Actions, resources, and condition keys for Amazon Cognito User Pools

Amazon Cognito User Pools (service prefix: cognito-idp) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Learn how to configure this service.
View a list of the API operations available for this service.
Learn how to secure this service and its resources by using IAM permission policies.

Topics

Actions defined by Amazon Cognito User Pools
Resource types defined by Amazon Cognito User Pools
Condition keys for Amazon Cognito User Pools

Actions defined by Amazon Cognito User Pools

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

For details about the columns in the following table, see Actions table.

Actions	Description	Access level	Resource types (*required)	Condition keys
AddCustomAttributes	Grants permission to add user attributes to the user pool schema	Write	userpool*
AdminAddUserToGroup	Grants permission to add any user to any group	Write	userpool*
AdminConfirmSignUp	Grants permission to confirm any user's registration without a confirmation code	Write	userpool*
AdminCreateUser	Grants permission to create new users and send welcome messages via email or SMS	Write	userpool*
AdminDeleteUser	Grants permission to delete any user	Write	userpool*
AdminDeleteUserAttributes	Grants permission to delete attributes from any user	Write	userpool*
AdminDisableProviderForUser	Grants permission to unlink any user pool user from a third-party identity provider (IdP) user	Write	userpool*
AdminDisableUser	Grants permission to deactivate any user	Write	userpool*
AdminEnableUser	Grants permission to activate any user	Write	userpool*
AdminForgetDevice	Grants permission to deregister any user's devices	Write	userpool*
AdminGetDevice	Grants permission to get information about any user's devices	Read	userpool*
AdminGetUser	Grants permission to look up any user by user name	Read	userpool*
AdminInitiateAuth	Grants permission to authenticate any user	Write	userpool*
AdminLinkProviderForUser	Grants permission to link any user pool user to a third-party IdP user	Write	userpool*
AdminListDevices	Grants permission to list any user's remembered devices	List	userpool*
AdminListGroupsForUser	Grants permission to list the groups that any user belongs to	List	userpool*
AdminListUserAuthEvents	Grants permission to lists sign-in events for any user	Read	userpool*
AdminRemoveUserFromGroup	Grants permission to remove any user from any group	Write	userpool*
AdminResetUserPassword	Grants permission to reset any user's password	Write	userpool*
AdminRespondToAuthChallenge	Grants permission to respond to an authentication challenge during the authentication of any user	Write	userpool*
AdminSetUserMFAPreference	Grants permission to set any user's preferred MFA method	Write	userpool*
AdminSetUserPassword	Grants permission to set any user's password	Write	userpool*
AdminSetUserSettings	Grants permission to set user settings for any user	Write	userpool*
AdminUpdateAuthEventFeedback	Grants permission to update advanced security feedback for any user's authentication event	Write	userpool*
AdminUpdateDeviceStatus	Grants permission to update the status of any user's remembered devices	Write	userpool*
AdminUpdateUserAttributes	Grants permission to updates any user's standard or custom attributes	Write	userpool*
AdminUserGlobalSignOut	Grants permission to sign out any user from all sessions	Write	userpool*
AssociateSoftwareToken	Returns a unique generated shared secret key code for the user account	Write
AssociateWebACL [permission only]	Grants permission to associate the user pool with an AWS WAF web ACL	Write	userpool*
AssociateWebACL [permission only]		Write	webacl*
ChangePassword	Changes the password for a specified user in a user pool	Write
ConfirmDevice	Confirms tracking of the device. This API call is the call that begins device tracking	Write
ConfirmForgotPassword	Allows a user to enter a confirmation code to reset a forgotten password	Write
ConfirmSignUp	Confirms registration of a user and handles the existing alias from a previous user	Write
CreateGroup	Grants permission to create new user pool groups	Write	userpool*
CreateIdentityProvider	Grants permission to add identity providers to user pools	Write	userpool*
CreateResourceServer	Grants permission to create and configure scopes for OAuth 2.0 resource servers	Write	userpool*
CreateUserImportJob	Grants permission to create user CSV import jobs	Write	userpool*
CreateUserPool	Grants permission to create and set password policy for user pools	Write		aws:RequestTag/${TagKey} aws:TagKeys aws:ResourceTag/${TagKey}
CreateUserPoolClient	Grants permission to create user pool app clients	Write	userpool*
CreateUserPoolDomain	Grants permission to add user pool domains	Write	userpool*
DeleteGroup	Grants permission to delete any empty user pool group	Write	userpool*
DeleteIdentityProvider	Grants permission to delete any identity provider from user pools	Write	userpool*
DeleteResourceServer	Grants permission to delete any OAuth 2.0 resource server from user pools	Write	userpool*
DeleteUser	Allows a user to delete one's self	Write
DeleteUserAttributes	Deletes the attributes for a user	Write
DeleteUserPool	Grants permission to delete user pools	Write	userpool*
DeleteUserPoolClient	Grants permission to delete any user pool app client	Write	userpool*
DeleteUserPoolDomain	Grants permission to delete any user pool domain	Write	userpool*
DescribeIdentityProvider	Grants permission to describe any user pool identity provider	Read	userpool*
DescribeResourceServer	Grants permission to describe any OAuth 2.0 resource server	Read	userpool*
DescribeRiskConfiguration	Grants permission to describe the risk configuration settings of user pools and app clients	Read	userpool*
DescribeUserImportJob	Grants permission to describe any user import job	Read	userpool*
