Actions, resources, and condition keys for Amazon Cognito User Pools
Amazon Cognito User Pools (service prefix: cognito-idp
) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon Cognito User Pools
You can specify the following actions in the Action
element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource
element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource
element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition
element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AddCustomAttributes | Grants permission to add user attributes to the user pool schema | Write | |||
AdminAddUserToGroup | Grants permission to add any user to any group | Write | |||
AdminConfirmSignUp | Grants permission to confirm any user's registration without a confirmation code | Write | |||
AdminCreateUser | Grants permission to create new users and send welcome messages via email or SMS | Write | |||
AdminDeleteUser | Grants permission to delete any user | Write | |||
AdminDeleteUserAttributes | Grants permission to delete attributes from any user | Write | |||
AdminDisableProviderForUser | Grants permission to unlink any user pool user from a third-party identity provider (IdP) user | Write | |||
AdminDisableUser | Grants permission to deactivate any user | Write | |||
AdminEnableUser | Grants permission to activate any user | Write | |||
AdminForgetDevice | Grants permission to deregister any user's devices | Write | |||
AdminGetDevice | Grants permission to get information about any user's devices | Read | |||
AdminGetUser | Grants permission to look up any user by user name | Read | |||
AdminInitiateAuth | Grants permission to authenticate any user | Write | |||
AdminLinkProviderForUser | Grants permission to link any user pool user to a third-party IdP user | Write | |||
AdminListDevices | Grants permission to list any user's remembered devices | List | |||
AdminListGroupsForUser | Grants permission to list the groups that any user belongs to | List | |||
AdminListUserAuthEvents | Grants permission to lists sign-in events for any user | Read | |||
AdminRemoveUserFromGroup | Grants permission to remove any user from any group | Write | |||
AdminResetUserPassword | Grants permission to reset any user's password | Write | |||
AdminRespondToAuthChallenge | Grants permission to respond to an authentication challenge during the authentication of any user | Write | |||
AdminSetUserMFAPreference | Grants permission to set any user's preferred MFA method | Write | |||
AdminSetUserPassword | Grants permission to set any user's password | Write | |||
AdminSetUserSettings | Grants permission to set user settings for any user | Write | |||
AdminUpdateAuthEventFeedback | Grants permission to update advanced security feedback for any user's authentication event | Write | |||
AdminUpdateDeviceStatus | Grants permission to update the status of any user's remembered devices | Write | |||
AdminUpdateUserAttributes | Grants permission to updates any user's standard or custom attributes | Write | |||
AdminUserGlobalSignOut | Grants permission to sign out any user from all sessions | Write | |||
AssociateSoftwareToken | Returns a unique generated shared secret key code for the user account | Write | |||
AssociateWebACL [permission only] | Grants permission to associate the user pool with an AWS WAF web ACL | Write | |||
ChangePassword | Changes the password for a specified user in a user pool | Write | |||
ConfirmDevice | Confirms tracking of the device. This API call is the call that begins device tracking | Write | |||
ConfirmForgotPassword | Allows a user to enter a confirmation code to reset a forgotten password | Write | |||
ConfirmSignUp | Confirms registration of a user and handles the existing alias from a previous user | Write | |||
CreateGroup | Grants permission to create new user pool groups | Write | |||
CreateIdentityProvider | Grants permission to add identity providers to user pools | Write | |||
CreateResourceServer | Grants permission to create and configure scopes for OAuth 2.0 resource servers | Write | |||
CreateUserImportJob | Grants permission to create user CSV import jobs | Write | |||
CreateUserPool | Grants permission to create and set password policy for user pools | Write | |||
CreateUserPoolClient | Grants permission to create user pool app clients | Write | |||
CreateUserPoolDomain | Grants permission to add user pool domains | Write | |||
DeleteGroup | Grants permission to delete any empty user pool group | Write | |||
DeleteIdentityProvider | Grants permission to delete any identity provider from user pools | Write | |||
DeleteResourceServer | Grants permission to delete any OAuth 2.0 resource server from user pools | Write | |||
DeleteUser | Allows a user to delete one's self | Write | |||
DeleteUserAttributes | Deletes the attributes for a user | Write | |||
DeleteUserPool | Grants permission to delete user pools | Write | |||
DeleteUserPoolClient | Grants permission to delete any user pool app client | Write | |||
DeleteUserPoolDomain | Grants permission to delete any user pool domain | Write | |||
DescribeIdentityProvider | Grants permission to describe any user pool identity provider | Read | |||
DescribeResourceServer | Grants permission to describe any OAuth 2.0 resource server | Read | |||
DescribeRiskConfiguration | Grants permission to describe the risk configuration settings of user pools and app clients | Read | |||
