Service: Amazon Cognito User Pools
Short Name: cognito-idp
ARN Format: arn:aws:cognito-idp:${Region}:${Account}:${ResourceType}/${ResourcePath}:
ARN Regex: ^arn:aws:cognito-idp:.+
ReadOnlyAccess
…
AWSResourceExplorerServiceRolePolicy

Action | Access | Reference | Description |
---|---|---|---|
cognito-idp:AdminListDevices | Docs | Grants permission to list any user's remembered devices | |
cognito-idp:AdminListGroupsForUser | Docs | Grants permission to list the groups that any user belongs to | |
cognito-idp:ListDevices | Docs | Grants permission to list the devices | |
cognito-idp:ListGroups | Docs | Grants permission to list all groups in user pools | |
cognito-idp:ListIdentityProviders | Docs | Grants permission to list all identity providers in user pools | |
cognito-idp:ListResourceServers | Docs | Grants permission to list all resource servers in user pools | |
cognito-idp:ListResourcesForWebACL | Docs | Grants permission to list the user pools that are associated with an AWS WAF web ACL | |
cognito-idp:ListTagsForResource | Docs | Grants permission to list the tags that are assigned to an Amazon Cognito user pool | |
cognito-idp:ListUserImportJobs | Docs | Grants permission to list all user import jobs | |
cognito-idp:ListUserPoolClients | Docs | Grants permission to list all app clients in user pools | |
cognito-idp:ListUserPools | Docs | Grants permission to list all user pools | |
cognito-idp:ListUsers | Docs | Grants permission to list all user pool users | |
cognito-idp:ListUsersInGroup | Docs | Grants permission to list the users in any group | |
cognito-idp:AdminGetDevice | Docs | Grants permission to get information about any user's devices | |
cognito-idp:AdminGetUser | Docs | Grants permission to look up any user by user name | |
cognito-idp:AdminListUserAuthEvents | Docs | Grants permission to list sign-in events for any user | |
cognito-idp:DescribeIdentityProvider | Docs | Grants permission to describe any user pool identity provider | |
cognito-idp:DescribeResourceServer | Docs | Grants permission to describe any OAuth 2.0 resource server | |
cognito-idp:DescribeRiskConfiguration | Docs | Grants permission to describe the risk configuration settings of user pools and app clients | |
cognito-idp:DescribeUserImportJob | Docs | Grants permission to describe any user import job | |
cognito-idp:DescribeUserPool | Docs | Grants permission to describe user pools | |
cognito-idp:DescribeUserPoolClient | Docs | Grants permission to describe any user pool app client | |
cognito-idp:DescribeUserPoolDomain | Docs | Grants permission to describe any user pool domain | |
cognito-idp:GetCSVHeader | Docs | Grants permission to generate headers for a user import .csv file | |
cognito-idp:GetDevice | Docs | Grants permission to get the device | |
cognito-idp:GetGroup | Docs | Grants permission to describe a user pool group | |
cognito-idp:GetIdentityProviderByIdentifier | Docs | Grants permission to correlate a user pool IdP identifier to the IdP Name | |
cognito-idp:GetLogDeliveryConfiguration | Docs | Grants permission to get the detailed activity logging configuration for a user pool | |
cognito-idp:GetSigningCertificate | Docs | Grants permission to look up signing certificates for user pools | |
cognito-idp:GetUICustomization | Docs | Grants permission to get UI customization information for the hosted UI of any app client | |
cognito-idp:GetUser | Docs | Grants permission to get the user attributes and metadata for a user | |
cognito-idp:GetUserAttributeVerificationCode | Docs | Grants permission to get the user attribute verification code for the specified attribute name | |
cognito-idp:GetUserPoolMfaConfig | Docs | Grants permission to look up the MFA configuration of user pools | |
cognito-idp:GetWebACLForResource | Docs | Grants permission to get the AWS WAF web ACL that is associated with an Amazon Cognito user pool | |
cognito-idp:TagResource | Docs | Grants permission to tag a user pool | |
cognito-idp:UntagResource | Docs | Grants permission to untag a user pool | |
