Actions, resources, and condition keys for Amazon Cognito User Pools - Service Authorization Reference

Actions, resources, and condition keys for Amazon Cognito User Pools

Amazon Cognito User Pools (service prefix: cognito-idp) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Cognito User Pools

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddCustomAttributes Grants permission to add user attributes to the user pool schema Write

userpool*

AdminAddUserToGroup Grants permission to add any user to any group Write

userpool*

AdminConfirmSignUp Grants permission to confirm any user's registration without a confirmation code Write

userpool*

AdminCreateUser Grants permission to create new users and send welcome messages via email or SMS Write

userpool*

AdminDeleteUser Grants permission to delete any user Write

userpool*

AdminDeleteUserAttributes Grants permission to delete attributes from any user Write

userpool*

AdminDisableProviderForUser Grants permission to unlink any user pool user from a third-party identity provider (IdP) user Write

userpool*

AdminDisableUser Grants permission to deactivate any user Write

userpool*

AdminEnableUser Grants permission to activate any user Write

userpool*

AdminForgetDevice Grants permission to deregister any user's devices Write

userpool*

AdminGetDevice Grants permission to get information about any user's devices Read

userpool*

AdminGetUser Grants permission to look up any user by user name Read

userpool*

AdminInitiateAuth Grants permission to authenticate any user Write

userpool*

AdminLinkProviderForUser Grants permission to link any user pool user to a third-party IdP user Write

userpool*

AdminListDevices Grants permission to list any user's remembered devices List

userpool*

AdminListGroupsForUser Grants permission to list the groups that any user belongs to List

userpool*

AdminListUserAuthEvents Grants permission to lists sign-in events for any user Read

userpool*

AdminRemoveUserFromGroup Grants permission to remove any user from any group Write

userpool*

AdminResetUserPassword Grants permission to reset any user's password Write

userpool*

AdminRespondToAuthChallenge Grants permission to respond to an authentication challenge during the authentication of any user Write

userpool*

AdminSetUserMFAPreference Grants permission to set any user's preferred MFA method Write

userpool*

AdminSetUserPassword Grants permission to set any user's password Write

userpool*

AdminSetUserSettings Grants permission to set user settings for any user Write

userpool*

AdminUpdateAuthEventFeedback Grants permission to update advanced security feedback for any user's authentication event Write

userpool*

AdminUpdateDeviceStatus Grants permission to update the status of any user's remembered devices Write

userpool*

AdminUpdateUserAttributes Grants permission to updates any user's standard or custom attributes Write

userpool*

AdminUserGlobalSignOut Grants permission to sign out any user from all sessions Write

userpool*

AssociateSoftwareToken Grants permission to return a unique generated shared secret key code for the user Write
AssociateWebACL [permission only] Grants permission to associate the user pool with an AWS WAF web ACL Write

userpool*

webacl*

ChangePassword Grants permission to change the password for a specified user in a user pool Write
ConfirmDevice Grants permission to confirm tracking of the device. This API call is the call that begins device tracking Write
ConfirmForgotPassword Grants permission to allow a user to enter a confirmation code to reset a forgotten password Write
ConfirmSignUp Grants permission to confirm registration of a user and handles the existing alias from a previous user Write
CreateGroup Grants permission to create new user pool groups Write

userpool*

CreateIdentityProvider Grants permission to add identity providers to user pools Write

userpool*

CreateResourceServer Grants permission to create and configure scopes for OAuth 2.0 resource servers Write

userpool*

CreateUserImportJob Grants permission to create user CSV import jobs Write

userpool*

CreateUserPool Grants permission to create and set password policy for user pools Write

aws:RequestTag/${TagKey}

aws:TagKeys

aws:ResourceTag/${TagKey}

CreateUserPoolClient Grants permission to create user pool app clients Write

userpool*

CreateUserPoolDomain Grants permission to add user pool domains Write

userpool*

DeleteGroup Grants permission to delete any empty user pool group Write

userpool*

DeleteIdentityProvider Grants permission to delete any identity provider from user pools Write

userpool*

DeleteResourceServer Grants permission to delete any OAuth 2.0 resource server from user pools Write

userpool*

DeleteUser Grants permission to allow a user to delete one's self Write
DeleteUserAttributes Grants permission to delete the attributes for a user Write
DeleteUserPool Grants permission to delete user pools Write

userpool*

DeleteUserPoolClient Grants permission to delete any user pool app client Write

userpool*

DeleteUserPoolDomain Grants permission to delete any user pool domain Write

userpool*

DescribeIdentityProvider Grants permission to describe any user pool identity provider Read

userpool*

DescribeResourceServer Grants permission to describe any OAuth 2.0 resource server Read

userpool*

DescribeRiskConfiguration Grants permission to describe the risk configuration settings of user pools and app clients Read

userpool*

DescribeUserImportJob Grants permission to describe any user import job Read

userpool*

DescribeUserPool Grants permission to describe user pools Read

userpool*

DescribeUserPoolClient Grants permission to describe any user pool app client Read

