Skip to content

API Reference

Constructs

UserIdentity

Creates a UserPool and Identity Pool with sane defaults configured intended for usage from a web client.

Initializers 

import software.aws.pdk.identity.UserIdentity;

UserIdentity.Builder.create(Construct scope, java.lang.String id)
//  .allowSignup(java.lang.Boolean)
//  .identityPoolOptions(IdentityPoolProps)
//  .userPool(UserPool)
    .build();
Name Type Description
scope software.constructs.Construct No description.
id java.lang.String No description.
allowSignup java.lang.Boolean Allow self sign up.
identityPoolOptions software.amazon.awscdk.services.cognito.identitypool.alpha.IdentityPoolProps Configuration for the Identity Pool.
userPool software.amazon.awscdk.services.cognito.UserPool User provided Cognito UserPool.
scopeRequired
  • Type: software.constructs.Construct
idRequired
  • Type: java.lang.String
allowSignupOptional
  • Type: java.lang.Boolean
  • Default: false

Allow self sign up.

identityPoolOptionsOptional
  • Type: software.amazon.awscdk.services.cognito.identitypool.alpha.IdentityPoolProps

Configuration for the Identity Pool.

userPoolOptional
  • Type: software.amazon.awscdk.services.cognito.UserPool
  • Default: a userpool with mfa will be created.

User provided Cognito UserPool.

Methods

Name Description
toString Returns a string representation of this construct.
toString 
public java.lang.String toString()

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.
isConstruct 
import software.aws.pdk.identity.UserIdentity;

UserIdentity.isConstruct(java.lang.Object x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: java.lang.Object

Any object.

Properties

Name Type Description
node software.constructs.Node The tree node.
identityPool software.amazon.awscdk.services.cognito.identitypool.alpha.IdentityPool No description.
userPool software.amazon.awscdk.services.cognito.UserPool No description.
userPoolClient software.amazon.awscdk.services.cognito.UserPoolClient No description.
nodeRequired 
public Node getNode();
  • Type: software.constructs.Node

The tree node.

identityPoolRequired 
public IdentityPool getIdentityPool();
  • Type: software.amazon.awscdk.services.cognito.identitypool.alpha.IdentityPool
userPoolRequired 
public UserPool getUserPool();
  • Type: software.amazon.awscdk.services.cognito.UserPool
userPoolClientRequired 
public UserPoolClient getUserPoolClient();
  • Type: software.amazon.awscdk.services.cognito.UserPoolClient

UserPoolWithMfa

Configures a UserPool with MFA across SMS/TOTP using sane defaults.

Initializers 

import software.aws.pdk.identity.UserPoolWithMfa;