cognito-idp:AddCustomAttributes | Docs | Grants permission to add user attributes to the user pool schema | |
cognito-idp:AdminAddUserToGroup | Docs | Grants permission to add any user to any group | |
cognito-idp:AdminConfirmSignUp | Docs | Grants permission to confirm any user's registration without a confirmation code | |
cognito-idp:AdminCreateUser | Docs | Grants permission to create new users and send welcome messages via email or SMS | |
cognito-idp:AdminDeleteUser | Docs | Grants permission to delete any user | |
cognito-idp:AdminDeleteUserAttributes | Docs | Grants permission to delete attributes from any user | |
cognito-idp:AdminDisableProviderForUser | Docs | Grants permission to unlink any user pool user from a third-party identity provider (IdP) user | |
cognito-idp:AdminDisableUser | Docs | Grants permission to deactivate any user | |
cognito-idp:AdminEnableUser | Docs | Grants permission to activate any user | |
cognito-idp:AdminForgetDevice | Docs | Grants permission to deregister any user's devices | |
cognito-idp:AdminInitiateAuth | Docs | Grants permission to authenticate any user | |
cognito-idp:AdminLinkProviderForUser | Docs | Grants permission to link any user pool user to a third-party IdP user | |
cognito-idp:AdminRemoveUserFromGroup | Docs | Grants permission to remove any user from any group | |
cognito-idp:AdminResetUserPassword | Docs | Grants permission to reset any user's password | |
cognito-idp:AdminRespondToAuthChallenge | Docs | Grants permission to respond to an authentication challenge during the authentication of any user | |
cognito-idp:AdminSetUserMFAPreference | Docs | Grants permission to set any user's preferred MFA method | |
cognito-idp:AdminSetUserPassword | Docs | Grants permission to set any user's password | |
cognito-idp:AdminSetUserSettings | Docs | Grants permission to set user settings for any user | |
cognito-idp:AdminUpdateAuthEventFeedback | Docs | Grants permission to update advanced security feedback for any user's authentication event | |
cognito-idp:AdminUpdateDeviceStatus | Docs | Grants permission to update the status of any user's remembered devices | |
cognito-idp:AdminUpdateUserAttributes | Docs | Grants permission to update any user's standard or custom attributes | |
cognito-idp:AdminUserGlobalSignOut | Docs | Grants permission to sign out any user from all sessions | |
cognito-idp:AssociateSoftwareToken | Docs | Grants permission to return a unique generated shared secret key code for the user | |
cognito-idp:AssociateWebACL | Docs | Grants permission to associate the user pool with an AWS WAF web ACL | |
cognito-idp:ChangePassword | Docs | Grants permission to change the password for a specified user in a user pool | |
cognito-idp:ConfirmDevice | Docs | Grants permission to confirm tracking of the device. This API call is the call that begins device tracking | |
cognito-idp:ConfirmForgotPassword | Docs | Grants permission to allow a user to enter a confirmation code to reset a forgotten password | |
cognito-idp:ConfirmSignUp | Docs | Grants permission to confirm registration of a user and handle the existing alias from a previous user | |
cognito-idp:CreateGroup | Docs | Grants permission to create new user pool groups | |
cognito-idp:CreateIdentityProvider | Docs | Grants permission to add identity providers to user pools | |
cognito-idp:CreateResourceServer | Docs | Grants permission to create and configure scopes for OAuth 2.0 resource servers | |
cognito-idp:CreateUserImportJob | Docs | Grants permission to create user CSV import jobs | |
cognito-idp:CreateUserPool | Docs | Grants permission to create and set password policy for user pools | |
cognito-idp:CreateUserPoolClient | Docs | Grants permission to create user pool app clients | |
cognito-idp:CreateUserPoolDomain | Docs | Grants permission to add user pool domains | |
cognito-idp:DeleteGroup | Docs | Grants permission to delete any empty user pool group | |
