AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Cognito User Pools

Amazon Cognito User Pools (service prefix: cognito-idp) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon Cognito User Pools

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AddCustomAttributes | Adds additional user attributes to the user pool schema. | Write | userpool* | | |
| AdminAddUserToGroup | Adds the specified user to the specified group. | Write | userpool* | | |
| AdminConfirmSignUp | Confirms user registration as an admin without using a confirmation code. Works on any user. | Write | userpool* | | |
| AdminCreateUser | Creates a new user in the specified user pool and sends a welcome message via email or phone (SMS). | Write | userpool* | | |
| AdminDeleteUser | Deletes a user as an administrator. Works on any user. | Write | userpool* | | |
| AdminDeleteUserAttributes | Deletes the user attributes in a user pool as an administrator. Works on any user. | Write | userpool* | | |
| AdminDisableProviderForUser | Disables the user from signing in with the specified external (SAML or social) identity provider. | Write | userpool* | | |
| AdminDisableUser | Disables the specified user as an administrator. Works on any user. | Write | userpool* | | |
| AdminEnableUser | Enables the specified user as an administrator. Works on any user. | Write | userpool* | | |
| AdminForgetDevice | Forgets the device, as an administrator. | Write | userpool* | | |
| AdminGetDevice | Gets the device, as an administrator. | Read | userpool* | | |
| AdminGetUser | Gets the specified user by user name in a user pool as an administrator. Works on any user. | Read | userpool* | | |
| AdminInitiateAuth | Authenticates a user in a user pool as an administrator. Works on any user. | Write | userpool* | | |
| AdminLinkProviderForUser | Links an existing user account in a user pool (DestinationUser) to an identity from an external identity provider (SourceUser) based on a specified attribute name and value from the external identity provider. | Write | userpool* | | |
| AdminListDevices | Lists devices, as an administrator. | List | userpool* | | |
| AdminListGroupsForUser | Lists the groups that the user belongs to. | List | userpool* | | |
| AdminListUserAuthEvents | Lists the authentication events for the user. | Read | userpool* | | |
| AdminRemoveUserFromGroup | Removes the specified user from the specified group. | Write | userpool* | | |
| AdminResetUserPassword | Resets the specified user's password in a user pool as an administrator. Works on any user. | Write | userpool* | | |
| AdminRespondToAuthChallenge | Responds to an authentication challenge, as an administrator. | Write | userpool* | | |
| AdminSetUserMFAPreference | Sets the MFA preference for the user in the user pool. | Write | userpool* | | |
| AdminSetUserSettings | Sets all the user settings for a specified user name. Works on any user. | Write | userpool* | | |
| AdminUpdateAuthEventFeedback | Updates the feedback for the user authentication event. | Write | userpool* | | |
| AdminUpdateDeviceStatus | Updates the device status as an administrator. | Write | userpool* | | |
| AdminUpdateUserAttributes | Updates the specified user's attributes, including developer attributes, as an administrator. | Write | userpool* | | |
| AdminUserGlobalSignOut | Signs out users from all devices, as an administrator. | Write | userpool* | | |
| AssociateSoftwareToken | Returns a unique generated shared secret key code for the user account. | Write | userpool* | | |
| ChangePassword | Changes the password for a specified user in a user pool. | Write | userpool* | | |
| ConfirmDevice | Confirms tracking of the device. This API call is the call that begins device tracking. | Write | userpool* | | |
| ConfirmForgotPassword | Allows a user to enter a confirmation code to reset a forgotten password. | Write | userpool* | | |
| ConfirmSignUp | Confirms registration of a user and handles the existing alias from a previous user. | Write | userpool* | | |
| CreateGroup | Creates a new group in the specified user pool. | Write | userpool* | | |
| CreateIdentityProvider | Creates an identity provider for a user pool. | Write | userpool* | | |
| CreateResourceServer | Creates a new OAuth 2.0 resource server and defines custom scopes in it. | Write | userpool* | | |
| CreateUserImportJob | Creates the user import job. | Write | userpool* | | |
| CreateUserPool | Creates a new Amazon Cognito user pool and sets the password policy for the pool. | Write | userpool* | | |
| CreateUserPoolClient | Creates the user pool client. | Write | userpool* | | |
| CreateUserPoolDomain | Creates a new domain for a user pool. | Write | userpool* | | |
| DeleteGroup | Deletes a group. Currently only groups with no members can be deleted. | Write | userpool* | | |
| DeleteIdentityProvider | Deletes an identity provider for a user pool. | Write | userpool* | | |
| DeleteResourceServer | Deletes a resource server. | Write | userpool* | | |
| DeleteUser | Allows a user to delete their own account. | Write | userpool* | | |
| DeleteUserAttributes | Deletes the attributes for a user. | Write | userpool* | | |
| DeleteUserPool | Deletes the specified Amazon Cognito user pool. | Write | userpool* | | |
| DeleteUserPoolClient | Allows the developer to delete the user pool client. | Write | userpool* | | |
| DeleteUserPoolDomain | Deletes a domain for a user pool. | Write | userpool* | | |
| DescribeIdentityProvider | Gets information about a specific identity provider. | Read | userpool* | | |
| DescribeResourceServer | Describes a resource server. | Read | userpool* | | |
| DescribeRiskConfiguration | Describes the risk configuration setting for the user pool or user pool client. | Read | userpool* | | |
| DescribeUserImportJob | Describes the user import job. | Read | userpool* | | |
| DescribeUserPool | Returns the configuration information and metadata of the specified user pool. | Read | userpool* | | |
| DescribeUserPoolClient | Returns the configuration information and metadata of the specified user pool client. | Read | userpool* | | |
| DescribeUserPoolDomain | Gets information about a domain. | Read | userpool* | | |
| ForgetDevice | Forgets the specified device. | Write | userpool* | | |
| ForgotPassword | Causes a message to be sent to the end user with a confirmation code that is required to change the user's password. | Write | userpool* | | |
| GetCSVHeader | Gets the header information for the .csv file to be used as input for the user import job. | Read | userpool* | | |
| GetDevice | Gets the device. | Read | userpool* | | |
| GetGroup | Gets a group. | Read | userpool* | | |
| GetIdentityProviderByIdentifier | Gets the specified identity provider. | Read | userpool* | | |
| GetSigningCertificate | Returns the signing certificate. | Read | userpool* | | |
| GetUICustomization | Gets the UI customization information for a particular app client's app UI, if there is something set. | Read | userpool* | | |
| GetUser | Gets the user attributes and metadata for a user. | Read | userpool* | | |
| GetUserAttributeVerificationCode | Gets the user attribute verification code for the specified attribute name. | Read | userpool* | | |
| GetUserPoolMfaConfig | Gets the MFA configuration for the user pool. | Read | userpool* | | |
| GlobalSignOut | Signs out users from all devices. | Write | userpool* | | |
| InitiateAuth | Initiates the authentication flow. | Write | userpool* | | |
| ListDevices | Lists the devices. | List | userpool* | | |
| ListGroups | Lists the groups associated with a user pool. | List | userpool* | | |
| ListIdentityProviders | Lists information about all identity providers for a user pool. | List | userpool* | | |
| ListResourceServers | Lists the resource servers for a user pool. | List | userpool* | | |
| ListUserImportJobs | Lists the user import jobs. | List | userpool* | | |
| ListUserPoolClients | Lists the clients that have been created for the specified user pool. | List | userpool* | | |
| ListUserPools | Lists the user pools associated with an AWS account. | List | | | |
| ListUsers | Lists the users in the Amazon Cognito user pool. | List | userpool* | | |
| ListUsersInGroup | Lists the users in the specified group. | List | userpool* | | |
| ResendConfirmationCode | Resends the confirmation code (for confirmation of registration) to a specific user in the user pool. | Write | userpool* | | |
| RespondToAuthChallenge | Responds to the authentication challenge. | Write | userpool* | | |
| SetRiskConfiguration | Sets the risk configuration setting for the user pool or user pool client. | Write | userpool* | | |
| SetUICustomization | Sets the UI customization information for a user pool's built-in app UI. | Write | userpool* | | |
| SetUserMFAPreference | Sets the MFA preference for the user in the user pool. | Write | userpool* | | |
| SetUserPoolMfaConfig | Sets the MFA configuration for the user pool. | Write | userpool* | | |
| SetUserSettings | Sets the user settings like multi-factor authentication (MFA). | Write | userpool* | | |
| SignUp | Registers the user in the specified user pool and creates a user name, password, and user attributes. | Write | userpool* | | |
| StartUserImportJob | Starts the user import job. | Write | userpool* | | |
| StopUserImportJob | Stops the user import job. | Write | userpool* | | |
| UpdateAuthEventFeedback | Updates the feedback for the user authentication event. | Write | userpool* | | |
| UpdateDeviceStatus | Updates the device status. | Write | userpool* | | |
| UpdateGroup | Updates the specified group with the specified attributes. | Write | userpool* | | |
| UpdateIdentityProvider | Updates identity provider information for a user pool. | Write | userpool* | | |
| UpdateResourceServer | Updates the name and scopes of a resource server. | Write | userpool* | | |
| UpdateUserAttributes | Allows a user to update a specific attribute (one at a time). | Write | userpool* | | |
| UpdateUserPool | Updates the specified user pool with the specified attributes. | Write | userpool* | | |
| UpdateUserPoolClient | Allows the developer to update the specified user pool client and password policy. | Write | userpool* | | |
| VerifySoftwareToken | Registers a user's entered TOTP code and marks the user's software token MFA status as verified if successful. | Write | userpool* | | |
| VerifyUserAttribute | Verifies a user attribute using a one-time verification code. | Write | userpool* | | |

Resources Defined by Cognito User Pools

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| userpool | arn:${Partition}:cognito-idp:${Region}:${Account}:userpool/${UserPoolId} | |
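As an added example (not code from this reference page or from AWS), the following Python builds a userpool ARN in the format given above, wraps it in a least-privilege policy that uses only action names from the actions table, and includes a deliberately simplified IAM evaluator so the grant can be checked offline. The region, account ID and user pool ID are constructed placeholders. The evaluator models only Allow and Deny statements with IAM's "*" wildcard and explicit-deny-wins; it is not the full IAM evaluation logic and does not replace the IAM policy simulator. Note that ListUserPools has no resource type in the actions table, so it gets its own statement with Resource "*" rather than being bundled with the pool-scoped actions.

```python
"""Least-privilege IAM policy for one Cognito user pool, with a minimal
offline evaluator. Added example; not part of the AWS reference page.
"""
import fnmatch
import json

# Constructed placeholders for the ${Partition}, ${Region}, ${Account}
# and ${UserPoolId} variables in the resource table.
PARTITION = "aws"
REGION = "us-east-1"
ACCOUNT = "123456789012"
USER_POOL_ID = "us-east-1_EXAMPLE"  # placeholder, not a real pool id


def user_pool_arn(partition, region, account, pool_id):
    """Build the userpool ARN in the documented format:
    arn:${Partition}:cognito-idp:${Region}:${Account}:userpool/${UserPoolId}"""
    return f"arn:{partition}:cognito-idp:{region}:{account}:userpool/{pool_id}"


def support_operator_policy(pool_arn):
    """Read-only support role: may look users up in one pool, but gets none
    of the Admin* write actions. ListUserPools has no resource type in the
    actions table, so it needs its own statement with Resource "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOnePool",
                "Effect": "Allow",
                "Action": [
                    "cognito-idp:DescribeUserPool",
                    "cognito-idp:ListUsers",
                    "cognito-idp:AdminGetUser",
                    "cognito-idp:AdminListGroupsForUser",
                    "cognito-idp:AdminListUserAuthEvents",
                ],
                "Resource": pool_arn,
            },
            {
                "Sid": "ListPoolsIsAccountWide",
                "Effect": "Allow",
                "Action": "cognito-idp:ListUserPools",
                "Resource": "*",
            },
            {
                # Explicit deny guards against a later Allow elsewhere in the
                # principal's permissions widening the role by accident.
                "Sid": "NeverDeleteOrResetAccounts",
                "Effect": "Deny",
                "Action": [
                    "cognito-idp:AdminDeleteUser",
                    "cognito-idp:AdminResetUserPassword",
                    "cognito-idp:DeleteUserPool",
                ],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: default deny, any matching Allow grants,
    any matching Deny overrides. Wildcards follow IAM's '*' glob semantics."""
    allowed = False
    for stmt in policy["Statement"]:
        action_match = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_match = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_match and resource_match):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny wins regardless of other statements
        allowed = True
    return allowed


if __name__ == "__main__":
    pool = user_pool_arn(PARTITION, REGION, ACCOUNT, USER_POOL_ID)
    policy = support_operator_policy(pool)
    print(json.dumps(policy, indent=2))
    for act in ("cognito-idp:AdminGetUser", "cognito-idp:AdminDeleteUser",
                "cognito-idp:AdminCreateUser"):
        print(f"{act}: {'allowed' if is_allowed(policy, act, pool) else 'denied'}")
```

The evaluator is intentionally small: it exists to show that the pool-scoped Allow does not leak to a second pool's ARN, that an action absent from the policy (AdminCreateUser) is denied by default, and that the Deny statement holds even for the pool the role can read.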

Condition Keys for Amazon Cognito User Pools

Cognito User Pools has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.