AWS::Cognito::UserPoolRiskConfigurationAttachment
The AWS::Cognito::UserPoolRiskConfigurationAttachment resource sets the risk
configuration that is used for Amazon Cognito advanced security features.
You can specify risk configuration for a single client (with a specific
clientId) or for all clients (by setting the clientId to
ALL). If you specify ALL, the default configuration is used for
every client that has had no risk configuration set previously. If you specify risk
configuration for a particular client, it no longer falls back to the ALL
configuration.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::Cognito::UserPoolRiskConfigurationAttachment",
  "Properties" : {
    "AccountTakeoverRiskConfiguration" : AccountTakeoverRiskConfigurationType,
    "ClientId" : String,
    "CompromisedCredentialsRiskConfiguration" : CompromisedCredentialsRiskConfigurationType,
    "RiskExceptionConfiguration" : RiskExceptionConfigurationType,
    "UserPoolId" : String
  }
}
YAML
Type: AWS::Cognito::UserPoolRiskConfigurationAttachment
Properties:
  AccountTakeoverRiskConfiguration: AccountTakeoverRiskConfigurationType
  ClientId: String
  CompromisedCredentialsRiskConfiguration: CompromisedCredentialsRiskConfigurationType
  RiskExceptionConfiguration: RiskExceptionConfigurationType
  UserPoolId: String
Properties
AccountTakeoverRiskConfiguration
    The account takeover risk configuration object, including the NotifyConfiguration object and the Actions to take if there is an account takeover.
    Required: No
    Type: AccountTakeoverRiskConfigurationType
    Update requires: No interruption
ClientId
    The app client ID. You can specify the risk configuration for a single client (with a specific ClientId) or for all clients (by setting the ClientId to ALL).
    Required: Yes
    Type: String
    Minimum: 1
    Maximum: 128
    Pattern: [\w+]+
    Update requires: Replacement
CompromisedCredentialsRiskConfiguration
    The compromised credentials risk configuration object, including the EventFilter and the EventAction.
    Required: No
    Type: CompromisedCredentialsRiskConfigurationType
    Update requires: No interruption
RiskExceptionConfiguration
    The configuration to override the risk decision.
    Required: No
    Type: RiskExceptionConfigurationType
    Update requires: No interruption
UserPoolId
    The user pool ID.
    Required: Yes
    Type: String
    Minimum: 1
    Maximum: 55
    Pattern: [\w-]+_[0-9a-zA-Z]+
    Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the physicalResourceId, which is "UserPoolRiskConfigurationAttachment-UserPoolId-ClientId". For example:
    { "Ref": "UserPoolRiskConfigurationAttachment-us-east-1_FAKEPOOLID-2asc123fakeclientidajjulj6bh" }
For the Amazon Cognito risk configuration attachment UserPoolRiskConfigurationAttachment-us-east-1_FAKEPOOLID-2asc123fakeclientidajjulj6bh, Ref returns the name of the risk configuration attachment.
For more information about using the Ref function, see Ref.
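As an added example (not part of the AWS documentation), the following Python models the fallback rule described at the top of this page and the Ref value described above: it resolves which attachment governs a given app client, reports the risk sections a client silently loses when its own attachment replaces the ALL one, checks the documented ClientId and UserPoolId constraints, and builds the physicalResourceId. The attachment map and ids are constructed sample data.

```python
import re

# Length and pattern limits from the property reference on this page.
USER_POOL_ID_RE = re.compile(r"^[\w-]+_[0-9a-zA-Z]+$", re.ASCII)  # 1..55 chars
CLIENT_ID_RE = re.compile(r"^[\w+]+$", re.ASCII)                  # 1..128 chars


def id_problems(user_pool_id: str, client_id: str) -> list:
    """Return the constraint violations for the two ids (empty list when both are valid)."""
    problems = []
    if not (1 <= len(user_pool_id) <= 55 and USER_POOL_ID_RE.match(user_pool_id)):
        problems.append(f"UserPoolId {user_pool_id!r}: must be 1-55 chars matching [\\w-]+_[0-9a-zA-Z]+")
    if not (1 <= len(client_id) <= 128 and CLIENT_ID_RE.match(client_id)):
        problems.append(f"ClientId {client_id!r}: must be 1-128 chars matching [\\w+]+")
    return problems


def physical_id(user_pool_id: str, client_id: str) -> str:
    """The value Ref returns: UserPoolRiskConfigurationAttachment-UserPoolId-ClientId."""
    problems = id_problems(user_pool_id, client_id)
    if problems:
        raise ValueError("; ".join(problems))
    return f"UserPoolRiskConfigurationAttachment-{user_pool_id}-{client_id}"


def effective_risk_config(attachments: dict, client_id: str) -> tuple:
    """Resolve which attachment governs a client.

    `attachments` maps ClientId ("ALL" or a specific id) to that attachment's
    Properties. A client-specific attachment replaces the ALL one entirely (there
    is no merging); otherwise ALL applies; with neither, no risk config is in force.
    Returns (source, properties) where source is the ClientId used, or None.
    """
    if client_id in attachments:
        return client_id, attachments[client_id]
    if "ALL" in attachments:
        return "ALL", attachments["ALL"]
    return None, None


def lost_sections(attachments: dict, client_id: str) -> list:
    """Risk sections present on ALL that a client no longer gets once it has its own attachment."""
    source, props = effective_risk_config(attachments, client_id)
    if source in (None, "ALL"):
        return []
    return sorted(k for k in attachments.get("ALL", {}) if k not in props)


# Constructed sample: ALL blocks compromised credentials; one client overrides with only ATO actions.
SAMPLE_ATTACHMENTS = {
    "ALL": {"CompromisedCredentialsRiskConfiguration": {"Actions": {"EventAction": "BLOCKED"}}},
    "2asc123fakeclientidajjulj6bh": {
        "AccountTakeoverRiskConfiguration": {"Actions": {"HighAction": {"EventAction": "MFA_REQUIRED", "Notify": True}}}
    },
}
```

Running `lost_sections(SAMPLE_ATTACHMENTS, "2asc123fakeclientidajjulj6bh")` is the check worth adding to a template review: a partial client-specific attachment drops the ALL protections for that client rather than layering on top of them.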
Examples
Creating a new risk configuration attachment for a user pool
The following example sets risk configurations in the referenced user pool and client.
JSON
{
  "UserPoolRiskConfiguration": {
    "Type": "AWS::Cognito::UserPoolRiskConfigurationAttachment",
    "Properties": {
      "UserPoolId": { "Ref": "UserPool" },
      "ClientId": { "Ref": "Client" },
      "AccountTakeoverRiskConfiguration": {
        "Actions": {
          "HighAction": { "EventAction": "MFA_REQUIRED", "Notify": true },
          "MediumAction": { "EventAction": "MFA_IF_CONFIGURED", "Notify": true },
          "LowAction": { "EventAction": { "Ref": "EventAction" }, "Notify": false }
        },
        "NotifyConfiguration": {
          "BlockEmail": {
            "HtmlBody": "html body",
            "Subject": "Your account got blocked",
            "TextBody": "Your account got blocked"
          },
          "MfaEmail": {
            "HtmlBody": "html body",
            "Subject": "Your account needs MFA verification",
            "TextBody": "Your account needs MFA verification"
          },
          "NoActionEmail": {
            "HtmlBody": { "Ref": "HtmlBody" },
            "Subject": { "Ref": "Subject" },
            "TextBody": { "Ref": "TextBody" }
          },
          "From": "your-from-email@amazon.com",
          "SourceArn": { "Ref": "SourceArn" },
          "ReplyTo": "your-reply-to@amazon.com"
        }
      },
      "CompromisedCredentialsRiskConfiguration": {
        "Actions": { "EventAction": "BLOCKED" },
        "EventFilter": [ { "Ref": "EventFilter" } ]
      },
      "RiskExceptionConfiguration": {
        "BlockedIPRangeList": [ "198.0.0.1" ],
        "SkippedIPRangeList": [ "198.0.0.1" ]
      }
    }
  }
}
YAML
UserPoolRiskConfiguration:
  Type: AWS::Cognito::UserPoolRiskConfigurationAttachment
  Properties:
    UserPoolId: !Ref UserPool
    ClientId: !Ref Client
    AccountTakeoverRiskConfiguration:
      Actions:
        HighAction:
          EventAction: "MFA_REQUIRED"
          Notify: True
        MediumAction:
          EventAction: "MFA_IF_CONFIGURED"
          Notify: True
        LowAction:
          EventAction: !Ref LowEventAction
          Notify: False
      NotifyConfiguration:
        BlockEmail:
          HtmlBody: "html body"
          Subject: "Your account got blocked"
          TextBody: "Your account got blocked"
        MfaEmail:
          HtmlBody: "html body"
          Subject: "Your account needs MFA verification"
          TextBody: "Your account needs MFA verification"
        NoActionEmail:
          HtmlBody: !Ref HtmlBody
          Subject: !Ref Subject
          TextBody: !Ref TextBody
        From: "your-from-email@amazon.com"
        SourceArn: !Ref SourceArn
        ReplyTo: "your-reply-to@amazon.com"
    CompromisedCredentialsRiskConfiguration:
      Actions:
        EventAction: "BLOCKED"
      EventFilter:
        - !Ref EventFilter
    RiskExceptionConfiguration:
      BlockedIPRangeList:
        - "198.0.0.1"
      SkippedIPRangeList:
        - "198.0.0.1"