DescribeUserImportJob | Grants permission to describe any user import job | Read | |||
DescribeUserPool | Grants permission to describe user pools | Read | |||
DescribeUserPoolClient | Grants permission to describe any user pool app client | Read | |||
DescribeUserPoolDomain | Grants permission to describe any user pool domain | Read | |||
DisassociateWebACL [permission only] | Grants permission to disassociate the user pool with an AWS WAF web ACL | Write | |||
ForgetDevice | Forgets the specified device | Write | |||
ForgotPassword | Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password | Write | |||
GetCSVHeader | Grants permission to generate headers for a user import .csv file | Read | |||
GetDevice | Gets the device | Read | |||
GetGroup | Grants permission to describe a user pool group | Read | |||
GetIdentityProviderByIdentifier | Grants permission to correlate a user pool IdP identifier to the IdP Name | Read | |||
GetSigningCertificate | Grants permission to look up signing certificates for user pools | Read | |||
GetUICustomization | Grants permission to get UI customization information for the hosted UI of any app client | Read | |||
GetUser | Gets the user attributes and metadata for a user | Read | |||
GetUserAttributeVerificationCode | Gets the user attribute verification code for the specified attribute name | Read | |||
GetUserPoolMfaConfig | Grants permission to look up the MFA configuration of user pools | Read | |||
GetWebACLForResource [permission only] | Grants permission to get the AWS WAF web ACL that is associated with an Amazon Cognito user pool | Read | |||
GlobalSignOut | Signs out users from all devices | Write | |||
InitiateAuth | Initiates the authentication flow | Write | |||
ListDevices | Lists the devices | List | |||
ListGroups | Grants permission to list all groups in user pools | List | |||
ListIdentityProviders | Grants permission to list all identity providers in user pools | List | |||
ListResourceServers | Grants permission to list all resource servers in user pools | List | |||
ListResourcesForWebACL [permission only] | Grants permission to list the user pools that are associated with an AWS WAF web ACL | List | |||
ListTagsForResource | Grants permission to list the tags that are assigned to an Amazon Cognito user pool | List | |||
ListUserImportJobs | Grants permission to list all user import jobs | List | |||
ListUserPoolClients | Grants permission to list all app clients in user pools | List | |||
ListUserPools | Grants permission to list all user pools | List | |||
ListUsers | Grants permission to list all user pool users | List | |||
ListUsersInGroup | Grants permission to list the users in any group | List | |||
ResendConfirmationCode | Resends the confirmation (for confirmation of registration) to a specific user in the user pool | Write | |||
RespondToAuthChallenge | Responds to the authentication challenge | Write | |||
RevokeToken | Revokes all of the access tokens generated by the specified refresh token | Write | |||
SetRiskConfiguration | Grants permission to set risk configuration for user pools and app clients | Write | |||
SetUICustomization | Grants permission to customize the hosted UI for any app client | Write | |||
SetUserMFAPreference | Sets MFA preference for the user in the userpool | Write | |||
SetUserPoolMfaConfig | Grants permission to set user pool MFA configuration | Write | |||
SetUserSettings | Sets the user settings like multi-factor authentication (MFA) | Write | |||
SignUp | Registers the user in the specified user pool and creates a user name, password, and user attributes | Write | |||
StartUserImportJob | Grants permission to start any user import job | Write | |||
StopUserImportJob | Grants permission to stop any user import job | Write | |||
TagResource | Grants permission to tag a user pool | Tagging | |||
UntagResource | Grants permission to untag a user pool | Tagging | |||
UpdateAuthEventFeedback | Updates the feedback for the user authentication event | Write | |||
UpdateDeviceStatus | Updates the device status | Write | |||
UpdateGroup | Grants permission to update the configuration of any group | Write | |||
UpdateIdentityProvider | Grants permission to update the configuration of any user pool IdP | Write | |||
UpdateResourceServer | Grants permission to update the configuration of any OAuth 2.0 resource server | Write | |||
UpdateUserAttributes | Allows a user to update a specific attribute (one at a time) | Write | |||
UpdateUserPool | Grants permission to updates the configuration of user pools | Write | |||
UpdateUserPoolClient | Grants permission to update any user pool client | Write | |||
UpdateUserPoolDomain | Grants permission to replace the certificate for any custom domain | Write | |||
VerifySoftwareToken | Registers a user's entered TOTP code and mark the user's software token MFA status as verified if successful | Write | |||
VerifyUserAttribute | Verifies a user attribute using a one time verification code | Write |
Resource types defined by Amazon Cognito User Pools
The following resource types are defined by this service and can be used in the Resource
element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Condition keys for Amazon Cognito User Pools
Amazon Cognito User Pools defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
aws:TagKeys | Filters access by a key that is present in the request | ArrayOfString |