Advanced security features including WebAuthn, risk configuration, managed login branding, logging configuration, and other specialized capabilities for Amazon Cognito User Pools.
Configure advanced security features to detect and prevent account compromise.
/**
* Set risk configuration for user pool
* Configure advanced security features and actions for suspicious activities
*/
class SetRiskConfigurationCommand {
constructor(input: SetRiskConfigurationCommandInput);
}
interface SetRiskConfigurationCommandInput {
/** The user pool ID */
UserPoolId: string;
/** Optional client ID for client-specific configuration */
ClientId?: string;
/** Configuration for compromised credentials detection */
CompromisedCredentialsRiskConfiguration?: CompromisedCredentialsRiskConfigurationType;
/** Configuration for account takeover protection */
AccountTakeoverRiskConfiguration?: AccountTakeoverRiskConfigurationType;
/** Configuration for risk exceptions */
RiskExceptionConfiguration?: RiskExceptionConfigurationType;
}
interface CompromisedCredentialsRiskConfigurationType {
/** Actions to take when compromised credentials are detected */
Actions: CompromisedCredentialsActionsType;
/** Event filter for compromised credentials events */
EventFilter?: EventFilterType[];
}
interface CompromisedCredentialsActionsType {
/** Action to take (BLOCK or NO_ACTION) */
EventAction: CompromisedCredentialsEventActionType;
}
type CompromisedCredentialsEventActionType = "BLOCK" | "NO_ACTION";
interface AccountTakeoverRiskConfigurationType {
/** Notify configuration for account takeover events */
NotifyConfiguration?: NotifyConfigurationType;
/** Actions to take based on risk levels */
Actions: AccountTakeoverActionsType;
}
interface AccountTakeoverActionsType {
/** Action for low risk events */
LowAction?: AccountTakeoverActionType;
/** Action for medium risk events */
MediumAction?: AccountTakeoverActionType;
/** Action for high risk events */
HighAction?: AccountTakeoverActionType;
}
interface AccountTakeoverActionType {
/** Notify user of suspicious activity */
Notify: boolean;
/** Action to take (BLOCK, MFA_IF_CONFIGURED, MFA_REQUIRED, NO_ACTION) */
EventAction: AccountTakeoverEventActionType;
}
type AccountTakeoverEventActionType =
| "BLOCK"
| "MFA_IF_CONFIGURED"
| "MFA_REQUIRED"
| "NO_ACTION";
/**
* Get risk configuration for user pool
* Retrieve current advanced security settings
*/
class DescribeRiskConfigurationCommand {
constructor(input: DescribeRiskConfigurationCommandInput);
}
interface DescribeRiskConfigurationCommandInput {
/** The user pool ID */
UserPoolId: string;
/** Optional client ID */
ClientId?: string;
}
interface DescribeRiskConfigurationCommandOutput {
/** Risk configuration details */
RiskConfiguration: RiskConfigurationType;
}Customize the appearance of Cognito hosted UI and login pages.