userpool*

DescribeUserPoolDomain Grants permission to describe any user pool domain Read
DisassociateWebACL [permission only] Grants permission to disassociate the user pool with an AWS WAF web ACL Write

userpool*

ForgetDevice Grants permission to forget the specified device Write
ForgotPassword Grants permission to send a message to the end user with a confirmation code that is required to change the user's password Write
GetCSVHeader Grants permission to generate headers for a user import .csv file Read

userpool*

GetDevice Grants permission to get the device Read
GetGroup Grants permission to describe a user pool group Read

userpool*

GetIdentityProviderByIdentifier Grants permission to correlate a user pool IdP identifier to the IdP Name Read

userpool*

GetLogDeliveryConfiguration Grants permission to get the detailed activity logging configuration for a user pool Read

userpool*

GetSigningCertificate Grants permission to look up signing certificates for user pools Read

userpool*

GetUICustomization Grants permission to get UI customization information for the hosted UI of any app client Read

userpool*

GetUser Grants permission to get the user attributes and metadata for a user Read
GetUserAttributeVerificationCode Grants permission to get the user attribute verification code for the specified attribute name Read
GetUserPoolMfaConfig Grants permission to look up the MFA configuration of user pools Read

userpool*

GetWebACLForResource [permission only] Grants permission to get the AWS WAF web ACL that is associated with an Amazon Cognito user pool Read

userpool*

GlobalSignOut Grants permission to sign out users from all devices Write
InitiateAuth Grants permission to initiate the authentication flow Write
ListDevices Grants permission to list the devices List
ListGroups Grants permission to list all groups in user pools List

userpool*

ListIdentityProviders Grants permission to list all identity providers in user pools List

userpool*

ListResourceServers Grants permission to list all resource servers in user pools List

userpool*

ListResourcesForWebACL [permission only] Grants permission to list the user pools that are associated with an AWS WAF web ACL List

webacl*

ListTagsForResource Grants permission to list the tags that are assigned to an Amazon Cognito user pool List

userpool

ListUserImportJobs Grants permission to list all user import jobs List

userpool*

ListUserPoolClients Grants permission to list all app clients in user pools List

userpool*

ListUserPools Grants permission to list all user pools List
ListUsers Grants permission to list all user pool users List

userpool*

ListUsersInGroup Grants permission to list the users in any group List

userpool*

ResendConfirmationCode Grants permission to resend the confirmation (for confirmation of registration) to a specific user in the user pool Write
RespondToAuthChallenge Grants permission to respond to the authentication challenge Write
RevokeToken Grants permission to revoke all of the access tokens generated by the specified refresh token Write
SetLogDeliveryConfiguration Grants permission to set up or modify the detailed activity logging configuration of a user pool Write

userpool*

SetRiskConfiguration Grants permission to set risk configuration for user pools and app clients Write

userpool*

SetUICustomization Grants permission to customize the hosted UI for any app client Write

userpool*

SetUserMFAPreference Grants permission to set MFA preference for the user in the userpool Write
SetUserPoolMfaConfig Grants permission to set user pool MFA configuration Write

userpool*

SetUserSettings Grants permission to set the user settings like multi-factor authentication (MFA) Write
SignUp Grants permission to register the user in the specified user pool and creates a user name, password, and user attributes Write
StartUserImportJob Grants permission to start any user import job Write

userpool*

StopUserImportJob Grants permission to stop any user import job Write

userpool*

TagResource Grants permission to tag a user pool Tagging

userpool

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to untag a user pool Tagging

userpool

aws:TagKeys

UpdateAuthEventFeedback Grants permission to update the feedback for the user authentication event Write

userpool*

UpdateDeviceStatus Grants permission to update the device status Write
UpdateGroup Grants permission to update the configuration of any group Write

userpool*

UpdateIdentityProvider Grants permission to update the configuration of any user pool IdP Write

userpool*

UpdateResourceServer Grants permission to update the configuration of any OAuth 2.0 resource server Write

userpool*

UpdateUserAttributes Grants permission to allow a user to update a specific attribute (one at a time) Write
UpdateUserPool Grants permission to updates the configuration of user pools Write

userpool*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateUserPoolClient Grants permission to update any user pool client Write

userpool*

UpdateUserPoolDomain Grants permission to replace the certificate for any custom domain Write

userpool*

VerifySoftwareToken Grants permission to register a user's entered TOTP code and mark the user's software token MFA status as verified if successful Write
VerifyUserAttribute Grants permission to verify a user attribute using a one time verification code Write

Resource types defined by Amazon Cognito User Pools

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
userpool arn:${Partition}:cognito-idp:${Region}:${Account}:userpool/${UserPoolId}

aws:ResourceTag/${TagKey}

webacl arn:${Partition}:wafv2:${Region}:${Account}:${Scope}/webacl/${Name}/${Id}

Condition keys for Amazon Cognito User Pools

Amazon Cognito User Pools defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by tag key-value pairs attached to the resource String
aws:TagKeys Filters access by a key that is present in the request ArrayOfString