AWS Fundamentals
L2 Construct

UserPool

Define a Cognito User Pool.

Import

import { UserPool } from 'aws-cdk-lib/aws-cognito';

Or use the module namespace:

import * as cognito from 'aws-cdk-lib/aws-cognito';
// cognito.UserPool

Properties

Configuration passed to the constructor as UserPoolProps.

accountRecovery (Optional)
AccountRecovery

How will a user be able to recover their account?

Default: AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL

advancedSecurityMode (Optional, Deprecated)
AdvancedSecurityMode

The user pool's Advanced Security Mode.

Default: - no value

Deprecated: Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set the Threat Protection level.

autoVerify (Optional)
AutoVerifiedAttrs

Attributes which Cognito will look to verify automatically upon user sign up. EMAIL and PHONE are the only available options.

Default: - If `signInAlias` includes email and/or phone, they will be included in `autoVerifiedAttributes` by default. If absent, no attributes will be auto-verified.

customAttributes (Optional)
{ [key: string]: ICustomAttribute }

Define a set of custom attributes that can be configured for each user in the user pool.

Default: - No custom attributes.

customSenderKmsKey (Optional)
IKeyRef

This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.

Default: - no key ID configured

customThreatProtectionMode (Optional)
CustomThreatProtectionMode

The type of threat protection enabled for custom authentication. This feature only functions if `featurePlan` is set to FeaturePlan.PLUS.

Default: - no value

deletionProtection (Optional)
boolean

Indicates whether the user pool should have deletion protection enabled.

Default: false

deviceTracking (Optional)
DeviceTracking

Device tracking settings.

Default: - see defaults on each property of DeviceTracking.

email (Optional)
UserPoolEmail

Email settings for a user pool.

Default: - Cognito will use the default email configuration

enableSmsRole (Optional)
boolean

Setting this explicitly enables or disables SMS role creation. When left unspecified, CDK determines from the other properties whether a role is needed.

Default: - CDK will determine based on other properties of the user pool if an SMS role should be created or not.

featurePlan (Optional)
FeaturePlan

The user pool feature plan, or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection.

Default: - FeaturePlan.ESSENTIALS for a newly created user pool; FeaturePlan.LITE otherwise

keepOriginal (Optional)
KeepOriginalAttrs

Attributes for which Cognito will keep the original value when users change their email address or phone number. EMAIL and PHONE are the only available options.

Default: - Nothing is kept.

lambdaTriggers (Optional)
UserPoolTriggers

Lambda functions to use for supported Cognito triggers.

Default: - No Lambda triggers.

mfa (Optional)
Mfa

Configure whether users of this user pool can use, or are required to use, MFA to sign in.

Default: Mfa.OFF

mfaMessage (Optional)
string

The SMS message template sent during MFA verification. Use '{####}' in the template where Cognito should insert the verification code.

Default: 'Your authentication code is {####}.'

mfaSecondFactor (Optional)
MfaSecondFactor

Configure the MFA types that users can use in this user pool. Ignored if `mfa` is set to `OFF`.

Default: - `{ sms: true, otp: false, email: false }` if `mfa` is set to `OPTIONAL` or `REQUIRED`; `{ sms: false, otp: false, email: false }` otherwise.

passkeyRelyingPartyId (Optional)
string

The authentication domain that passkey providers must use as a relying party (RP) in their configuration. Under the following conditions, the passkey relying party ID must be the fully-qualified domain name of your custom domain:
- The user pool is configured for passkey authentication.
- The user pool has a custom domain, whether or not it also has a prefix domain.
- Your application performs authentication with managed login or the classic hosted UI.

Default: - No authentication domain

passkeyUserVerification (Optional)
PasskeyUserVerification

Your user-pool treatment for MFA with a passkey. You can override other MFA options and require passkey MFA, or you can set it as preferred. When passkey MFA is preferred, the hosted UI encourages users to register a passkey at sign-in.

Default: - Cognito default setting is PasskeyUserVerification.PREFERRED

passwordPolicy (Optional)
PasswordPolicy

Password policy for this user pool.

Default: - see defaults on each property of PasswordPolicy.

removalPolicy (Optional)
RemovalPolicy

Policy to apply when the user pool is removed from the stack.

Default: RemovalPolicy.RETAIN

selfSignUpEnabled (Optional)
boolean

Whether self sign-up should be enabled. To configure self sign-up, use the `userVerification` property.

Default: - false

signInAliases (Optional)
SignInAliases

Methods by which a user registers or signs in to a user pool. Allows either a username with aliases, or sign-in with email, phone, or both. Read the sections on usernames and aliases to learn more - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
To match 'Option 1' in the above link, with a verified email, set this property to `{ username: true, email: true }`. To match 'Option 2' in the above link, with both a verified email and phone number, set this property to `{ email: true, phone: true }`.

Default: { username: true }

signInCaseSensitive (Optional)
boolean

Whether sign-in aliases should be evaluated with case sensitivity. For example, when this option is set to false, users will be able to sign in using either `MyUsername` or `myusername`.

Default: true

signInPolicy (Optional)
SignInPolicy

Sign-in policy for this user pool.

Default: - see defaults on each property of SignInPolicy.

smsRole (Optional)
IRoleRef

The IAM role that Cognito will assume while sending SMS messages.

Default: - a new IAM role is created.

smsRoleExternalId (Optional)
string

The 'ExternalId' that the Cognito service must use when assuming the `smsRole`, if the role's trust policy is restricted with an 'sts:ExternalId' condition. Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
This property will be ignored if `smsRole` is not specified.

Default: - No external id will be configured.

snsRegion (Optional)
string

The region to integrate with SNS to send SMS messages. This property has no effect if SMS is not configured.

Default: - The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time

standardAttributes (Optional)
StandardAttributes

The set of attributes that are required for every user in the user pool. Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

Default: - All standard attributes are optional and mutable.

standardThreatProtectionMode (Optional)
StandardThreatProtectionMode

The type of threat protection enabled for standard authentication. This feature only functions if `featurePlan` is set to FeaturePlan.PLUS.

Default: - StandardThreatProtectionMode.NO_ENFORCEMENT

userInvitation (Optional)
UserInvitationConfig

Configuration around admins signing up users into a user pool.

Default: - see defaults in UserInvitationConfig.

userPoolName (Optional)
string

Name of the user pool.

Default: - automatically generated name by CloudFormation at deploy time.

userVerification (Optional)
UserVerificationConfig

Configuration around users signing themselves up to the user pool. Enable or disable self sign-up via the `selfSignUpEnabled` property.

Default: - see defaults in UserVerificationConfig.
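Several of the properties above interact: `mfaSecondFactor` is ignored while `mfa` is `OFF`, `smsRoleExternalId` is ignored without `smsRole`, and the threat protection modes only function on the PLUS feature plan. The following added example (not code from aws-cdk-lib or this page) audits a `UserPoolProps`-shaped object for those documented defaults and no-op combinations; it assumes string literals named like the CDK enum members as stand-ins for the real enums, and `"FULL_FUNCTION"` as the assumed enforcing member name.

```typescript
// Added example, not code from the CDK docs: audit a UserPoolProps-shaped
// object against the defaults and caveats documented on this page. Enum
// members are string literals named like the CDK members ("OFF" stands in
// for Mfa.OFF); aws-cdk-lib itself is not imported.
export interface Finding { prop: string; message: string }

export interface UserPoolPropsLike {
  mfa?: "OFF" | "OPTIONAL" | "REQUIRED";
  mfaSecondFactor?: { sms?: boolean; otp?: boolean; email?: boolean };
  deletionProtection?: boolean;
  featurePlan?: "LITE" | "ESSENTIALS" | "PLUS";
  standardThreatProtectionMode?: string; // e.g. "NO_ENFORCEMENT"
  customThreatProtectionMode?: string;
  advancedSecurityMode?: string;         // deprecated per the docs
  smsRole?: string;                      // role ARN stands in for IRoleRef
  smsRoleExternalId?: string;
}

export function auditUserPool(p: UserPoolPropsLike): Finding[] {
  const out: Finding[] = [];
  const mfa = p.mfa ?? "OFF";                  // documented default: Mfa.OFF
  if (mfa !== "REQUIRED") out.push({ prop: "mfa", message: `mfa is ${mfa}; second factor not enforced` });
  if (mfa === "OFF" && p.mfaSecondFactor) out.push({ prop: "mfaSecondFactor", message: "ignored while mfa is OFF" });
  if (p.deletionProtection !== true)           // documented default: false
    out.push({ prop: "deletionProtection", message: "disabled; the pool can be deleted" });
  const plan = p.featurePlan ?? "ESSENTIALS";  // documented default for a new pool
  const wantsThreatProtection =
    (p.standardThreatProtectionMode ?? "NO_ENFORCEMENT") !== "NO_ENFORCEMENT" ||
    p.customThreatProtectionMode !== undefined;
  if (wantsThreatProtection && plan !== "PLUS")
    out.push({ prop: "featurePlan", message: `threat protection only functions on PLUS; plan is ${plan}` });
  if (p.advancedSecurityMode !== undefined)
    out.push({ prop: "advancedSecurityMode", message: "deprecated; use the ThreatProtectionMode props" });
  if (p.smsRoleExternalId && !p.smsRole)
    out.push({ prop: "smsRoleExternalId", message: "ignored because smsRole is not set" });
  return out;
}

// Constructed sample configurations: all defaults plus two no-op settings,
// versus a hardened pool. "FULL_FUNCTION" is the assumed enforcing member name.
export const weakPool: UserPoolPropsLike = {
  mfaSecondFactor: { otp: true }, smsRoleExternalId: "placeholder-external-id",
};
export const hardenedPool: UserPoolPropsLike = {
  mfa: "REQUIRED", mfaSecondFactor: { sms: false, otp: true, email: false },
  deletionProtection: true, featurePlan: "PLUS",
  standardThreatProtectionMode: "FULL_FUNCTION", smsRole: "arn:aws:iam::123456789012:role/placeholder",
};
```

Running `auditUserPool(weakPool)` reports the four silent problems in the default-heavy configuration, while `auditUserPool(hardenedPool)` returns no findings.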
