/ - Amazon Cognito Identity Provider

Configures actions on detected risks. To delete the risk configuration for UserPoolId or ClientId, pass null values for all four configuration types.

To activate Amazon Cognito advanced security features, update the user pool to include the UserPoolAddOns keyAdvancedSecurityMode.

curl --location --request POST '/' \ --header 'X-Amz-Target;' \ --header 'Content-Type: application/json' \ --data-raw '{ "UserPoolId": "string", "ClientId": "string", "CompromisedCredentialsRiskConfiguration": { "EventFilter": [], "Actions": { "EventAction": "BLOCK" } }, "AccountTakeoverRiskConfiguration": { "NotifyConfiguration": { "From": "string", "ReplyTo": "string", "SourceArn": "string", "BlockEmail": { "Subject": "string", "HtmlBody": "string", "TextBody": "string" }, "NoActionEmail": {}, "MfaEmail": {} }, "Actions": { "LowAction": { "Notify": true, "EventAction": "BLOCK" }, "MediumAction": {}, "HighAction": {} } }, "RiskExceptionConfiguration": { "BlockedIPRangeList": [], "SkippedIPRangeList": [] } }'

{ "RiskConfiguration": { "UserPoolId": "string", "ClientId": "string", "CompromisedCredentialsRiskConfiguration": { "EventFilter": [], "Actions": { "EventAction": "BLOCK" } }, "AccountTakeoverRiskConfiguration": { "NotifyConfiguration": { "From": "string", "ReplyTo": "string", "SourceArn": "string", "BlockEmail": { "Subject": "string", "HtmlBody": "string", "TextBody": "string" }, "NoActionEmail": {}, "MfaEmail": {} }, "Actions": { "LowAction": { "Notify": true, "EventAction": "BLOCK" }, "MediumAction": {}, "HighAction": {} } }, "RiskExceptionConfiguration": { "BlockedIPRangeList": [], "SkippedIPRangeList": [] }, "LastModifiedDate": "string" } }

Request

Header Params

X-Amz-Target

string

required

Body Params application/json

UserPoolId

string

required

The user pool ID.

>= 1 characters<= 55 characters

Match pattern:

[\w-]+_[0-9a-zA-Z]+

ClientId

string <password>

optional

The app client ID. If ClientId is null, then the risk configuration is mapped to userPoolId. When the client ID is null, the same risk configuration is applied to all the clients in the userPool.

Otherwise, ClientId is mapped to the client. When the client ID isn't null, the user pool configuration is overridden and the risk configuration for the client is used instead.

>= 1 characters<= 128 characters

Match pattern:

[\w+]+

CompromisedCredentialsRiskConfiguration

object

optional

The compromised credentials risk configuration.

EventFilter

array[string]

optional

Perform the action for these events. The default is to perform all events if no event filter is specified.

Allowed values:

SIGN_INPASSWORD_CHANGESIGN_UP

Actions

object

required

The compromised credentials risk configuration actions.

AccountTakeoverRiskConfiguration

object

optional

The account takeover risk configuration.

NotifyConfiguration

object

optional

The notify configuration used to construct email notifications.

Actions

object

required

Account takeover risk configuration actions.

RiskExceptionConfiguration

object

optional

The configuration to override the risk decision.

BlockedIPRangeList

array[string]

optional

Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR notation, a compact representation of an IP address and its routing prefix.

<= 200 items

SkippedIPRangeList

array[string]

optional

Risk detection isn't performed on the IP addresses in this range list. The IP range is in CIDR notation.

<= 200 items

Examples

Responses

🟢200Success

application/json

Body

RiskConfiguration

object

required

The risk configuration.

UserPoolId

string

optional

The user pool ID.

>= 1 characters<= 55 characters

Match pattern:

[\w-]+_[0-9a-zA-Z]+

ClientId

string <password>

optional

The app client ID.

>= 1 characters<= 128 characters

Match pattern:

[\w+]+

CompromisedCredentialsRiskConfiguration

object

optional

The compromised credentials risk configuration object, including the EventFilter and the EventAction.

AccountTakeoverRiskConfiguration

object

optional

The account takeover risk configuration object, including the NotifyConfiguration object and Actions to take if there is an account takeover.

RiskExceptionConfiguration

object

optional

The configuration to override the risk decision.

LastModifiedDate

string <date-time>

optional

The last modified date.

🟠480ResourceNotFoundException

🟠481InvalidParameterException

🟠482TooManyRequestsException

🟠483NotAuthorizedException

🟠484UserPoolAddOnNotEnabledException

🟠485CodeDeliveryFailureException

🟠486InvalidEmailRoleAccessPolicyException

🟠487InternalErrorException