Actions, resources, and condition keys for Amazon Cognito User Pools
Amazon Cognito User Pools (service prefix: cognito-idp) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon Cognito User Pools
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Access level column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see Access levels in policy summaries.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddCustomAttributes | Grants permission to add user attributes to the user pool schema | Write | |||
| AdminAddUserToGroup | Grants permission to add any user to any group | Write | |||
| AdminConfirmSignUp | Grants permission to confirm any user's registration without a confirmation code | Write | |||
| AdminCreateUser | Grants permission to create new users and send welcome messages via email or SMS | Write | |||
| AdminDeleteUser | Grants permission to delete any user | Write | |||
| AdminDeleteUserAttributes | Grants permission to delete attributes from any user | Write | |||
| AdminDisableProviderForUser | Grants permission to unlink any user pool user from a third-party identity provider (IdP) user | Write | |||
| AdminDisableUser | Grants permission to deactivate any user | Write | |||
| AdminEnableUser | Grants permission to activate any user | Write | |||
| AdminForgetDevice | Grants permission to deregister any user's devices | Write | |||
| AdminGetDevice | Grants permission to get information about any user's devices | Read | |||
| AdminGetUser | Grants permission to look up any user by user name | Read | |||
| AdminInitiateAuth | Grants permission to authenticate any user | Write | |||
| AdminLinkProviderForUser | Grants permission to link any user pool user to a third-party IdP user | Write | |||
| AdminListDevices | Grants permission to list any user's remembered devices | List | |||
| AdminListGroupsForUser | Grants permission to list the groups that any user belongs to | List | |||
| AdminListUserAuthEvents | Grants permission to lists sign-in events for any user | Read | |||
| AdminRemoveUserFromGroup | Grants permission to remove any user from any group | Write | |||
| AdminResetUserPassword | Grants permission to reset any user's password | Write | |||
| AdminRespondToAuthChallenge | Grants permission to respond to an authentication challenge during the authentication of any user | Write | |||
| AdminSetUserMFAPreference | Grants permission to set any user's preferred MFA method | Write | |||
| AdminSetUserPassword | Grants permission to set any user's password | Write | |||
| AdminSetUserSettings | Grants permission to set user settings for any user | Write | |||
| AdminUpdateAuthEventFeedback | Grants permission to update advanced security feedback for any user's authentication event | Write | |||
| AdminUpdateDeviceStatus | Grants permission to update the status of any user's remembered devices | Write | |||
| AdminUpdateUserAttributes | Grants permission to updates any user's standard or custom attributes | Write | |||
| AdminUserGlobalSignOut | Grants permission to sign out any user from all sessions | Write | |||
| AssociateSoftwareToken | Grants permission to return a unique generated shared secret key code for the user | Write | |||
| AssociateWebACL [permission only] | Grants permission to associate the user pool with an AWS WAF web ACL | Write | |||
| ChangePassword | Grants permission to change the password for a specified user in a user pool | Write | |||
| ConfirmDevice | Grants permission to confirm tracking of the device. This API call is the call that begins device tracking | Write | |||
| ConfirmForgotPassword | Grants permission to allow a user to enter a confirmation code to reset a forgotten password | Write | |||
| ConfirmSignUp | Grants permission to confirm registration of a user and handles the existing alias from a previous user | Write | |||
| CreateGroup | Grants permission to create new user pool groups | Write | |||
| CreateIdentityProvider | Grants permission to add identity providers to user pools | Write | |||
| CreateManagedLoginBranding | Grants permission to create a branding settings for managed login and associate it with an app client | Write | |||
| CreateResourceServer | Grants permission to create and configure scopes for OAuth 2.0 resource servers | Write | |||
| CreateUserImportJob | Grants permission to create user CSV import jobs | Write | |||
| CreateUserPool | Grants permission to create and set password policy for user pools | Write | |||
| CreateUserPoolClient | Grants permission to create user pool app clients | Write | |||
| CreateUserPoolDomain | Grants permission to add user pool domains | Write | |||
| DeleteGroup | Grants permission to delete any empty user pool group | Write | |||
| DeleteIdentityProvider | Grants permission to delete any identity provider from user pools | Write | |||
| DeleteManagedLoginBranding | Grants permission to delete the managed login branding style for any app client | Write | |||
| DeleteResourceServer | Grants permission to delete any OAuth 2.0 resource server from user pools | Write | |||
| DeleteUser | Grants permission to allow a user to delete one's self | Write | |||
| DeleteUserAttributes | Grants permission to delete the attributes for a user | Write | |||
| DeleteUserPool | Grants permission to delete user pools | Write | |||
| DeleteUserPoolClient | Grants permission to delete any user pool app client | Write | |||
| DeleteUserPoolDomain | Grants permission to delete any user pool domain | Write | |||
| DescribeIdentityProvider | Grants permission to describe any user pool identity provider | Read | |||
| DescribeManagedLoginBranding | Grants permission to get the detailed information about the branding style of managed login | Read | |||
| DescribeManagedLoginBrandingByClient | Grants permission to get the detailed information about the branding style of managed login associated with an appclient | Read | |||
| DescribeResourceServer | Grants permission to describe any OAuth 2.0 resource server | Read | |||
| DescribeRiskConfiguration | Grants permission to describe the risk configuration settings of user pools and app clients | Read | |||
| DescribeUserImportJob | Grants permission to describe any user import job | Read | |||