UserPoolWithMfa.Builder.create(Construct scope, java.lang.String id)
//  .accountRecovery(AccountRecovery)
//  .advancedSecurityMode(AdvancedSecurityMode)
//  .autoVerify(AutoVerifiedAttrs)
//  .customAttributes(java.util.Map<java.lang.String, ICustomAttribute>)
//  .customSenderKmsKey(IKey)
//  .deletionProtection(java.lang.Boolean)
//  .deviceTracking(DeviceTracking)
//  .email(UserPoolEmail)
//  .enableSmsRole(java.lang.Boolean)
//  .keepOriginal(KeepOriginalAttrs)
//  .lambdaTriggers(UserPoolTriggers)
//  .mfa(Mfa)
//  .mfaMessage(java.lang.String)
//  .mfaSecondFactor(MfaSecondFactor)
//  .passwordPolicy(PasswordPolicy)
//  .removalPolicy(RemovalPolicy)
//  .selfSignUpEnabled(java.lang.Boolean)
//  .signInAliases(SignInAliases)
//  .signInCaseSensitive(java.lang.Boolean)
//  .smsRole(IRole)
//  .smsRoleExternalId(java.lang.String)
//  .snsRegion(java.lang.String)
//  .standardAttributes(StandardAttributes)
//  .userInvitation(UserInvitationConfig)
//  .userPoolName(java.lang.String)
//  .userVerification(UserVerificationConfig)
    .build();
Name Type Description
scope software.constructs.Construct No description.
id java.lang.String No description.
accountRecovery software.amazon.awscdk.services.cognito.AccountRecovery How will a user be able to recover their account?
advancedSecurityMode software.amazon.awscdk.services.cognito.AdvancedSecurityMode The user pool's Advanced Security Mode.
autoVerify software.amazon.awscdk.services.cognito.AutoVerifiedAttrs Attributes which Cognito will look to verify automatically upon user sign up.
customAttributes java.util.Map Define a set of custom attributes that can be configured for each user in the user pool.
customSenderKmsKey software.amazon.awscdk.services.kms.IKey This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
deletionProtection java.lang.Boolean Indicates whether the user pool should have deletion protection enabled.
deviceTracking software.amazon.awscdk.services.cognito.DeviceTracking Device tracking settings.
email software.amazon.awscdk.services.cognito.UserPoolEmail Email settings for a user pool.
enableSmsRole java.lang.Boolean Setting this would explicitly enable or disable SMS role creation.
keepOriginal software.amazon.awscdk.services.cognito.KeepOriginalAttrs Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
lambdaTriggers software.amazon.awscdk.services.cognito.UserPoolTriggers Lambda functions to use for supported Cognito triggers.
mfa software.amazon.awscdk.services.cognito.Mfa Configure whether users of this user pool can or are required use MFA to sign in.
mfaMessage java.lang.String The SMS message template sent during MFA verification.
mfaSecondFactor software.amazon.awscdk.services.cognito.MfaSecondFactor Configure the MFA types that users can use in this user pool.
passwordPolicy software.amazon.awscdk.services.cognito.PasswordPolicy Password policy for this user pool.
removalPolicy software.amazon.awscdk.RemovalPolicy Policy to apply when the user pool is removed from the stack.
selfSignUpEnabled java.lang.Boolean Whether self sign-up should be enabled.
signInAliases software.amazon.awscdk.services.cognito.SignInAliases Methods in which a user registers or signs in to a user pool.
signInCaseSensitive java.lang.Boolean Whether sign-in aliases should be evaluated with case sensitivity.
smsRole software.amazon.awscdk.services.iam.IRole The IAM role that Cognito will assume while sending SMS messages.
smsRoleExternalId java.lang.String The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.
snsRegion java.lang.String The region to integrate with SNS to send SMS messages.
standardAttributes software.amazon.awscdk.services.cognito.StandardAttributes The set of attributes that are required for every user in the user pool.
userInvitation software.amazon.awscdk.services.cognito.UserInvitationConfig Configuration around admins signing up users into a user pool.
userPoolName java.lang.String Name of the user pool.
userVerification software.amazon.awscdk.services.cognito.UserVerificationConfig Configuration around users signing themselves up to the user pool.
scopeRequired
  • Type: software.constructs.Construct
idRequired
  • Type: java.lang.String
accountRecoveryOptional
  • Type: software.amazon.awscdk.services.cognito.AccountRecovery
  • Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

How will a user be able to recover their account?

advancedSecurityModeOptional
  • Type: software.amazon.awscdk.services.cognito.AdvancedSecurityMode
  • Default: no value

The user pool's Advanced Security Mode.

autoVerifyOptional
  • Type: software.amazon.awscdk.services.cognito.AutoVerifiedAttrs
  • Default: If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

Attributes which Cognito will look to verify automatically upon user sign up.

EMAIL and PHONE are the only available options.

customAttributesOptional
  • Type: java.util.Map
  • Default: No custom attributes.

Define a set of custom attributes that can be configured for each user in the user pool.

customSenderKmsKeyOptional
  • Type: software.amazon.awscdk.services.kms.IKey
  • Default: no key ID configured

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html

deletionProtectionOptional
  • Type: java.lang.Boolean
  • Default: false

Indicates whether the user pool should have deletion protection enabled.

deviceTrackingOptional
  • Type: software.amazon.awscdk.services.cognito.DeviceTracking
  • Default: see defaults on each property of DeviceTracking.

Device tracking settings.

emailOptional
  • Type: software.amazon.awscdk.services.cognito.UserPoolEmail
  • Default: cognito will use the default email configuration

Email settings for a user pool.

enableSmsRoleOptional
  • Type: java.lang.Boolean
  • Default: CDK will determine based on other properties of the user pool if an SMS role should be created or not.

Setting this would explicitly enable or disable SMS role creation.

