AWS::Cognito::UserPoolRiskConfigurationAttachment
The AWS::Cognito::UserPoolRiskConfigurationAttachment resource sets the risk configuration that is used for Amazon Cognito advanced security features.
You can specify risk configuration for a single client (with a specific clientId) or for all clients (by setting the clientId to ALL). If you specify ALL, that configuration is used for every client that has had no risk configuration set previously. If you specify risk configuration for a particular client, it no longer falls back to the ALL configuration, so a client-level attachment must carry every setting that client needs; anything you leave out is not inherited from the pool-wide attachment.
The configured actions take effect only when the user pool's advanced security features are in ENFORCED mode. In AUDIT mode Amazon Cognito records risk events but takes none of the actions configured here.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::Cognito::UserPoolRiskConfigurationAttachment",
  "Properties" : {
      "AccountTakeoverRiskConfiguration" : AccountTakeoverRiskConfigurationType,
      "ClientId" : String,
      "CompromisedCredentialsRiskConfiguration" : CompromisedCredentialsRiskConfigurationType,
      "RiskExceptionConfiguration" : RiskExceptionConfigurationType,
      "UserPoolId" : String
    }
}
YAML
Type: AWS::Cognito::UserPoolRiskConfigurationAttachment
Properties:
  AccountTakeoverRiskConfiguration: AccountTakeoverRiskConfigurationType
  ClientId: String
  CompromisedCredentialsRiskConfiguration: CompromisedCredentialsRiskConfigurationType
  RiskExceptionConfiguration: RiskExceptionConfigurationType
  UserPoolId: String
Properties
AccountTakeoverRiskConfiguration
The settings for automated responses and notification templates for adaptive authentication with advanced security features.
Required: No
Type: AccountTakeoverRiskConfigurationType
Update requires: No interruption
ClientId
The app client where this configuration is applied. Set it to ALL to apply the configuration to every app client in the user pool that has no client-level attachment of its own; a client that has its own attachment uses only that attachment.
Required: Yes
Type: String
Pattern: [\w+]+
Minimum: 1
Maximum: 128
Update requires: Replacement
CompromisedCredentialsRiskConfiguration
Settings for compromised-credentials actions and authentication types with advanced security features in full-function ENFORCED mode.
Required: No
Type: CompromisedCredentialsRiskConfigurationType
Update requires: No interruption
RiskExceptionConfiguration
Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
Required: No
Type: RiskExceptionConfigurationType
Update requires: No interruption
UserPoolId
The ID of the user pool that has the risk configuration applied.
Required: Yes
Type: String
Pattern: [\w-]+_[0-9a-zA-Z]+
Minimum: 1
Maximum: 55
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the physical resource ID, which has the form UserPoolRiskConfigurationAttachment-UserPoolId-ClientId. For example, for a resource declared with the logical ID UserPoolRiskConfiguration (as in the example below):
{ "Ref": "UserPoolRiskConfiguration" }
returns the name of the risk configuration attachment, such as UserPoolRiskConfigurationAttachment-us-east-1_FAKEPOOLID-2asc123fakeclientidajjulj6bh.
For more information about using the Ref function, see Ref.
Examples
Creating a new risk configuration attachment for a user pool
The following example sets risk configurations in the referenced user pool and client.
JSON
{
  "UserPoolRiskConfiguration": {
    "Type": "AWS::Cognito::UserPoolRiskConfigurationAttachment",
    "Properties": {
      "UserPoolId": { "Ref": "UserPool" },
      "ClientId": { "Ref": "Client" },
      "AccountTakeoverRiskConfiguration": {
        "Actions": {
          "HighAction": { "EventAction": "MFA_REQUIRED", "Notify": true },
          "MediumAction": { "EventAction": "MFA_IF_CONFIGURED", "Notify": true },
          "LowAction": { "EventAction": { "Ref": "EventAction" }, "Notify": false }
        },
        "NotifyConfiguration": {
          "BlockEmail": {
            "HtmlBody": "html body",
            "Subject": "Your account got blocked",
            "TextBody": "Your account got blocked"
          },
          "MfaEmail": {
            "HtmlBody": "html body",
            "Subject": "Your account needs MFA verification",
            "TextBody": "Your account needs MFA verification"
          },
          "NoActionEmail": {
            "HtmlBody": { "Ref": "HtmlBody" },
            "Subject": { "Ref": "Subject" },
            "TextBody": { "Ref": "TextBody" }
          },
          "From": "your-from-email@amazon.com",
          "SourceArn": { "Ref": "SourceArn" },
          "ReplyTo": "your-reply-to@amazon.com"
        }
      },
      "CompromisedCredentialsRiskConfiguration": {
        "Actions": { "EventAction": "BLOCK" },
        "EventFilter": [ { "Ref": "EventFilter" } ]
      },
      "RiskExceptionConfiguration": {
        "BlockedIPRangeList": [ "198.0.0.1" ],
        "SkippedIPRangeList": [ "198.0.0.1" ]
      }
    }
  }
}
YAML
UserPoolRiskConfiguration:
  Type: AWS::Cognito::UserPoolRiskConfigurationAttachment
  Properties:
    UserPoolId: !Ref UserPool
    ClientId: !Ref Client
    AccountTakeoverRiskConfiguration:
      Actions:
        HighAction:
          EventAction: "MFA_REQUIRED"
          Notify: True
        MediumAction:
          EventAction: "MFA_IF_CONFIGURED"
          Notify: True
        LowAction:
          EventAction: !Ref LowEventAction
          Notify: False
      NotifyConfiguration:
        BlockEmail:
          HtmlBody: "html body"
          Subject: "Your account got blocked"
          TextBody: "Your account got blocked"
        MfaEmail:
          HtmlBody: "html body"
          Subject: "Your account needs MFA verification"
          TextBody: "Your account needs MFA verification"
        NoActionEmail:
          HtmlBody: !Ref HtmlBody
          Subject: !Ref Subject
          TextBody: !Ref TextBody
        From: "your-from-email@amazon.com"
        SourceArn: !Ref SourceArn
        ReplyTo: "your-reply-to@amazon.com"
    CompromisedCredentialsRiskConfiguration:
      Actions:
        EventAction: "BLOCK"
      EventFilter:
        - !Ref EventFilter
    RiskExceptionConfiguration:
      BlockedIPRangeList:
        - "198.0.0.1"
      SkippedIPRangeList:
        - "198.0.0.1"
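The ALL-versus-client fallback rule in the resource description is easy to get wrong in a template that carries several attachments for one pool: a narrow client-level attachment silently drops whatever the pool-wide one provided. The following script is an added example, not code from the AWS documentation. It works the rule out over a constructed template (the pool ID, app client ID, logical IDs and RFC 5737 IP ranges are all hypothetical), resolving which attachment applies to a given client and then flagging the settings a reviewer would question: a HighAction that neither blocks nor requires MFA, a missing compromised-credentials action, and always-allow and always-block ranges that overlap.

```python
"""Resolve and sanity-check AWS::Cognito::UserPoolRiskConfigurationAttachment
resources in a CloudFormation template.

Added example, not from the AWS documentation. TEMPLATE is constructed for
illustration; every identifier in it is hypothetical.
"""
from __future__ import annotations

import ipaddress
from typing import Any

RISK_ATTACHMENT = "AWS::Cognito::UserPoolRiskConfigurationAttachment"
POOL_ID = "us-east-1_FAKEPOOLID"      # hypothetical user pool ID
ADMIN_CLIENT = "1example23456789"     # hypothetical app client ID

# Constructed template: a pool-wide attachment (ClientId ALL) plus a narrower
# client-level override that forgets CompromisedCredentialsRiskConfiguration.
TEMPLATE: dict[str, Any] = {
    "Resources": {
        "PoolWideRisk": {
            "Type": RISK_ATTACHMENT,
            "Properties": {
                "UserPoolId": POOL_ID,
                "ClientId": "ALL",
                "AccountTakeoverRiskConfiguration": {
                    "Actions": {
                        "HighAction": {"EventAction": "BLOCK", "Notify": True},
                        "MediumAction": {"EventAction": "MFA_REQUIRED", "Notify": True},
                        "LowAction": {"EventAction": "MFA_IF_CONFIGURED", "Notify": False},
                    }
                },
                "CompromisedCredentialsRiskConfiguration": {
                    "Actions": {"EventAction": "BLOCK"}
                },
                "RiskExceptionConfiguration": {
                    "BlockedIPRangeList": ["198.51.100.0/24"],
                    "SkippedIPRangeList": ["203.0.113.0/24"],
                },
            },
        },
        "AdminClientRisk": {
            "Type": RISK_ATTACHMENT,
            "Properties": {
                "UserPoolId": POOL_ID,
                "ClientId": ADMIN_CLIENT,
                "AccountTakeoverRiskConfiguration": {
                    "Actions": {"HighAction": {"EventAction": "NO_ACTION", "Notify": True}}
                },
                "RiskExceptionConfiguration": {
                    "BlockedIPRangeList": ["198.51.100.0/24"],
                    "SkippedIPRangeList": ["198.51.100.0/28"],
                },
            },
        },
    }
}


def attachments_for_pool(template: dict[str, Any], pool_id: str) -> dict[str, dict[str, Any]]:
    """Map ClientId -> Properties for every risk attachment on one user pool."""
    out: dict[str, dict[str, Any]] = {}
    for res in template.get("Resources", {}).values():
        props = res.get("Properties", {})
        if res.get("Type") == RISK_ATTACHMENT and props.get("UserPoolId") == pool_id:
            out[props["ClientId"]] = props
    return out


def effective_config(template: dict[str, Any], pool_id: str, client_id: str) -> dict[str, Any] | None:
    """Fallback rule from the resource description: a client with its own
    attachment uses that attachment and no longer falls back to ALL; every
    other client uses the ALL attachment, if one exists."""
    by_client = attachments_for_pool(template, pool_id)
    return by_client.get(client_id, by_client.get("ALL"))


def lint(props: dict[str, Any] | None) -> list[str]:
    """Return the findings a reviewer would raise about one effective config."""
    if props is None:
        return ["no risk configuration applies to this client"]
    findings: list[str] = []
    actions = props.get("AccountTakeoverRiskConfiguration", {}).get("Actions", {})
    high = actions.get("HighAction", {}).get("EventAction")
    if high not in ("BLOCK", "MFA_REQUIRED"):
        findings.append(f"HighAction is {high!r}; high-risk sign-ins are neither blocked nor always challenged")
    if "CompromisedCredentialsRiskConfiguration" not in props:
        findings.append("CompromisedCredentialsRiskConfiguration missing; leaked credentials are not acted on")
    exc = props.get("RiskExceptionConfiguration", {})
    blocked = [ipaddress.ip_network(c, strict=False) for c in exc.get("BlockedIPRangeList", [])]
    skipped = [ipaddress.ip_network(c, strict=False) for c in exc.get("SkippedIPRangeList", [])]
    for s in skipped:
        for b in blocked:
            if s.overlaps(b):
                findings.append(f"always-allow range {s} overlaps always-block range {b}; resolve explicitly")
    return findings


if __name__ == "__main__":
    for client in (ADMIN_CLIENT, "some-other-client"):
        cfg = effective_config(TEMPLATE, POOL_ID, client)
        print(client, "->", cfg["ClientId"] if cfg else None, lint(cfg))
```

Run against the constructed template, the unnamed client resolves to the ALL attachment and passes clean, while the admin client resolves to its own attachment and collects three findings, the middle one being exactly the lost compromised-credentials protection that the no-fallback rule produces. The overlap check does not claim which list wins when an address is in both; it only asks you to remove the ambiguity before deploying.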