Actions, resources, and condition keys for Amazon Cognito User Pools
Amazon Cognito User Pools (service prefix: cognito-idp) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon Cognito User Pools
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddCustomAttributes | Adds additional user attributes to the user pool schema | Write | |||
| AdminAddUserToGroup | Adds the specified user to the specified group | Write | |||
| AdminConfirmSignUp | Confirms user registration as an admin without using a confirmation code. Works on any user | Write | |||
| AdminCreateUser | Creates a new user in the specified user pool and sends a welcome message via email or phone (SMS) | Write | |||
| AdminDeleteUser | Deletes a user as an administrator. Works on any user | Write | |||
| AdminDeleteUserAttributes | Deletes the user attributes in a user pool as an administrator. Works on any user | Write | |||
| AdminDisableProviderForUser | Disables the user from signing in with the specified external (SAML or social) identity provider | Write | |||
| AdminDisableUser | Disables the specified user as an administrator. Works on any user | Write | |||
| AdminEnableUser | Enables the specified user as an administrator. Works on any user | Write | |||
| AdminForgetDevice | Forgets the device, as an administrator | Write | |||
| AdminGetDevice | Gets the device, as an administrator | Read | |||
| AdminGetUser | Gets the specified user by user name in a user pool as an administrator. Works on any user | Read | |||
| AdminInitiateAuth | Authenticates a user in a user pool as an administrator. Works on any user | Write | |||
| AdminLinkProviderForUser | Links an existing user account in a user pool (DestinationUser) to an identity from an external identity provider (SourceUser) based on a specified attribute name and value from the external identity provider | Write | |||
| AdminListDevices | Lists devices, as an administrator | List | |||
| AdminListGroupsForUser | Lists the groups that the user belongs to | List | |||
| AdminListUserAuthEvents | Lists the authentication events for the user | Read | |||
| AdminRemoveUserFromGroup | Removes the specified user from the specified group | Write | |||
| AdminResetUserPassword | Resets the specified user's password in a user pool as an administrator. Works on any user | Write | |||
| AdminRespondToAuthChallenge | Responds to an authentication challenge, as an administrator | Write | |||
| AdminSetUserMFAPreference | Sets MFA preference for the user in the userpool | Write | |||
| AdminSetUserPassword | Sets the specified user's password in a user pool as an administrator. Works on any user | Write | |||
| AdminSetUserSettings | Sets all the user settings for a specified user name. Works on any user | Write | |||
| AdminUpdateAuthEventFeedback | Updates the feedback for the user authentication event | Write | |||
| AdminUpdateDeviceStatus | Updates the device status as an administrator | Write | |||
| AdminUpdateUserAttributes | Updates the specified user's attributes, including developer attributes, as an administrator | Write | |||
| AdminUserGlobalSignOut | Signs out users from all devices, as an administrator | Write | |||
| AssociateSoftwareToken | Returns a unique generated shared secret key code for the user account | Write | |||
| ChangePassword | Changes the password for a specified user in a user pool | Write | |||
| ConfirmDevice | Confirms tracking of the device. This API call is the call that begins device tracking | Write | |||
| ConfirmForgotPassword | Allows a user to enter a confirmation code to reset a forgotten password | Write | |||
| ConfirmSignUp | Confirms registration of a user and handles the existing alias from a previous user | Write | |||
| CreateGroup | Creates a new group in the specified user pool | Write | |||
| CreateIdentityProvider | Creates an identity provider for a user pool | Write | |||
| CreateResourceServer | Creates a new OAuth2.0 resource server and defines custom scopes in it | Write | |||
| CreateUserImportJob | Creates the user import job | Write | |||
| CreateUserPool | Creates a new Amazon Cognito user pool and sets the password policy for the pool | Write | |||
| CreateUserPoolClient | Creates the user pool client | Write | |||
| CreateUserPoolDomain | Creates a new domain for a user pool | Write | |||
| DeleteGroup | Deletes a group. Currently only groups with no members can be deleted | Write | |||
| DeleteIdentityProvider | Deletes an identity provider for a user pool | Write | |||
| DeleteResourceServer | Deletes a resource server | Write | |||
| DeleteUser | Allows a user to delete one's self | Write | |||
| DeleteUserAttributes | Deletes the attributes for a user | Write | |||
| DeleteUserPool | Deletes the specified Amazon Cognito user pool | Write | |||
| DeleteUserPoolClient | Allows the developer to delete the user pool client | Write | |||
| DeleteUserPoolDomain | Deletes a domain for a user pool | Write | |||
| DescribeIdentityProvider | Gets information about a specific identity provider | Read | |||
| DescribeResourceServer | Describes a resource server | Read | |||