When left unspecified, CDK will determine based on other properties if a role is needed or not.

keepOriginalOptional
  • Type: software.amazon.awscdk.services.cognito.KeepOriginalAttrs
  • Default: Nothing is kept.

Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.

EMAIL and PHONE are the only available options.

lambdaTriggersOptional
  • Type: software.amazon.awscdk.services.cognito.UserPoolTriggers
  • Default: No Lambda triggers.

Lambda functions to use for supported Cognito triggers.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

mfaOptional
  • Type: software.amazon.awscdk.services.cognito.Mfa
  • Default: Mfa.OFF

Configure whether users of this user pool can or are required use MFA to sign in.

mfaMessageOptional
  • Type: java.lang.String
  • Default: 'Your authentication code is {####}.'

The SMS message template sent during MFA verification.

Use '{####}' in the template where Cognito should insert the verification code.

mfaSecondFactorOptional
  • Type: software.amazon.awscdk.services.cognito.MfaSecondFactor
  • Default: { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise

Configure the MFA types that users can use in this user pool.

Ignored if mfa is set to OFF.

passwordPolicyOptional
  • Type: software.amazon.awscdk.services.cognito.PasswordPolicy
  • Default: see defaults on each property of PasswordPolicy.

Password policy for this user pool.

removalPolicyOptional
  • Type: software.amazon.awscdk.RemovalPolicy
  • Default: RemovalPolicy.RETAIN

Policy to apply when the user pool is removed from the stack.

selfSignUpEnabledOptional
  • Type: java.lang.Boolean
  • Default: false

Whether self sign-up should be enabled.

To configure self sign-up configuration use the userVerification property.

signInAliasesOptional
  • Type: software.amazon.awscdk.services.cognito.SignInAliases
  • Default: { username: true }

Methods in which a user registers or signs in to a user pool.

Allows either username with aliases OR sign in with email, phone, or both.

Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

To match with 'Option 1' in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.

signInCaseSensitiveOptional
  • Type: java.lang.Boolean
  • Default: true

Whether sign-in aliases should be evaluated with case sensitivity.

For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.

smsRoleOptional
  • Type: software.amazon.awscdk.services.iam.IRole
  • Default: a new IAM role is created.

The IAM role that Cognito will assume while sending SMS messages.

smsRoleExternalIdOptional
  • Type: java.lang.String
  • Default: No external id will be configured.

The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.

Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

This property will be ignored if smsRole is not specified.

snsRegionOptional

The region to integrate with SNS to send SMS messages.

This property will do nothing if SMS configuration is not configured.

standardAttributesOptional
  • Type: software.amazon.awscdk.services.cognito.StandardAttributes
  • Default: All standard attributes are optional and mutable.

The set of attributes that are required for every user in the user pool.

Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

userInvitationOptional
  • Type: software.amazon.awscdk.services.cognito.UserInvitationConfig
  • Default: see defaults in UserInvitationConfig.

Configuration around admins signing up users into a user pool.

userPoolNameOptional
  • Type: java.lang.String
  • Default: automatically generated name by CloudFormation at deploy time.

Name of the user pool.

userVerificationOptional
  • Type: software.amazon.awscdk.services.cognito.UserVerificationConfig
  • Default: see defaults in UserVerificationConfig.

Configuration around users signing themselves up to the user pool.

Enable or disable self sign-up via the selfSignUpEnabled property.

Methods

Name Description
toString Returns a string representation of this construct.
applyRemovalPolicy Apply the given removal policy to this resource.
addClient Add a new app client to this user pool.
addDomain Associate a domain to this user pool.
addResourceServer Add a new resource server to this user pool.
addTrigger Add a lambda trigger to a user pool operation.
grant Adds an IAM policy statement associated with this user pool to an IAM principal's policy.
registerIdentityProvider Register an identity provider with this user pool.
toString 
public java.lang.String toString()

Returns a string representation of this construct.

applyRemovalPolicy 
public void applyRemovalPolicy(RemovalPolicy policy)

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

policyRequired
  • Type: software.amazon.awscdk.RemovalPolicy
addClient 
public UserPoolClient addClient(java.lang.String id)
public UserPoolClient addClient(java.lang.String id, UserPoolClientOptions options)

Add a new app client to this user pool.

idRequired
  • Type: java.lang.String
optionsOptional
  • Type: software.amazon.awscdk.services.cognito.UserPoolClientOptions
addDomain 
public UserPoolDomain addDomain(java.lang.String id, UserPoolDomainOptions options)