/**
* Create managed login branding
* Customize the appearance of hosted login pages
*/
class CreateManagedLoginBrandingCommand {
constructor(input: CreateManagedLoginBrandingCommandInput);
}
interface CreateManagedLoginBrandingCommandInput {
/** The user pool ID */
UserPoolId: string;
/** Branding settings */
UseCognitoProvidedValues?: boolean;
/** Custom branding settings */
Settings?: Record<string, string>;
}
interface CreateManagedLoginBrandingCommandOutput {
/** The created branding configuration */
ManagedLoginBranding?: ManagedLoginBrandingType;
}
/**
* Update managed login branding
* Modify existing branding configuration
*/
class UpdateManagedLoginBrandingCommand {
constructor(input: UpdateManagedLoginBrandingCommandInput);
}
interface UpdateManagedLoginBrandingCommandInput {
/** The user pool ID */
UserPoolId: string;
/** The managed login branding ID */
ManagedLoginBrandingId: string;
/** Updated branding settings */
Settings?: Record<string, string>;
/** Assets to update (logos, favicons, etc.) */
Assets?: AssetType[];
}
/**
* Get managed login branding details
* Retrieve branding configuration
*/
class DescribeManagedLoginBrandingCommand {
constructor(input: DescribeManagedLoginBrandingCommandInput);
}
interface DescribeManagedLoginBrandingCommandInput {
/** The user pool ID */
UserPoolId: string;
/** The managed login branding ID */
ManagedLoginBrandingId: string;
}
/**
* Get managed login branding by client
* Retrieve client-specific branding configuration
*/
class DescribeManagedLoginBrandingByClientCommand {
constructor(input: DescribeManagedLoginBrandingByClientCommandInput);
}
interface DescribeManagedLoginBrandingByClientCommandInput {
/** The user pool ID */
UserPoolId: string;
/** The client ID */
ClientId: string;
/** Return URL for the branding */
ReturnURL?: string;
}
/**
* Delete managed login branding
* Remove custom branding configuration
*/
class DeleteManagedLoginBrandingCommand {
constructor(input: DeleteManagedLoginBrandingCommandInput);
}
interface DeleteManagedLoginBrandingCommandInput {
/** The user pool ID */
UserPoolId: string;
/** The managed login branding ID to delete */
ManagedLoginBrandingId: string;
}Legacy UI customization for hosted UI (replaced by Managed Login Branding).
/**
* Set UI customization for hosted UI
* Legacy method for customizing hosted UI appearance
*/
class SetUICustomizationCommand {
constructor(input: SetUICustomizationCommandInput);
}
interface SetUICustomizationCommandInput {
/** The user pool ID */
UserPoolId: string;
/** Optional client ID for client-specific customization */
ClientId?: string;
/** Custom CSS for the hosted UI */
CSS?: string;
/** Custom logo image (base64 encoded) */
ImageFile?: Uint8Array;
}
/**
* Get UI customization settings
* Retrieve current hosted UI customization
*/
class GetUICustomizationCommand {
constructor(input: GetUICustomizationCommandInput);
}
interface GetUICustomizationCommandInput {
/** The user pool ID */
UserPoolId: string;
/** Optional client ID */
ClientId?: string;
}Manage terms and conditions that users must accept.
/**
* Create terms and conditions
* Define legal terms that users must accept
*/
class CreateTermsCommand {
constructor(input: CreateTermsCommandInput);
}
interface CreateTermsCommandInput {
/** The user pool ID */
UserPoolId: string;
/** Terms content or reference */
TermsSource: TermsSourceType;
/** Version identifier for the terms */
Version?: string;
}
interface TermsSourceType {
/** Terms content type */
Type?: string;
/** Terms content or URL */
Content?: string;
}
/**
* Update terms and conditions
* Modify existing terms configuration
*/
class UpdateTermsCommand {
constructor(input: UpdateTermsCommandInput);
}
interface UpdateTermsCommandInput {
/** The user pool ID */
UserPoolId: string;
/** The terms ID to update */
TermsId: string;
/** Updated terms source */
TermsSource?: TermsSourceType;
/** Updated version */
Version?: string;
}
/**
* Get terms details
* Retrieve terms configuration
*/
class DescribeTermsCommand {
constructor(input: DescribeTermsCommandInput);
}
interface DescribeTermsCommandInput {
/** The user pool ID */
UserPoolId: string;
/** The terms ID */
TermsId: string;
}
/**
* List terms for user pool
* Returns all configured terms
*/
class ListTermsCommand {
constructor(input: ListTermsCommandInput);
}
interface ListTermsCommandInput {
/** The user pool ID */
UserPoolId: string;
/** Maximum number of terms to return */
MaxResults?: number;
/** Pagination token */
NextToken?: string;
}
/**
* Delete terms
* Remove terms configuration
*/
class DeleteTermsCommand {
constructor(input: DeleteTermsCommandInput);
}
interface DeleteTermsCommandInput {
/** The user pool ID */
UserPoolId: string;
/** The terms ID to delete */
TermsId: string;
}Configure log delivery to CloudWatch for user pool events.
