Resource: awsCognitoRiskConfiguration
Provides a Cognito Risk Configuration resource.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.cognitoRiskConfiguration.CognitoRiskConfiguration(this, "example", {
riskExceptionConfiguration: {
blockedIpRangeList: ["10.10.10.10/32"],
},
userPoolId: "${aws_cognito_user_pool.example.id}",
});
Argument Reference
The following arguments are supported:
userPoolId- (Required) The user pool ID.clientId- (Optional) The app client ID. When the client ID is not provided, the same risk configuration is applied to all the clients in the User Pool.accountTakeoverRiskConfiguration- (Optional) The account takeover risk configuration. See details below.compromisedCredentialsRiskConfiguration- (Optional) The compromised credentials risk configuration. See details below.riskExceptionConfiguration- (Optional) The configuration to override the risk decision. See details below.
accountTakeoverRiskConfiguration
notifyConfiguration- (Required) The notify configuration used to construct email notifications. See details below.actions- (Required) Account takeover risk configuration actions. See details below.
notifyConfiguration
blockEmail- (Optional) Email template used when a detected risk event is blocked. See notify email type below.mfaEmail- (Optional) The multi-factor authentication (MFA) email template used when MFA is challenged as part of a detected risk. See notify email type below.noActionEmail- (Optional) The email template used when a detected risk event is allowed. See notify email type below.from- (Optional) The email address that is sending the email. The address must be either individually verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES.replyTo- (Optional) The destination to which the receiver of an email should reply to.sourceArn- (Required) The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. This identity permits Amazon Cognito to send for the email address specified in the From parameter.
notify email type
htmlBody- (Required) The email HTML body.subject- (Required) The email subject.textBody- (Required) The email text body.
actions
highAction- (Optional) Action to take for a high risk. See action block below.lowAction- (Optional) Action to take for a low risk. See action block below.mediumAction- (Optional) Action to take for a medium risk. See action block below.
action
eventAction- (Required) The action to take in response to the account takeover action. Valid values areblock,MFA_IF_CONFIGURED,MFA_REQUIREDandNO_ACTION.notify- (Required) Whether to send a notification.
compromisedCredentialsRiskConfiguration
eventFilter- (Optional) Perform the action for these events. The default is to perform all events if no event filter is specified. Valid values areSIGN_IN,PASSWORD_CHANGE, andSIGN_UP.actions- (Required) The compromised credentials risk configuration actions. See details below.
actions
eventAction- (Optional) The event action. Valid values areblockorNO_ACTION.
riskExceptionConfiguration
blockedIpRangeList- (Optional) Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR notation, a compact representation of an IP address and its routing prefix. Can contain a maximum of 200 items.skippedIpRangeList- (Optional) Risk detection isn't performed on the IP addresses in this range list. The IP range is in CIDR notation. Can contain a maximum of 200 items.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
id- The user pool ID. or The user pool ID and Client Id separated by a:if the configuration is client specific.
Import
Cognito Risk Configurations can be imported using the id, e.g.,