Associate a domain to this user pool.

idRequired
  • Type: java.lang.String
optionsRequired
  • Type: software.amazon.awscdk.services.cognito.UserPoolDomainOptions
addResourceServer 
public UserPoolResourceServer addResourceServer(java.lang.String id, UserPoolResourceServerOptions options)

Add a new resource server to this user pool.

idRequired
  • Type: java.lang.String
optionsRequired
  • Type: software.amazon.awscdk.services.cognito.UserPoolResourceServerOptions
addTrigger 
public void addTrigger(UserPoolOperation operation, IFunction fn)
public void addTrigger(UserPoolOperation operation, IFunction fn, LambdaVersion lambdaVersion)

Add a lambda trigger to a user pool operation.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

operationRequired
  • Type: software.amazon.awscdk.services.cognito.UserPoolOperation
fnRequired
  • Type: software.amazon.awscdk.services.lambda.IFunction
lambdaVersionOptional
  • Type: software.amazon.awscdk.services.cognito.LambdaVersion
grant 
public Grant grant(IGrantable grantee, java.lang.String actions)

Adds an IAM policy statement associated with this user pool to an IAM principal's policy.

granteeRequired
  • Type: software.amazon.awscdk.services.iam.IGrantable
actionsRequired
  • Type: java.lang.String
registerIdentityProvider 
public void registerIdentityProvider(IUserPoolIdentityProvider provider)

Register an identity provider with this user pool.

providerRequired
  • Type: software.amazon.awscdk.services.cognito.IUserPoolIdentityProvider

Static Functions

Name Description
isConstruct Checks if x is a construct.
isOwnedResource Returns true if the construct was created by CDK, and false otherwise.
isResource Check whether the given construct is a Resource.
fromUserPoolArn Import an existing user pool based on its ARN.
fromUserPoolId Import an existing user pool based on its id.
isConstruct 
import software.aws.pdk.identity.UserPoolWithMfa;

UserPoolWithMfa.isConstruct(java.lang.Object x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

xRequired
  • Type: java.lang.Object

Any object.

isOwnedResource 
import software.aws.pdk.identity.UserPoolWithMfa;

UserPoolWithMfa.isOwnedResource(IConstruct construct)

Returns true if the construct was created by CDK, and false otherwise.

constructRequired
  • Type: software.constructs.IConstruct
isResource 
import software.aws.pdk.identity.UserPoolWithMfa;

UserPoolWithMfa.isResource(IConstruct construct)

Check whether the given construct is a Resource.

constructRequired
  • Type: software.constructs.IConstruct
fromUserPoolArn 
import software.aws.pdk.identity.UserPoolWithMfa;

UserPoolWithMfa.fromUserPoolArn(Construct scope, java.lang.String id, java.lang.String userPoolArn)

Import an existing user pool based on its ARN.

scopeRequired
  • Type: software.constructs.Construct
idRequired
  • Type: java.lang.String
userPoolArnRequired
  • Type: java.lang.String
fromUserPoolId 
import software.aws.pdk.identity.UserPoolWithMfa;

UserPoolWithMfa.fromUserPoolId(Construct scope, java.lang.String id, java.lang.String userPoolId)

Import an existing user pool based on its id.

scopeRequired
  • Type: software.constructs.Construct
idRequired
  • Type: java.lang.String
userPoolIdRequired
  • Type: java.lang.String

Properties

Name Type Description
node software.constructs.Node The tree node.
env software.amazon.awscdk.ResourceEnvironment The environment this resource belongs to.
stack software.amazon.awscdk.Stack The stack in which this resource is defined.
identityProviders java.util.List Get all identity providers registered with this user pool.
userPoolArn java.lang.String The ARN of the user pool.
userPoolId java.lang.String The physical ID of this user pool resource.
userPoolProviderName java.lang.String User pool provider name.
userPoolProviderUrl java.lang.String User pool provider URL.
nodeRequired 
public Node getNode();
  • Type: software.constructs.Node

The tree node.

envRequired 
public ResourceEnvironment getEnv();
  • Type: software.amazon.awscdk.ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

stackRequired 
public Stack getStack();
  • Type: software.amazon.awscdk.Stack

The stack in which this resource is defined.