cognito-idp:DeleteIdentityProvider | Docs | Grants permission to delete any identity provider from user pools | |
cognito-idp:DeleteResourceServer | Docs | Grants permission to delete any OAuth 2.0 resource server from user pools | |
cognito-idp:DeleteUser | Docs | Grants permission to allow a user to delete one's self | |
cognito-idp:DeleteUserAttributes | Docs | Grants permission to delete the attributes for a user | |
cognito-idp:DeleteUserPool | Docs | Grants permission to delete user pools | |
cognito-idp:DeleteUserPoolClient | Docs | Grants permission to delete any user pool app client | |
cognito-idp:DeleteUserPoolDomain | Docs | Grants permission to delete any user pool domain | |
cognito-idp:DisassociateWebACL | Docs | Grants permission to disassociate the user pool with an AWS WAF web ACL | |
cognito-idp:ForgetDevice | Docs | Grants permission to forget the specified device | |
cognito-idp:ForgotPassword | Docs | Grants permission to send a message to the end user with a confirmation code that is required to change the user's password | |
cognito-idp:GlobalSignOut | Docs | Grants permission to sign out users from all devices | |
cognito-idp:InitiateAuth | Docs | Grants permission to initiate the authentication flow | |
cognito-idp:ResendConfirmationCode | Docs | Grants permission to resend the confirmation (for confirmation of registration) to a specific user in the user pool | |
cognito-idp:RespondToAuthChallenge | Docs | Grants permission to respond to the authentication challenge | |
cognito-idp:RevokeToken | Docs | Grants permission to revoke all of the access tokens generated by the specified refresh token | |
cognito-idp:SetLogDeliveryConfiguration | Docs | Grants permission to set up or modify the detailed activity logging configuration of a user pool | |
cognito-idp:SetRiskConfiguration | Docs | Grants permission to set risk configuration for user pools and app clients | |
cognito-idp:SetUICustomization | Docs | Grants permission to customize the hosted UI for any app client | |
cognito-idp:SetUserMFAPreference | Docs | Grants permission to set MFA preference for the user in the user pool | |
cognito-idp:SetUserPoolMfaConfig | Docs | Grants permission to set user pool MFA configuration | |
cognito-idp:SetUserSettings | Docs | Grants permission to set the user settings like multi-factor authentication (MFA) | |
cognito-idp:SignUp | Docs | Grants permission to register the user in the specified user pool and create a user name, password, and user attributes | |
cognito-idp:StartUserImportJob | Docs | Grants permission to start any user import job | |
cognito-idp:StopUserImportJob | Docs | Grants permission to stop any user import job | |
cognito-idp:UpdateAuthEventFeedback | Docs | Grants permission to update the feedback for the user authentication event | |
cognito-idp:UpdateDeviceStatus | Docs | Grants permission to update the device status | |
cognito-idp:UpdateGroup | Docs | Grants permission to update the configuration of any group | |
cognito-idp:UpdateIdentityProvider | Docs | Grants permission to update the configuration of any user pool IdP | |
cognito-idp:UpdateResourceServer | Docs | Grants permission to update the configuration of any OAuth 2.0 resource server | |
cognito-idp:UpdateUserAttributes | Docs | Grants permission to allow a user to update a specific attribute (one at a time) | |
cognito-idp:UpdateUserPool | Docs | Grants permission to update the configuration of user pools | |
cognito-idp:UpdateUserPoolClient | Docs | Grants permission to update any user pool client | |
cognito-idp:UpdateUserPoolDomain | Docs | Grants permission to replace the certificate for any custom domain | |
cognito-idp:VerifySoftwareToken | Docs | Grants permission to register a user's entered TOTP code and mark the user's software token MFA status as verified if successful | |
cognito-idp:VerifyUserAttribute | Docs | Grants permission to verify a user attribute using a one time verification code | |
aws:RequestTag/${TagKey}
aws:ResourceTag/${TagKey}
aws:TagKeys