Table Of Contents


User Guide

First time using the AWS CLI? See the User Guide for help getting started.

[ aws . cognito-idp ]



Updates the specified user pool with the specified attributes. You can get a list of the current user pool settings with .


If you don't provide a value for an attribute, it will be set to the default value.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.


--user-pool-id <value>
[--policies <value>]
[--lambda-config <value>]
[--auto-verified-attributes <value>]
[--sms-verification-message <value>]
[--email-verification-message <value>]
[--email-verification-subject <value>]
[--verification-message-template <value>]
[--sms-authentication-message <value>]
[--mfa-configuration <value>]
[--device-configuration <value>]
[--email-configuration <value>]
[--sms-configuration <value>]
[--user-pool-tags <value>]
[--admin-create-user-config <value>]
[--user-pool-add-ons <value>]
[--account-recovery-setting <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]


--user-pool-id (string)

The user pool ID for the user pool you want to update.

--policies (structure)

A container with the policies you wish to update in a user pool.

Shorthand Syntax:


JSON Syntax:

  "PasswordPolicy": {
    "MinimumLength": integer,
    "RequireUppercase": true|false,
    "RequireLowercase": true|false,
    "RequireNumbers": true|false,
    "RequireSymbols": true|false,
    "TemporaryPasswordValidityDays": integer

--lambda-config (structure)

The AWS Lambda configuration information from the request to update the user pool.

Shorthand Syntax:


JSON Syntax:

  "PreSignUp": "string",
  "CustomMessage": "string",
  "PostConfirmation": "string",
  "PreAuthentication": "string",
  "PostAuthentication": "string",
  "DefineAuthChallenge": "string",
  "CreateAuthChallenge": "string",
  "VerifyAuthChallengeResponse": "string",
  "PreTokenGeneration": "string",
  "UserMigration": "string"

--auto-verified-attributes (list)

The attributes that are automatically verified when the Amazon Cognito service makes a request to update user pools.


"string" "string" ...

Where valid values are:

--sms-verification-message (string)

A container with information about the SMS verification message.

--email-verification-message (string)

The contents of the email verification message.

--email-verification-subject (string)

The subject of the email verification message.

--verification-message-template (structure)

The template for verification messages.

Shorthand Syntax:


JSON Syntax:

  "SmsMessage": "string",
  "EmailMessage": "string",
  "EmailSubject": "string",
  "EmailMessageByLink": "string",
  "EmailSubjectByLink": "string",

--sms-authentication-message (string)

The contents of the SMS authentication message.

--mfa-configuration (string)

Can be one of the following values:

  • OFF - MFA tokens are not required and cannot be specified during user registration.
  • ON - MFA tokens are required for all user registrations. You can only specify required when you are initially creating a user pool.
  • OPTIONAL - Users have the option when registering to create an MFA token.

Possible values:

  • OFF
  • ON

--device-configuration (structure)

Device configuration.

Shorthand Syntax:


JSON Syntax:

  "ChallengeRequiredOnNewDevice": true|false,
  "DeviceOnlyRememberedOnUserPrompt": true|false

--email-configuration (structure)

Email configuration.

Shorthand Syntax:


JSON Syntax:

  "SourceArn": "string",
  "ReplyToEmailAddress": "string",
  "EmailSendingAccount": "COGNITO_DEFAULT"|"DEVELOPER",
  "From": "string",
  "ConfigurationSet": "string"

--sms-configuration (structure)

SMS configuration.

Shorthand Syntax:


JSON Syntax:

  "SnsCallerArn": "string",
  "ExternalId": "string"

--user-pool-tags (map)

The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.

Shorthand Syntax:


JSON Syntax:

{"string": "string"

--admin-create-user-config (structure)

The configuration for AdminCreateUser requests.

Shorthand Syntax:


JSON Syntax:

  "AllowAdminCreateUserOnly": true|false,
  "UnusedAccountValidityDays": integer,
  "InviteMessageTemplate": {
    "SMSMessage": "string",
    "EmailMessage": "string",
    "EmailSubject": "string"

--user-pool-add-ons (structure)

Used to enable advanced security risk detection. Set the key AdvancedSecurityMode to the value "AUDIT".

Shorthand Syntax:


JSON Syntax:

  "AdvancedSecurityMode": "OFF"|"AUDIT"|"ENFORCED"

--account-recovery-setting (structure)

Use this setting to define which verified available method a user can use to recover their password when they call ForgotPassword . It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.

Shorthand Syntax:


JSON Syntax:

  "RecoveryMechanisms": [
      "Priority": integer,
      "Name": "verified_email"|"verified_phone_number"|"admin_only"

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.


To update a user pool

This example adds tags to a user pool.


aws cognito-idp update-user-pool --user-pool-id us-west-2_aaaaaaaaa --user-pool-tags Team=Blue,Area=West