Create a new user pool - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create a new user pool

With a user pool, your users can sign in to your web or mobile app through Amazon Cognito.

Create a new user pool
  1. Go to the Amazon Cognito console. If prompted, enter your Amazon credentials.

  2. Choose the Create user pool button. You might be required to select User Pools from the left navigation pane to reveal this option.

  3. In the top-right corner of the page, choose Create a user pool to start the user pool creation wizard.

  4. In Configure sign-in experience, you can choose the identity providers (IdPs) that you will use with this user pool. For more information, see Adding user pool sign-in through a third party.

    1. Under Authentication providers, for Provider types, ensure that only Cognito user pool is selected.

    2. For Cognito user pool sign-in options, choose User name. Don't select any additional User name requirements.

    3. Keep all other options as the default and choose Next.

  5. In Configure security requirements, you can choose your password policy, multi-factor authentication (MFA) requirements, and user account recovery options. For more information, see Using Amazon Cognito user pools security features.

    1. For Password policy, confirm that Password policy mode is set to Cognito defaults.

    2. Under Multi-factor authentication, for MFA enforcement, choose Optional MFA.

    3. For MFA methods, choose Authenticator apps and SMS message.

    4. For User account recovery, confirm that Enable self-service account recovery is selected, and that the user account recovery message delivery method is set to Email only.

    5. Keep all other options as the default and choose Next.

  6. In Configure sign-up experience, you can determine how new users will verify their identities when signing up as a new user, and which attributes should be required or optional during the user sign-up flow. For more information, see Managing users in your user pool.

    1. Confirm that Enable self-registration is selected. This setting opens your user pool to sign-up from anyone on the internet. This is intended for the purposes of the example application, but apply this setting with caution in production environments.

    2. Under Cognito-assisted verification and confirmation, verify that the Allow Cognito to automatically send messages to verify and confirm check box is selected.

    3. Confirm that Attributes to verify is set to Send email message, verify email address.

    4. Under Verifying attribute changes, confirm that the default options are selected: Keep original attribute value when an update is pending is selected, and Active attribute values when an update is pending is set to Email address.

    5. Under Required attributes, confirm that Required attributes based on previous selections displays email.

      Important

      For this example application, your user pool must not set phone_number as a required attribute. If phone_number is shown as a required attribute, review and update your earlier choices:

      • Optional MFA, Email only for Delivery method for user account recovery messages

      • Send email message, verify email address for Attributes to verify

    6. Keep all other options as the default and choose Next.

  7. In Configure message delivery, you can configure integration with Amazon Simple Email Service and Amazon Simple Notification Service to send email and SMS messages to your users for sign-up, account confirmation, MFA, and account recovery. For more information, see Email settings for Amazon Cognito user pools and SMS message settings for Amazon Cognito user pools.

    1. For Email provider, choose Send email with Cognito, and use the default email sender provided by Amazon Cognito. This default, low-volume setting is sufficient for application testing. You can return later, after you verify an email address with Amazon Simple Email Service (Amazon SES), and choose Send email with Amazon SES.

    2. For SMS, select Create a new IAM role and enter an IAM role name. This creates a role that grants permissions to Amazon Cognito to send SMS messages.

    3. Keep all other options as the default and choose Next.

  8. In Integrate your app, you can name your user pool, configure the hosted UI, and create an app client. For more information, see Add an app client with the hosted UI. The example applications don't use the hosted UI.

    1. Under User pool name, enter a User pool name.

    2. Don’t select Use the Cognito hosted UI.

    3. Under Initial app client, confirm that App type is set to Public client.

    4. Under Client secret, confirm that Don’t generate a client secret is selected.

    5. Enter an App client name.

    6. Expand Advanced app client settings. Add ALLOW_USER_PASSWORD_AUTH to the list of Authentication flows. This enables the USER_PASSWORD_AUTH flow, in which the example application sends the user name and password directly in its sign-in request instead of using SRP.

    7. Keep all other options as the default and choose Next.

  9. Review your choices in the Review and create screen and modify any selections as needed. When you're satisfied with your user pool configuration, choose Create user pool to proceed.

  10. From the User pools page, choose your new user pool.

  11. Under User pool overview, note your User pool ID. You'll provide this string when you create your example application.

  12. Choose the App integration tab and locate the App clients and analytics section. Select your new app client. Note your Client ID.

To create a user pool
  1. Go to the Amazon Cognito console. If prompted, enter your Amazon credentials.

  2. Choose User Pools.

  3. In the top-right corner of the page, choose Create a user pool to start the user pool creation wizard.

  4. In Configure sign-in experience, choose the federated providers that you will use with this user pool. For more information, see Adding user pool sign-in through a third party.

  5. In Configure security requirements, choose your password policy, multi-factor authentication (MFA) requirements, and user account recovery options. For more information, see Using Amazon Cognito user pools security features.

  6. In Configure sign-up experience, determine how new users will verify their identities when signing up, and which attributes should be required or optional during the user sign-up flow. For more information, see Managing users in your user pool.

    Important

    If you activate user sign-up in your user pool, anyone on the internet can sign up for an account and sign in to your apps. Don't enable self-registration in your user pool unless you want to open your app to public sign-up. To change this setting, update Self-service sign-up in the Sign-up experience tab of the user pool console, or update the value of AllowAdminCreateUserOnly in a CreateUserPool or UpdateUserPool API request.

    For information about security features that you can set up in your user pools, see Using Amazon Cognito user pools security features.

  7. In Configure message delivery, configure integration with Amazon Simple Email Service and Amazon Simple Notification Service to send email and SMS messages to your users for sign-up, account confirmation, MFA, and account recovery. For more information, see Email settings for Amazon Cognito user pools and SMS message settings for Amazon Cognito user pools.

  8. In Integrate your app, name your user pool, configure the hosted UI, and create an app client. For more information, see Add an app client with the hosted UI.

  9. Review your choices in the Review and create screen and modify any selections as needed. When you're satisfied with your user pool configuration, select Create user pool to proceed.
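As an added example (not Amazon's code and not part of either procedure above), the following Python check audits a user pool and its app client against the settings the example-application procedure produces (phone_number not required, Optional MFA, email-only recovery, a public client with ALLOW_USER_PASSWORD_AUTH) and against the self-registration choice the Important note in the general procedure describes (AllowAdminCreateUserOnly). It works on dicts shaped like the UserPool and UserPoolClient members of boto3 cognito-idp describe_user_pool and describe_user_pool_client responses; the two samples are constructed, use placeholder IDs, and deliberately contain two mistakes.

```python
# Added example: audit a Cognito user pool and app client against the walkthrough's
# settings. Inputs mirror the "UserPool" / "UserPoolClient" members of boto3 cognito-idp
# describe_user_pool() / describe_user_pool_client() responses. Samples are CONSTRUCTED.

SAMPLE_POOL = {
    "Id": "us-east-1_EXAMPLE",  # placeholder pool ID
    "MfaConfiguration": "OPTIONAL",
    "AutoVerifiedAttributes": ["email"],
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},  # self-registration on
    "AccountRecoverySetting": {
        "RecoveryMechanisms": [{"Priority": 1, "Name": "verified_email"}]},
    "SchemaAttributes": [
        {"Name": "email", "Required": True},
        {"Name": "phone_number", "Required": True},  # mistake: must not be required
    ],
}
SAMPLE_CLIENT = {
    "ClientId": "EXAMPLECLIENTID",  # placeholder; no "ClientSecret" key => public client
    "ExplicitAuthFlows": ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],  # mistake
}


def required_attributes(pool):
    """Names of schema attributes the pool marks Required."""
    return sorted(a["Name"] for a in pool.get("SchemaAttributes", []) if a.get("Required"))


def audit(pool, client, allow_public_signup):
    """Return a list of findings; an empty list means the pool matches the walkthrough."""
    findings = []
    if "phone_number" in required_attributes(pool):
        findings.append("phone_number is required: set MFA to Optional and recovery to Email only")
    if pool.get("MfaConfiguration") != "OPTIONAL":
        findings.append("MFA enforcement is %s, expected OPTIONAL" % pool.get("MfaConfiguration"))
    recovery = [m["Name"] for m in pool["AccountRecoverySetting"]["RecoveryMechanisms"]]
    if recovery != ["verified_email"]:
        findings.append("account recovery is %s, expected email only" % recovery)
    if "email" not in pool.get("AutoVerifiedAttributes", []):
        findings.append("email is not auto-verified at sign-up")
    admin_only = pool["AdminCreateUserConfig"]["AllowAdminCreateUserOnly"]
    if admin_only == allow_public_signup:  # the flag means the opposite of public sign-up
        findings.append("AllowAdminCreateUserOnly=%s contradicts the intended sign-up policy" % admin_only)
    if "ClientSecret" in client:
        findings.append("app client has a client secret; a public client must not")
    if "ALLOW_USER_PASSWORD_AUTH" not in client.get("ExplicitAuthFlows", []):
        findings.append("ALLOW_USER_PASSWORD_AUTH is missing from the app client's auth flows")
    return findings
```

Run audit(SAMPLE_POOL, SAMPLE_CLIENT, allow_public_signup=True) to see the two findings; on a real pool, pass the response members from boto3 instead of the samples.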

For more information on user pools, see Amazon Cognito user pools.

See also: User pool authentication flow and Using tokens with user pools.