/**
* Set log delivery configuration
* Configure CloudWatch logging for user pool events
*/
class SetLogDeliveryConfigurationCommand {
constructor(input: SetLogDeliveryConfigurationCommandInput);
}
interface SetLogDeliveryConfigurationCommandInput {
/** The user pool ID */
UserPoolId: string;
/** Log configurations for different event sources */
LogConfigurations: LogConfigurationType[];
}
interface LogConfigurationType {
/** Log level (ERROR, WARN, INFO) */
LogLevel: LogLevelType;
/** Event source to log */
EventSource: EventSourceName;
/** CloudWatch Logs configuration */
CloudWatchLogsConfiguration?: CloudWatchLogsConfigurationType;
/** S3 configuration for log delivery */
S3Configuration?: S3ConfigurationType;
/** Firehose configuration for log delivery */
FirehoseConfiguration?: FirehoseConfigurationType;
}
type LogLevelType = "ERROR" | "WARN" | "INFO";
type EventSourceName = "userNotification" | "userAuthEvents";
interface CloudWatchLogsConfigurationType {
/** CloudWatch log group ARN */
LogGroupArn?: string;
}
/**
* Get log delivery configuration
* Retrieve current logging settings
*/
class GetLogDeliveryConfigurationCommand {
constructor(input: GetLogDeliveryConfigurationCommandInput);
}
interface GetLogDeliveryConfigurationCommandInput {
/** The user pool ID */
UserPoolId: string;
}
interface GetLogDeliveryConfigurationCommandOutput {
/** Log delivery configuration */
LogDeliveryConfiguration?: LogDeliveryConfigurationType;
}Manage SAML signing certificates for identity provider integration.
/**
* Get signing certificate
* Retrieve SAML signing certificate for identity provider
*/
class GetSigningCertificateCommand {
constructor(input: GetSigningCertificateCommandInput);
}
interface GetSigningCertificateCommandInput {
/** The user pool ID */
UserPoolId: string;
}
interface GetSigningCertificateCommandOutput {
/** The signing certificate */
Certificate?: string;
}Manage bulk user import operations for migrating users to Cognito.
/**
* Create user import job
* Set up bulk import of users from CSV file
*/
class CreateUserImportJobCommand {
constructor(input: CreateUserImportJobCommand);
}
interface CreateUserImportJobCommandInput {
/** Job name */
JobName: string;
/** The user pool ID */
UserPoolId: string;
/** CloudWatch Logs role ARN */
CloudWatchLogsRoleArn: string;
}
/**
* Start user import job
* Begin processing the import job
*/
class StartUserImportJobCommand {
constructor(input: StartUserImportJobCommandInput);
}
interface StartUserImportJobCommandInput {
/** The user pool ID */
UserPoolId: string;
/** The job ID to start */
JobId: string;
}
/**
* Stop user import job
* Halt a running import job
*/
class StopUserImportJobCommand {
constructor(input: StopUserImportJobCommandInput);
}
interface StopUserImportJobCommandInput {
/** The user pool ID */
UserPoolId: string;
/** The job ID to stop */
JobId: string;
}
/**
* Get CSV header for import
* Retrieve the required CSV format for user import
*/
class GetCSVHeaderCommand {
constructor(input: GetCSVHeaderCommandInput);
}
interface GetCSVHeaderCommandInput {
/** The user pool ID */
UserPoolId: string;
}
interface GetCSVHeaderCommandOutput {
/** The user pool ID */
UserPoolId?: string;
/** CSV header row */
CSVHeader?: string[];
}
/**
* List user import jobs
* Get all import jobs for a user pool
*/
class ListUserImportJobsCommand {
constructor(input: ListUserImportJobsCommandInput);
}
interface ListUserImportJobsCommandInput {
/** The user pool ID */
UserPoolId: string;
/** Maximum number of jobs to return */
MaxResults: number;
/** Pagination token */
PaginationToken?: string;
}
/**
* Describe user import job
* Get details about a specific import job
*/
class DescribeUserImportJobCommand {
constructor(input: DescribeUserImportJobCommandInput);
}
interface DescribeUserImportJobCommandInput {
/** The user pool ID */
UserPoolId: string;
/** The job ID to describe */
JobId: string;
}Advanced token operations for refresh token handling and revocation.