identityProvidersRequired 
public java.util.List<IUserPoolIdentityProvider> getIdentityProviders();
  • Type: java.util.List

Get all identity providers registered with this user pool.

userPoolArnRequired 
public java.lang.String getUserPoolArn();
  • Type: java.lang.String

The ARN of the user pool.

userPoolIdRequired 
public java.lang.String getUserPoolId();
  • Type: java.lang.String

The physical ID of this user pool resource.

userPoolProviderNameRequired 
public java.lang.String getUserPoolProviderName();
  • Type: java.lang.String

User pool provider name.

userPoolProviderUrlRequired 
public java.lang.String getUserPoolProviderUrl();
  • Type: java.lang.String

User pool provider URL.

Structs

UserIdentityProps

Properties which configures the Identity Pool.

Initializer 

import software.aws.pdk.identity.UserIdentityProps;

UserIdentityProps.builder()
//  .allowSignup(java.lang.Boolean)
//  .identityPoolOptions(IdentityPoolProps)
//  .userPool(UserPool)
    .build();

Properties

Name Type Description
allowSignup java.lang.Boolean Allow self sign up.
identityPoolOptions software.amazon.awscdk.services.cognito.identitypool.alpha.IdentityPoolProps Configuration for the Identity Pool.
userPool software.amazon.awscdk.services.cognito.UserPool User provided Cognito UserPool.
allowSignupOptional 
public java.lang.Boolean getAllowSignup();
  • Type: java.lang.Boolean
  • Default: false

Allow self sign up.

identityPoolOptionsOptional 
public IdentityPoolProps getIdentityPoolOptions();
  • Type: software.amazon.awscdk.services.cognito.identitypool.alpha.IdentityPoolProps

Configuration for the Identity Pool.

userPoolOptional 
public UserPool getUserPool();
  • Type: software.amazon.awscdk.services.cognito.UserPool
  • Default: a userpool with mfa will be created.

User provided Cognito UserPool.

UserPoolWithMfaProps

UserPoolWithMfa props.

Initializer 

import software.aws.pdk.identity.UserPoolWithMfaProps;

UserPoolWithMfaProps.builder()
//  .accountRecovery(AccountRecovery)
//  .advancedSecurityMode(AdvancedSecurityMode)
//  .autoVerify(AutoVerifiedAttrs)
//  .customAttributes(java.util.Map<java.lang.String, ICustomAttribute>)
//  .customSenderKmsKey(IKey)
//  .deletionProtection(java.lang.Boolean)
//  .deviceTracking(DeviceTracking)
//  .email(UserPoolEmail)
//  .enableSmsRole(java.lang.Boolean)
//  .keepOriginal(KeepOriginalAttrs)
//  .lambdaTriggers(UserPoolTriggers)
//  .mfa(Mfa)
//  .mfaMessage(java.lang.String)
//  .mfaSecondFactor(MfaSecondFactor)
//  .passwordPolicy(PasswordPolicy)
//  .removalPolicy(RemovalPolicy)
//  .selfSignUpEnabled(java.lang.Boolean)
//  .signInAliases(SignInAliases)
//  .signInCaseSensitive(java.lang.Boolean)
//  .smsRole(IRole)
//  .smsRoleExternalId(java.lang.String)
//  .snsRegion(java.lang.String)
//  .standardAttributes(StandardAttributes)
//  .userInvitation(UserInvitationConfig)
//  .userPoolName(java.lang.String)
//  .userVerification(UserVerificationConfig)
    .build();

