AWS::Cognito::UserPoolRiskConfigurationAttachment
The AWS::Cognito::UserPoolRiskConfigurationAttachment resource sets the risk configuration that is used for Amazon Cognito advanced security features.
You can specify risk configuration for a single client (with a specific ClientId) or for all clients (by setting the ClientId to ALL). If you specify ALL, the default configuration is used for every client that has had no risk configuration set previously. If you specify risk configuration for a particular client, it no longer falls back to the ALL configuration.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::Cognito::UserPoolRiskConfigurationAttachment",
  "Properties" : {
    "AccountTakeoverRiskConfiguration" : AccountTakeoverRiskConfigurationType,
    "ClientId" : String,
    "CompromisedCredentialsRiskConfiguration" : CompromisedCredentialsRiskConfigurationType,
    "RiskExceptionConfiguration" : RiskExceptionConfigurationType,
    "UserPoolId" : String
  }
}
YAML
Type: AWS::Cognito::UserPoolRiskConfigurationAttachment
Properties:
  AccountTakeoverRiskConfiguration: AccountTakeoverRiskConfigurationType
  ClientId: String
  CompromisedCredentialsRiskConfiguration: CompromisedCredentialsRiskConfigurationType
  RiskExceptionConfiguration: RiskExceptionConfigurationType
  UserPoolId: String
Properties
AccountTakeoverRiskConfiguration
The account takeover risk configuration object, including the NotifyConfiguration object and the Actions to take if there is an account takeover.
Required: No
Type: AccountTakeoverRiskConfigurationType
Update requires: No interruption
ClientId
The app client ID. You can specify the risk configuration for a single client (with a specific ClientId) or for all clients (by setting the ClientId to ALL).
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Pattern: [\w+]+
Update requires: Replacement
CompromisedCredentialsRiskConfiguration
The compromised credentials risk configuration object, including the EventFilter and the EventAction.
Required: No
Type: CompromisedCredentialsRiskConfigurationType
Update requires: No interruption
RiskExceptionConfiguration
The configuration to override the risk decision.
Required: No
Type: RiskExceptionConfigurationType
Update requires: No interruption
UserPoolId
The user pool ID.
Required: Yes
Type: String
Minimum: 1
Maximum: 55
Pattern: [\w-]+_[0-9a-zA-Z]+
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the physicalResourceId, which is "UserPoolRiskConfigurationAttachment-UserPoolId-ClientId". For example:
{ "Ref": "UserPoolRiskConfigurationAttachment-us-east-1_FAKEPOOLID-2asc123fakeclientidajjulj6bh" }
For the Amazon Cognito risk configuration attachment UserPoolRiskConfigurationAttachment-us-east-1_FAKEPOOLID-2asc123fakeclientidajjulj6bh, Ref returns the name of the risk configuration attachment.
For more information about using the Ref function, see Ref.
Examples
Creating a new risk configuration attachment for a user pool
The following example sets risk configurations in the referenced user pool and client.
JSON
{
  "UserPoolRiskConfiguration": {
    "Type": "AWS::Cognito::UserPoolRiskConfigurationAttachment",
    "Properties": {
      "UserPoolId": { "Ref": "UserPool" },
      "ClientId": { "Ref": "Client" },
      "AccountTakeoverRiskConfiguration": {
        "Actions": {
          "HighAction": {
            "EventAction": "MFA_REQUIRED",
            "Notify": true
          },
          "MediumAction": {
            "EventAction": "MFA_IF_CONFIGURED",
            "Notify": true
          },
          "LowAction": {
            "EventAction": { "Ref": "EventAction" },
            "Notify": false
          }
        },
        "NotifyConfiguration": {
          "BlockEmail": {
            "HtmlBody": "html body",
            "Subject": "Your account got blocked",
            "TextBody": "Your account got blocked"
          },
          "MfaEmail": {
            "HtmlBody": "html body",
            "Subject": "Your account needs MFA verification",
            "TextBody": "Your account needs MFA verification"
          },
          "NoActionEmail": {
            "HtmlBody": { "Ref": "HtmlBody" },
            "Subject": { "Ref": "Subject" },
            "TextBody": { "Ref": "TextBody" }
          },
          "From": "your-from-email@amazon.com",
          "SourceArn": { "Ref": "SourceArn" },
          "ReplyTo": "your-reply-to@amazon.com"
        }
      },
      "CompromisedCredentialsRiskConfiguration": {
        "Actions": {
          "EventAction": "BLOCK"
        },
        "EventFilter": [
          { "Ref": "EventFilter" }
        ]
      },
      "RiskExceptionConfiguration": {
        "BlockedIPRangeList": [ "198.0.0.1" ],
        "SkippedIPRangeList": [ "198.0.0.1" ]
      }
    }
  }
}
YAML
UserPoolRiskConfiguration:
  Type: AWS::Cognito::UserPoolRiskConfigurationAttachment
  Properties:
    UserPoolId: !Ref UserPool
    ClientId: !Ref Client
    AccountTakeoverRiskConfiguration:
      Actions:
        HighAction:
          EventAction: "MFA_REQUIRED"
          Notify: True
        MediumAction:
          EventAction: "MFA_IF_CONFIGURED"
          Notify: True
        LowAction:
          EventAction: !Ref LowEventAction
          Notify: False
      NotifyConfiguration:
        BlockEmail:
          HtmlBody: "html body"
          Subject: "Your account got blocked"
          TextBody: "Your account got blocked"
        MfaEmail:
          HtmlBody: "html body"
          Subject: "Your account needs MFA verification"
          TextBody: "Your account needs MFA verification"
        NoActionEmail:
          HtmlBody: !Ref HtmlBody
          Subject: !Ref Subject
          TextBody: !Ref TextBody
        From: "your-from-email@amazon.com"
        SourceArn: !Ref SourceArn
        ReplyTo: "your-reply-to@amazon.com"
    CompromisedCredentialsRiskConfiguration:
      Actions:
        EventAction: "BLOCK"
      EventFilter:
        - !Ref EventFilter
    RiskExceptionConfiguration:
      BlockedIPRangeList:
        - "198.0.0.1"
      SkippedIPRangeList:
        - "198.0.0.1"
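As an added example (not AWS's own code), a static check a deployment pipeline could run over a parsed CloudFormation template before it is deployed: it finds every UserPoolRiskConfigurationAttachment, confirms that the high-risk account takeover action is BLOCK or MFA_REQUIRED, that compromised credentials are set to BLOCK, and that no SkippedIPRangeList entry overlaps a BlockedIPRangeList entry (the example above lists the same address in both). The sample template, its resource names, e-mail address and IP ranges are all constructed for this example.

```python
import ipaddress

RISK_TYPE = "AWS::Cognito::UserPoolRiskConfigurationAttachment"
STRONG_HIGH_ACTIONS = {"BLOCK", "MFA_REQUIRED"}

# Constructed sample template (not the page's own). "DefaultRisk" is the ALL
# fallback; "MobileRisk" overrides it for one client with weaker settings.
SAMPLE_TEMPLATE = {"Resources": {
    "DefaultRisk": {"Type": RISK_TYPE, "Properties": {
        "UserPoolId": {"Ref": "UserPool"}, "ClientId": "ALL",
        "AccountTakeoverRiskConfiguration": {
            "Actions": {"HighAction": {"EventAction": "BLOCK", "Notify": True}},
            "NotifyConfiguration": {"From": "no-reply@example.com",
                                    "SourceArn": {"Ref": "SourceArn"}}},
        "CompromisedCredentialsRiskConfiguration": {"Actions": {"EventAction": "BLOCK"}}}},
    "MobileRisk": {"Type": RISK_TYPE, "Properties": {
        "UserPoolId": {"Ref": "UserPool"}, "ClientId": {"Ref": "MobileClient"},
        "AccountTakeoverRiskConfiguration": {
            "Actions": {"HighAction": {"EventAction": "NO_ACTION", "Notify": False}}},
        "RiskExceptionConfiguration": {"BlockedIPRangeList": ["198.51.100.0/24"],
                                       "SkippedIPRangeList": ["198.51.100.7"]}}},
}}

def check_attachment(name, props):
    """Return policy findings for one attachment's Properties (literal values only)."""
    findings = []
    ato = props.get("AccountTakeoverRiskConfiguration", {})
    high = ato.get("Actions", {}).get("HighAction", {}).get("EventAction")
    if high not in STRONG_HIGH_ACTIONS:
        findings.append(f"{name}: HighAction is {high!r}, expected BLOCK or MFA_REQUIRED")
    cc = props.get("CompromisedCredentialsRiskConfiguration", {})
    if cc.get("Actions", {}).get("EventAction") != "BLOCK":
        findings.append(f"{name}: compromised credentials EventAction is not BLOCK")
    exc = props.get("RiskExceptionConfiguration", {})
    def nets(key):  # Ref/intrinsic objects cannot be resolved statically; strings only
        return [ipaddress.ip_network(v, strict=False) for v in exc.get(key, []) if isinstance(v, str)]
    # An address that is both skipped and blocked is a policy contradiction worth surfacing.
    for skipped in nets("SkippedIPRangeList"):
        for blocked in nets("BlockedIPRangeList"):
            if skipped.overlaps(blocked):
                findings.append(f"{name}: skipped {skipped} overlaps blocked {blocked}")
    return findings

def check_template(template):
    """Check every risk configuration attachment in a parsed CloudFormation template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == RISK_TYPE:
            findings.extend(check_attachment(name, res.get("Properties", {})))
    return findings
```

Because a client-specific attachment no longer falls back to the ALL configuration, the check is applied to every attachment independently rather than assuming the ALL settings cover it.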