1" ],
        "SkippedIPRangeList": [ "198.0.0.1" ]
      }
    }
  }
}

YAML

UserPoolRiskConfiguration:
  Type: AWS::Cognito::UserPoolRiskConfigurationAttachment
  Properties:
    UserPoolId: !Ref UserPool
    ClientId: !Ref Client
    AccountTakeoverRiskConfiguration:
      Actions:
        HighAction:
          EventAction: "MFA_REQUIRED"
          Notify: True
        MediumAction:
          EventAction: "MFA_IF_CONFIGURED"
          Notify: True
        LowAction:
          EventAction: !Ref LowEventAction
          Notify: False
      NotifyConfiguration:
        BlockEmail:
          HtmlBody: "html body"
          Subject: "Your account got blocked"
          TextBody: "Your account got blocked"
        MfaEmail:
          HtmlBody: "html body"
          Subject: "Your account needs MFA verification"
          TextBody: "Your account needs MFA verification"
        NoActionEmail:
          HtmlBody: !Ref HtmlBody
          Subject: !Ref Subject
          TextBody: !Ref TextBody
        From: "your-from-email@amazon.com"
        SourceArn: !Ref SourceArn
        ReplyTo: "your-reply-to@amazon.com"
    CompromisedCredentialsRiskConfiguration:
      Actions:
        EventAction: "BLOCKED"
      EventFilter:
        - !Ref EventFilter
    RiskExceptionConfiguration:
      BlockedIPRangeList:
        - "198.0.0.1"
      SkippedIPRangeList:
        - "198.0.0.1"
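A template lint for the properties documented above, added here as an illustration and not part of the AWS documentation: it checks literal UserPoolId and ClientId values against the documented patterns and lengths, flags a HighAction of NO_ACTION (a documented account takeover event action the example above does not use), and flags an IP range that appears in both the blocked and skipped lists, as the example template does. The sample resource is constructed from the example with a placeholder pool ID; Ref intrinsics are skipped because they resolve only at deploy time.

```python
import re

# Property constraints as documented for this resource (pattern and length).
USER_POOL_ID_RE = re.compile(r"[\w-]+_[0-9a-zA-Z]+")
CLIENT_ID_RE = re.compile(r"[\w+]+")

def is_ref(value: object) -> bool:
    """A {"Ref": ...} intrinsic is resolved at deploy time and cannot be checked statically."""
    return isinstance(value, dict) and set(value) == {"Ref"}

def valid_id(value: object, pattern: re.Pattern, max_len: int) -> bool:
    """Literal IDs must satisfy the documented pattern and a 1..max_len length."""
    return isinstance(value, str) and 1 <= len(value) <= max_len and bool(pattern.fullmatch(value))

def lint_risk_attachment(resource: dict) -> list[str]:
    """Return findings for one AWS::Cognito::UserPoolRiskConfigurationAttachment resource."""
    findings = []
    props = resource.get("Properties", {})
    pool, client = props.get("UserPoolId"), props.get("ClientId")
    if not is_ref(pool) and not valid_id(pool, USER_POOL_ID_RE, 55):
        findings.append("UserPoolId does not match [\\w-]+_[0-9a-zA-Z]+ (1-55 chars)")
    if not is_ref(client) and not valid_id(client, CLIENT_ID_RE, 128):
        findings.append("ClientId does not match [\\w+]+ (1-128 chars)")
    # Account takeover: a HighAction of NO_ACTION leaves the riskiest sign-ins unchallenged.
    actions = props.get("AccountTakeoverRiskConfiguration", {}).get("Actions", {})
    if actions.get("HighAction", {}).get("EventAction") == "NO_ACTION":
        findings.append("HighAction is NO_ACTION: high-risk sign-ins are neither challenged nor blocked")
    # Risk exceptions: a range in both lists is contradictory and should be resolved explicitly.
    exc = props.get("RiskExceptionConfiguration", {})
    overlap = set(exc.get("BlockedIPRangeList", [])) & set(exc.get("SkippedIPRangeList", []))
    if overlap:
        findings.append(f"IP ranges listed as both blocked and skipped: {sorted(overlap)}")
    return findings

# Constructed sample: the page's example with literal IDs (placeholder pool ID), trimmed to the properties the lint inspects.
SAMPLE_RESOURCE = {
    "Type": "AWS::Cognito::UserPoolRiskConfigurationAttachment",
    "Properties": {
        "UserPoolId": "us-east-1_EXAMPLEPOOL",
        "ClientId": "2asc123fakeclientidajjulj6bh",
        "AccountTakeoverRiskConfiguration": {
            "Actions": {"HighAction": {"EventAction": "MFA_REQUIRED", "Notify": True}}
        },
        "RiskExceptionConfiguration": {
            "BlockedIPRangeList": ["198.0.0.1"],
            "SkippedIPRangeList": ["198.0.0.1"],
        },
    },
}
```

Running `lint_risk_attachment(SAMPLE_RESOURCE)` reports only the overlapping 198.0.0.1 entry; the IDs and the HighAction pass.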