DescribeUserPool	Grants permission to describe user pools	Read	userpool*
DescribeUserPoolClient	Grants permission to describe any user pool app client	Read	userpool*
DescribeUserPoolDomain	Grants permission to describe any user pool domain	Read
DisassociateWebACL [permission only]	Grants permission to disassociate the user pool with an AWS WAF web ACL	Write	userpool*
ForgetDevice	Forgets the specified device	Write
ForgotPassword	Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password	Write
GetCSVHeader	Grants permission to generate headers for a user import .csv file	Read	userpool*
GetDevice	Gets the device	Read
GetGroup	Grants permission to describe a user pool group	Read	userpool*
GetIdentityProviderByIdentifier	Grants permission to correlate a user pool IdP identifier to the IdP Name	Read	userpool*
GetSigningCertificate	Grants permission to look up signing certificates for user pools	Read	userpool*
GetUICustomization	Grants permission to get UI customization information for the hosted UI of any app client	Read	userpool*
GetUser	Gets the user attributes and metadata for a user	Read
GetUserAttributeVerificationCode	Gets the user attribute verification code for the specified attribute name	Read
GetUserPoolMfaConfig	Grants permission to look up the MFA configuration of user pools	Read	userpool*
GetWebACLForResource [permission only]	Grants permission to get the AWS WAF web ACL that is associated with an Amazon Cognito user pool	Read	userpool*
GlobalSignOut	Signs out users from all devices	Write
InitiateAuth	Initiates the authentication flow	Write
ListDevices	Lists the devices	List
ListGroups	Grants permission to list all groups in user pools	List	userpool*
ListIdentityProviders	Grants permission to list all identity providers in user pools	List	userpool*
ListResourceServers	Grants permission to list all resource servers in user pools	List	userpool*
ListResourcesForWebACL [permission only]	Grants permission to list the user pools that are associated with an AWS WAF web ACL	List	webacl*
ListTagsForResource	Grants permission to list the tags that are assigned to an Amazon Cognito user pool	List	userpool
ListUserImportJobs	Grants permission to list all user import jobs	List	userpool*
ListUserPoolClients	Grants permission to list all app clients in user pools	List	userpool*
ListUserPools	Grants permission to list all user pools	List
ListUsers	Grants permission to list all user pool users	List	userpool*
ListUsersInGroup	Grants permission to list the users in any group	List	userpool*
ResendConfirmationCode	Resends the confirmation (for confirmation of registration) to a specific user in the user pool	Write
RespondToAuthChallenge	Responds to the authentication challenge	Write
RevokeToken	Revokes all of the access tokens generated by the specified refresh token	Write
SetRiskConfiguration	Grants permission to set risk configuration for user pools and app clients	Write	userpool*
SetUICustomization	Grants permission to customize the hosted UI for any app client	Write	userpool*
SetUserMFAPreference	Sets MFA preference for the user in the userpool	Write
SetUserPoolMfaConfig	Grants permission to set user pool MFA configuration	Write	userpool*
SetUserSettings	Sets the user settings like multi-factor authentication (MFA)	Write
SignUp	Registers the user in the specified user pool and creates a user name, password, and user attributes	Write
StartUserImportJob	Grants permission to start any user import job	Write	userpool*
StopUserImportJob	Grants permission to stop any user import job	Write	userpool*
TagResource	Grants permission to tag a user pool	Tagging	userpool
TagResource	Grants permission to tag a user pool	Tagging		aws:RequestTag/${TagKey} aws:TagKeys
UntagResource	Grants permission to untag a user pool	Tagging	userpool
UntagResource	Grants permission to untag a user pool	Tagging		aws:TagKeys
UpdateAuthEventFeedback	Updates the feedback for the user authentication event	Write	userpool*
UpdateDeviceStatus	Updates the device status	Write
UpdateGroup	Grants permission to update the configuration of any group	Write	userpool*
UpdateIdentityProvider	Grants permission to update the configuration of any user pool IdP	Write	userpool*
UpdateResourceServer	Grants permission to update the configuration of any OAuth 2.0 resource server	Write	userpool*
UpdateUserAttributes	Allows a user to update a specific attribute (one at a time)	Write
UpdateUserPool	Grants permission to updates the configuration of user pools	Write	userpool*
UpdateUserPool		Write		aws:RequestTag/${TagKey} aws:TagKeys
UpdateUserPoolClient	Grants permission to update any user pool client	Write	userpool*
UpdateUserPoolDomain	Grants permission to replace the certificate for any custom domain	Write	userpool*
VerifySoftwareToken	Registers a user's entered TOTP code and mark the user's software token MFA status as verified if successful	Write
VerifyUserAttribute	Verifies a user attribute using a one time verification code	Write

Resource types defined by Amazon Cognito User Pools

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types	ARN	Condition keys
userpool	`arn:${Partition}:cognito-idp:${Region}:${Account}:userpool/${UserPoolId}`	aws:ResourceTag/${TagKey}
webacl	`arn:${Partition}:wafv2:${Region}:${Account}:${Scope}/webacl/${Name}/${Id}`

Condition keys for Amazon Cognito User Pools

Amazon Cognito User Pools defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys	Description	Type
aws:RequestTag/${TagKey}	Filters access by the presence of tag key-value pairs in the request	String
aws:ResourceTag/${TagKey}	Filters access by tag key-value pairs attached to the resource	String
aws:TagKeys	Filters access by a key that is present in the request	ArrayOfString

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon Cognito Sync

Amazon Comprehend