Properties

Name Type Description
accountRecovery software.amazon.awscdk.services.cognito.AccountRecovery How will a user be able to recover their account?
advancedSecurityMode software.amazon.awscdk.services.cognito.AdvancedSecurityMode The user pool's Advanced Security Mode.
autoVerify software.amazon.awscdk.services.cognito.AutoVerifiedAttrs Attributes which Cognito will look to verify automatically upon user sign up.
customAttributes java.util.Map Define a set of custom attributes that can be configured for each user in the user pool.
customSenderKmsKey software.amazon.awscdk.services.kms.IKey This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
deletionProtection java.lang.Boolean Indicates whether the user pool should have deletion protection enabled.
deviceTracking software.amazon.awscdk.services.cognito.DeviceTracking Device tracking settings.
email software.amazon.awscdk.services.cognito.UserPoolEmail Email settings for a user pool.
enableSmsRole java.lang.Boolean Setting this would explicitly enable or disable SMS role creation.
keepOriginal software.amazon.awscdk.services.cognito.KeepOriginalAttrs Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
lambdaTriggers software.amazon.awscdk.services.cognito.UserPoolTriggers Lambda functions to use for supported Cognito triggers.
mfa software.amazon.awscdk.services.cognito.Mfa Configure whether users of this user pool can or are required use MFA to sign in.
mfaMessage java.lang.String The SMS message template sent during MFA verification.
mfaSecondFactor software.amazon.awscdk.services.cognito.MfaSecondFactor Configure the MFA types that users can use in this user pool.
passwordPolicy software.amazon.awscdk.services.cognito.PasswordPolicy Password policy for this user pool.
removalPolicy software.amazon.awscdk.RemovalPolicy Policy to apply when the user pool is removed from the stack.
selfSignUpEnabled java.lang.Boolean Whether self sign-up should be enabled.
signInAliases software.amazon.awscdk.services.cognito.SignInAliases Methods in which a user registers or signs in to a user pool.
signInCaseSensitive java.lang.Boolean Whether sign-in aliases should be evaluated with case sensitivity.
smsRole software.amazon.awscdk.services.iam.IRole The IAM role that Cognito will assume while sending SMS messages.
smsRoleExternalId java.lang.String The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.
snsRegion java.lang.String The region to integrate with SNS to send SMS messages.
standardAttributes software.amazon.awscdk.services.cognito.StandardAttributes The set of attributes that are required for every user in the user pool.
userInvitation software.amazon.awscdk.services.cognito.UserInvitationConfig Configuration around admins signing up users into a user pool.
userPoolName java.lang.String Name of the user pool.
userVerification software.amazon.awscdk.services.cognito.UserVerificationConfig Configuration around users signing themselves up to the user pool.
accountRecoveryOptional 
public AccountRecovery getAccountRecovery();
  • Type: software.amazon.awscdk.services.cognito.AccountRecovery
  • Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

How will a user be able to recover their account?

advancedSecurityModeOptional 
public AdvancedSecurityMode getAdvancedSecurityMode();
  • Type: software.amazon.awscdk.services.cognito.AdvancedSecurityMode
  • Default: no value

The user pool's Advanced Security Mode.

autoVerifyOptional 
public AutoVerifiedAttrs getAutoVerify();
  • Type: software.amazon.awscdk.services.cognito.AutoVerifiedAttrs
  • Default: If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

Attributes which Cognito will look to verify automatically upon user sign up.

EMAIL and PHONE are the only available options.

customAttributesOptional 
public java.util.Map<java.lang.String, ICustomAttribute> getCustomAttributes();
  • Type: java.util.Map
  • Default: No custom attributes.

Define a set of custom attributes that can be configured for each user in the user pool.

customSenderKmsKeyOptional 
public IKey getCustomSenderKmsKey();
  • Type: software.amazon.awscdk.services.kms.IKey
  • Default: no key ID configured

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html

deletionProtectionOptional 
public java.lang.Boolean getDeletionProtection();
  • Type: java.lang.Boolean
  • Default: false

Indicates whether the user pool should have deletion protection enabled.

deviceTrackingOptional 
public DeviceTracking getDeviceTracking();
  • Type: software.amazon.awscdk.services.cognito.DeviceTracking
  • Default: see defaults on each property of DeviceTracking.

Device tracking settings.

emailOptional 
public UserPoolEmail getEmail();
  • Type: software.amazon.awscdk.services.cognito.UserPoolEmail
  • Default: cognito will use the default email configuration

Email settings for a user pool.

enableSmsRoleOptional 
public java.lang.Boolean getEnableSmsRole();
  • Type: java.lang.Boolean
  • Default: CDK will determine based on other properties of the user pool if an SMS role should be created or not.

Setting this would explicitly enable or disable SMS role creation.

When left unspecified, CDK will determine based on other properties if a role is needed or not.

keepOriginalOptional 
public KeepOriginalAttrs getKeepOriginal();
  • Type: software.amazon.awscdk.services.cognito.KeepOriginalAttrs
  • Default: Nothing is kept.

Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.