| DescribeUserPool | Grants permission to describe user pools | Read | |||
| DescribeUserPoolClient | Grants permission to describe any user pool app client | Read | |||
| DescribeUserPoolDomain | Grants permission to describe any user pool domain | Read | |||
| DisassociateWebACL [permission only] | Grants permission to disassociate the user pool with an AWS WAF web ACL | Write | |||
| ForgetDevice | Grants permission to forget the specified device | Write | |||
| ForgotPassword | Grants permission to send a message to the end user with a confirmation code that is required to change the user's password | Write | |||
| GetCSVHeader | Grants permission to generate headers for a user import .csv file | Read | |||
| GetDevice | Grants permission to get the device | Read | |||
| GetGroup | Grants permission to describe a user pool group | Read | |||
| GetIdentityProviderByIdentifier | Grants permission to correlate a user pool IdP identifier to the IdP Name | Read | |||
| GetLogDeliveryConfiguration | Grants permission to get the detailed activity logging configuration for a user pool | Read | |||
| GetSigningCertificate | Grants permission to look up signing certificates for user pools | Read | |||
| GetUICustomization | Grants permission to get UI customization information for the hosted UI of any app client | Read | |||
| GetUser | Grants permission to get the user attributes and metadata for a user | Read | |||
| GetUserAttributeVerificationCode | Grants permission to get the user attribute verification code for the specified attribute name | Read | |||
| GetUserPoolMfaConfig | Grants permission to look up the MFA configuration of user pools | Read | |||
| GetWebACLForResource [permission only] | Grants permission to get the AWS WAF web ACL that is associated with an Amazon Cognito user pool | Read | |||
| GlobalSignOut | Grants permission to sign out users from all devices | Write | |||
| InitiateAuth | Grants permission to initiate the authentication flow | Write | |||
| ListDevices | Grants permission to list the devices | List | |||
| ListGroups | Grants permission to list all groups in user pools | List | |||
| ListIdentityProviders | Grants permission to list all identity providers in user pools | List | |||
| ListResourceServers | Grants permission to list all resource servers in user pools | List | |||
| ListResourcesForWebACL [permission only] | Grants permission to list the user pools that are associated with an AWS WAF web ACL | List | |||
| ListTagsForResource | Grants permission to list the tags that are assigned to an Amazon Cognito user pool | List | |||
| ListUserImportJobs | Grants permission to list all user import jobs | List | |||
| ListUserPoolClients | Grants permission to list all app clients in user pools | List | |||
| ListUserPools | Grants permission to list all user pools | List | |||
| ListUsers | Grants permission to list all user pool users | List | |||
| ListUsersInGroup | Grants permission to list the users in any group | List | |||
| ResendConfirmationCode | Grants permission to resend the confirmation (for confirmation of registration) to a specific user in the user pool | Write | |||
| RespondToAuthChallenge | Grants permission to respond to the authentication challenge | Write | |||
| RevokeToken | Grants permission to revoke all of the access tokens generated by the specified refresh token | Write | |||
| SetLogDeliveryConfiguration | Grants permission to set up or modify the detailed activity logging configuration of a user pool | Write | |||
| SetRiskConfiguration | Grants permission to set risk configuration for user pools and app clients | Write | |||
| SetUICustomization | Grants permission to customize the hosted UI for any app client | Write | |||
| SetUserMFAPreference | Grants permission to set MFA preference for the user in the userpool | Write | |||
| SetUserPoolMfaConfig | Grants permission to set user pool MFA configuration | Write | |||
| SetUserSettings | Grants permission to set the user settings like multi-factor authentication (MFA) | Write | |||
| SignUp | Grants permission to register the user in the specified user pool and creates a user name, password, and user attributes | Write | |||
| StartUserImportJob | Grants permission to start any user import job | Write | |||
| StopUserImportJob | Grants permission to stop any user import job | Write | |||
| TagResource | Grants permission to tag a user pool | Tagging | |||
| UntagResource | Grants permission to untag a user pool | Tagging | |||
| UpdateAuthEventFeedback | Grants permission to update the feedback for the user authentication event | Write | |||
| UpdateDeviceStatus | Grants permission to update the device status | Write | |||
| UpdateGroup | Grants permission to update the configuration of any group | Write | |||
| UpdateIdentityProvider | Grants permission to update the configuration of any user pool IdP | Write | |||
| UpdateManagedLoginBranding | Grants permission to update the branding settings of a managed login | Write | |||
| UpdateResourceServer | Grants permission to update the configuration of any OAuth 2.0 resource server | Write | |||
| UpdateUserAttributes | Grants permission to allow a user to update a specific attribute (one at a time) | Write | |||
| UpdateUserPool | Grants permission to updates the configuration of user pools | Write | |||
| UpdateUserPoolClient | Grants permission to update any user pool client | Write | |||
| UpdateUserPoolDomain | Grants permission to replace the certificate for any custom domain | Write | |||
| VerifySoftwareToken | Grants permission to register a user's entered TOTP code and mark the user's software token MFA status as verified if successful | Write | |||
| VerifyUserAttribute | Grants permission to verify a user attribute using a one time verification code | Write |
Resource types defined by Amazon Cognito User Pools
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Condition keys for Amazon Cognito User Pools
Amazon Cognito User Pools defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see AWS global condition context keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by a key that is present in the request | ArrayOfString |