/**
* Revoke token
* Invalidate a refresh token and all associated tokens
*/
class RevokeTokenCommand {
constructor(input: RevokeTokenCommandInput);
}
interface RevokeTokenCommandInput {
/** The token to revoke */
Token: string;
/** The client ID */
ClientId: string;
/** The client secret (if client has one) */
ClientSecret?: string;
}
/**
* Get tokens from refresh token
* Exchange refresh token for new access and ID tokens
*/
class GetTokensFromRefreshTokenCommand {
constructor(input: GetTokensFromRefreshTokenCommandInput);
}
interface GetTokensFromRefreshTokenCommandInput {
/** The refresh token */
RefreshToken: string;
/** The client ID */
ClientId: string;
/** The client secret (if client has one) */
ClientSecret?: string;
}Advanced Features Configuration Example:
import {
CognitoIdentityProviderClient,
SetRiskConfigurationCommand,
CreateManagedLoginBrandingCommand,
SetLogDeliveryConfigurationCommand,
CreateUserImportJobCommand
} from "@aws-sdk/client-cognito-identity-provider";
const client = new CognitoIdentityProviderClient({ region: "us-east-1" });
const userPoolId = "us-east-1_example123";
// 1. Configure advanced security
await client.send(new SetRiskConfigurationCommand({
UserPoolId: userPoolId,
CompromisedCredentialsRiskConfiguration: {
Actions: {
EventAction: "BLOCK"
}
},
AccountTakeoverRiskConfiguration: {
Actions: {
LowAction: {
Notify: true,
EventAction: "NO_ACTION"
},
MediumAction: {
Notify: true,
EventAction: "MFA_IF_CONFIGURED"
},
HighAction: {
Notify: true,
EventAction: "BLOCK"
}
}
}
}));
// 2. Set up custom branding
const branding = await client.send(new CreateManagedLoginBrandingCommand({
UserPoolId: userPoolId,
Settings: {
primaryColor: "#007bff",
secondaryColor: "#6c757d",
logoUrl: "https://myapp.com/logo.png",
backgroundImageUrl: "https://myapp.com/background.jpg"
}
}));
// 3. Configure logging
await client.send(new SetLogDeliveryConfigurationCommand({
UserPoolId: userPoolId,
LogConfigurations: [
{
LogLevel: "ERROR",
EventSource: "userAuthEvents",
CloudWatchLogsConfiguration: {
LogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/cognito/userpools"
}
},
{
LogLevel: "WARN",
EventSource: "userNotification",
CloudWatchLogsConfiguration: {
LogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/cognito/notifications"
}
}
]
}));
// 4. Set up user import job
const importJob = await client.send(new CreateUserImportJobCommand({
JobName: "InitialUserMigration",
UserPoolId: userPoolId,
CloudWatchLogsRoleArn: "arn:aws:iam::123456789012:role/CognitoImportRole"
}));
console.log("Advanced features configured:");
console.log("- Advanced security enabled with risk-based actions");
console.log("- Custom branding created:", branding.ManagedLoginBranding?.ManagedLoginBrandingId);
console.log("- CloudWatch logging enabled for auth events and notifications");
console.log("- User import job created:", importJob.UserImportJob?.JobId);