EMAIL and PHONE are the only available options.

lambdaTriggersOptional 
public UserPoolTriggers getLambdaTriggers();
  • Type: software.amazon.awscdk.services.cognito.UserPoolTriggers
  • Default: No Lambda triggers.

Lambda functions to use for supported Cognito triggers.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

mfaOptional 
public Mfa getMfa();
  • Type: software.amazon.awscdk.services.cognito.Mfa
  • Default: Mfa.OFF

Configure whether users of this user pool can or are required use MFA to sign in.

mfaMessageOptional 
public java.lang.String getMfaMessage();
  • Type: java.lang.String
  • Default: 'Your authentication code is {####}.'

The SMS message template sent during MFA verification.

Use '{####}' in the template where Cognito should insert the verification code.

mfaSecondFactorOptional 
public MfaSecondFactor getMfaSecondFactor();
  • Type: software.amazon.awscdk.services.cognito.MfaSecondFactor
  • Default: { sms: true, otp: false }, if mfa is set to OPTIONAL or REQUIRED. { sms: false, otp: false }, otherwise

Configure the MFA types that users can use in this user pool.

Ignored if mfa is set to OFF.

passwordPolicyOptional 
public PasswordPolicy getPasswordPolicy();
  • Type: software.amazon.awscdk.services.cognito.PasswordPolicy
  • Default: see defaults on each property of PasswordPolicy.

Password policy for this user pool.

removalPolicyOptional 
public RemovalPolicy getRemovalPolicy();
  • Type: software.amazon.awscdk.RemovalPolicy
  • Default: RemovalPolicy.RETAIN

Policy to apply when the user pool is removed from the stack.

selfSignUpEnabledOptional 
public java.lang.Boolean getSelfSignUpEnabled();
  • Type: java.lang.Boolean
  • Default: false

Whether self sign-up should be enabled.

To configure self sign-up configuration use the userVerification property.

signInAliasesOptional 
public SignInAliases getSignInAliases();
  • Type: software.amazon.awscdk.services.cognito.SignInAliases
  • Default: { username: true }

Methods in which a user registers or signs in to a user pool.

Allows either username with aliases OR sign in with email, phone, or both.

Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

To match with 'Option 1' in the above link, with a verified email, this property should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.

signInCaseSensitiveOptional 
public java.lang.Boolean getSignInCaseSensitive();
  • Type: java.lang.Boolean
  • Default: true

Whether sign-in aliases should be evaluated with case sensitivity.

For example, when this option is set to false, users will be able to sign in using either MyUsername or myusername.

smsRoleOptional 
public IRole getSmsRole();
  • Type: software.amazon.awscdk.services.iam.IRole
  • Default: a new IAM role is created.

The IAM role that Cognito will assume while sending SMS messages.

smsRoleExternalIdOptional 
public java.lang.String getSmsRoleExternalId();
  • Type: java.lang.String
  • Default: No external id will be configured.

The 'ExternalId' that Cognito service must be using when assuming the smsRole, if the role is restricted with an 'sts:ExternalId' conditional.

Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

This property will be ignored if smsRole is not specified.

snsRegionOptional 
public java.lang.String getSnsRegion();

The region to integrate with SNS to send SMS messages.

This property will do nothing if SMS configuration is not configured.

standardAttributesOptional 
public StandardAttributes getStandardAttributes();
  • Type: software.amazon.awscdk.services.cognito.StandardAttributes
  • Default: All standard attributes are optional and mutable.

The set of attributes that are required for every user in the user pool.

Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

userInvitationOptional 
public UserInvitationConfig getUserInvitation();
  • Type: software.amazon.awscdk.services.cognito.UserInvitationConfig
  • Default: see defaults in UserInvitationConfig.

Configuration around admins signing up users into a user pool.

userPoolNameOptional 
public java.lang.String getUserPoolName();
  • Type: java.lang.String
  • Default: automatically generated name by CloudFormation at deploy time.

Name of the user pool.

userVerificationOptional 
public UserVerificationConfig getUserVerification();
  • Type: software.amazon.awscdk.services.cognito.UserVerificationConfig
  • Default: see defaults in UserVerificationConfig.

Configuration around users signing themselves up to the user pool.

Enable or disable self sign-up via the selfSignUpEnabled property.

Last update: 2025-07-17