| DescribeRiskConfiguration | Describes the risk configuration setting for the userpool / userpool client | Read | |||
| DescribeUserImportJob | Describes the user import job | Read | |||
| DescribeUserPool | Returns the configuration information and metadata of the specified user pool | Read | |||
| DescribeUserPoolClient | Client method for returning the configuration information and metadata of the specified user pool client | Read | |||
| DescribeUserPoolDomain | Gets information about a domain | Read | |||
| ForgetDevice | Forgets the specified device | Write | |||
| ForgotPassword | Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password | Write | |||
| GetCSVHeader | Gets the header information for the .csv file to be used as input for the user import job | Read | |||
| GetDevice | Gets the device | Read | |||
| GetGroup | Gets a group | Read | |||
| GetIdentityProviderByIdentifier | Gets the specified identity provider | Read | |||
| GetSigningCertificate | Returns the signing certificate | Read | |||
| GetUICustomization | Gets the UI Customization information for a particular app client's app UI, if there is something set | Read | |||
| GetUser | Gets the user attributes and metadata for a user | Read | |||
| GetUserAttributeVerificationCode | Gets the user attribute verification code for the specified attribute name | Read | |||
| GetUserPoolMfaConfig | Gets the MFA configuration for the userpool | Read | |||
| GlobalSignOut | Signs out users from all devices | Write | |||
| InitiateAuth | Initiates the authentication flow | Write | |||
| ListDevices | Lists the devices | List | |||
| ListGroups | Lists the groups associated with a user pool | List | |||
| ListIdentityProviders | Lists information about all identity providers for a user pool | List | |||
| ListResourceServers | Lists the resource servers for a user pool | List | |||
| ListTagsForResource | Lists the tags that are assigned to an Amazon Cognito user pool | List | |||
| ListUserImportJobs | Lists the user import jobs | List | |||
| ListUserPoolClients | Lists the clients that have been created for the specified user pool | List | |||
| ListUserPools | Lists the user pools associated with an AWS account | List | |||
| ListUsers | Lists the users in the Amazon Cognito user pool | List | |||
| ListUsersInGroup | Lists the users in the specified group | List | |||
| ResendConfirmationCode | Resends the confirmation (for confirmation of registration) to a specific user in the user pool | Write | |||
| RespondToAuthChallenge | Responds to the authentication challenge | Write | |||
| RevokeToken | Revokes all of the access tokens generated by the specified refresh token | Write | |||
| SetRiskConfiguration | sets the risk configuration setting for the userpool / userpool client | Write | |||
| SetUICustomization | Sets the UI customization information for a user pool's built-in app UI | Write | |||
| SetUserMFAPreference | Sets MFA preference for the user in the userpool | Write | |||
| SetUserPoolMfaConfig | Sets the MFA configuration for the userpool | Write | |||
| SetUserSettings | Sets the user settings like multi-factor authentication (MFA) | Write | |||
| SignUp | Registers the user in the specified user pool and creates a user name, password, and user attributes | Write | |||
| StartUserImportJob | Starts the user import | Write | |||
| StopUserImportJob | Stops the user import job | Write | |||
| TagResource | Assigns a set of tags to an Amazon Cognito user pool | Tagging | |||
| UntagResource | Removes the specified tags from an Amazon Cognito user pool | Tagging | |||
| UpdateAuthEventFeedback | Updates the feedback for the user authentication event | Write | |||
| UpdateDeviceStatus | Updates the device status | Write | |||
| UpdateGroup | Updates the specified group with the specified attributes | Write | |||
| UpdateIdentityProvider | Updates identity provider information for a user pool | Write | |||
| UpdateResourceServer | Updates the name and scopes of resource server | Write | |||
| UpdateUserAttributes | Allows a user to update a specific attribute (one at a time) | Write | |||
| UpdateUserPool | Updates the specified user pool with the specified attributes | Write | |||
| UpdateUserPoolClient | Allows the developer to update the specified user pool client and password policy | Write | |||
| UpdateUserPoolDomain | Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool | Write | |||
| VerifySoftwareToken | Registers a user's entered TOTP code and mark the user's software token MFA status as verified if successful | Write | |||
| VerifyUserAttribute | Verifies a user attribute using a one time verification code | Write |
Resource types defined by Amazon Cognito User Pools
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| userpool |
arn:${Partition}:cognito-idp:${Region}:${Account}:userpool/${UserPoolId}
|
Condition keys for Amazon Cognito User Pools
Amazon Cognito User Pools defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by a key that is present in the request | ArrayOfString |
