CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/npm-pulumi--aws

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.

Pending

Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Overview
Eval results
Files

cognito.mddocs/security/

Amazon Cognito

Amazon Cognito provides authentication, authorization, and user management for web and mobile applications.

Package

import * as aws from "@pulumi/aws";
import * as cognito from "@pulumi/aws/cognito";

Key Resources

User Pool

Cognito user pool for user directory and authentication.

const userPool = new aws.cognito.UserPool("user-pool", {
    name: "my-user-pool",
    autoVerifiedAttributes: ["email"],
    passwordPolicy: {
        minimumLength: 8,
        requireLowercase: true,
        requireNumbers: true,
        requireSymbols: true,
        requireUppercase: true,
    },
    schemas: [{
        name: "email",
        attributeDataType: "String",
        required: true,
        mutable: false,
    }],
});

User Pool Client

Application client for the user pool.

const userPoolClient = new aws.cognito.UserPoolClient("user-pool-client", {
    name: "my-app-client",
    userPoolId: userPool.id,
    generateSecret: false,
    explicitAuthFlows: [
        "ALLOW_USER_PASSWORD_AUTH",
        "ALLOW_REFRESH_TOKEN_AUTH",
    ],
});

Identity Pool

Cognito identity pool for federated identities and AWS credentials.

const identityPool = new aws.cognito.IdentityPool("identity-pool", {
    identityPoolName: "my-identity-pool",
    allowUnauthenticatedIdentities: false,
    cognitoIdentityProviders: [{
        clientId: userPoolClient.id,
        providerName: userPool.endpoint,
    }],
});

Common Patterns

User Pool with MFA

const userPool = new aws.cognito.UserPool("mfa-pool", {
    name: "mfa-user-pool",
    mfaConfiguration: "OPTIONAL",
    softwareTokenMfaConfiguration: {
        enabled: true,
    },
    smsConfiguration: {
        externalId: "my-external-id",
        snsCallerArn: snsRole.arn,
    },
});

User Pool with Email Verification

const userPool = new aws.cognito.UserPool("verified-pool", {
    name: "verified-user-pool",
    autoVerifiedAttributes: ["email"],
    verificationMessageTemplate: {
        defaultEmailOption: "CONFIRM_WITH_CODE",
        emailMessage: "Your verification code is {####}",
        emailSubject: "Verify your email",
    },
    emailConfiguration: {
        emailSendingAccount: "COGNITO_DEFAULT",
    },
});

Identity Pool with Roles

const authenticatedRole = new aws.iam.Role("authenticated", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                Federated: "cognito-identity.amazonaws.com",
            },
            Action: "sts:AssumeRoleWithWebIdentity",
            Condition: {
                StringEquals: {
                    "cognito-identity.amazonaws.com:aud": identityPool.id,
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated",
                },
            },
        }],
    }),
});

new aws.cognito.IdentityPoolRoleAttachment("roles", {
    identityPoolId: identityPool.id,
    roles: {
        authenticated: authenticatedRole.arn,
    },
});

Key Properties

User Pool Properties

  • name - User pool name
  • autoVerifiedAttributes - Attributes verified automatically
  • mfaConfiguration - MFA setting (OFF, ON, OPTIONAL)
  • passwordPolicy - Password requirements
  • schemas - User attributes schema
  • emailConfiguration - Email sending configuration

User Pool Client Properties

  • userPoolId - User pool ID
  • name - Client name
  • generateSecret - Generate client secret
  • explicitAuthFlows - Enabled authentication flows

Identity Pool Properties

  • identityPoolName - Identity pool name
  • allowUnauthenticatedIdentities - Allow unauthenticated access
  • cognitoIdentityProviders - Cognito user pool providers

Output Properties

  • id - Resource identifier
  • arn - Resource ARN
  • endpoint - User pool endpoint

Use Cases

  • User Authentication: Sign up and sign in for web/mobile apps
  • Social Login: Integration with Facebook, Google, Apple
  • API Authorization: Secure API Gateway endpoints
  • Mobile Apps: AWS credentials for mobile SDKs
  • B2B Applications: SAML federation with enterprise identity providers

Related Services

  • API Gateway - API authorization
  • IAM - AWS permissions
  • Lambda - Custom authentication triggers

Install with Tessl CLI

npx tessl i tessl/npm-pulumi--aws@7.16.0

docs

security

acm.md

cognito.md

guardduty.md

iam.md

kms.md

overview.md

secretsmanager.md

securityhub.md

waf.md

index.md

quickstart.md

README.md

tile.json