--- AWSTemplateFormatVersion: 2010-09-09 Description: > This template deploys the Retail Demo Store Cognito Configuration. Parameters: AuthName: Type: String Description: Unique Auth Name for Cognito Resources PinpointAppId: Type: String Description: Pinpoint project/application ID LocationResourcePrefix: Type: String Description: Prefix of Location Services resources to use Resources: # Creates a role that allows Cognito to send SNS messages SNSRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "cognito-idp.amazonaws.com" Action: - "sts:AssumeRole" Policies: - PolicyName: "CognitoSNSPolicy" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: "sns:publish" Resource: "*" # Creates a user pool in cognito for your app to auth against # This example requires MFA and validates the phone number to use as MFA # Other fields can be added to the schema UserPool: Type: AWS::Cognito::UserPool Properties: UserPoolName: !Sub ${AuthName}-user-pool MfaConfiguration: "OFF" AutoVerifiedAttributes: - email Schema: - Name: email AttributeDataType: String Mutable: false Required: true - Name: profile_user_id AttributeDataType: String Mutable: true StringAttributeConstraints: MinLength: '1' MaxLength: '200' - Name: profile_email AttributeDataType: String Mutable: true StringAttributeConstraints: MinLength: '1' MaxLength: '200' - Name: profile_first_name AttributeDataType: String Mutable: true StringAttributeConstraints: MinLength: '1' MaxLength: '200' - Name: profile_last_name AttributeDataType: String Mutable: true StringAttributeConstraints: MinLength: '1' MaxLength: '200' - Name: profile_gender AttributeDataType: String Mutable: true StringAttributeConstraints: MinLength: '1' MaxLength: '200' - Name: profile_age AttributeDataType: String Mutable: true StringAttributeConstraints: MinLength: '1' MaxLength: '200' - Name: profile_persona AttributeDataType: String Mutable: true StringAttributeConstraints: MinLength: '1' MaxLength: '200' - Name: demo_journey AttributeDataType: String Mutable: true StringAttributeConstraints: MinLength: '1' MaxLength: '200' # Creates a User Pool Client to be used by the identity pool UserPoolClient: Type: AWS::Cognito::UserPoolClient Properties: ClientName: !Sub ${AuthName}-client GenerateSecret: false UserPoolId: !Ref UserPool # Creates a federeated Identity pool IdentityPool: Type: AWS::Cognito::IdentityPool Properties: IdentityPoolName: !Sub ${AuthName}Identity AllowUnauthenticatedIdentities: true CognitoIdentityProviders: - ClientId: !Ref UserPoolClient ProviderName: !GetAtt UserPool.ProviderName # Create a role for unauthorized acces to AWS resources. Very limited access. Only allows users in the previously created Identity Pool CognitoUnAuthorizedRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Federated: "cognito-identity.amazonaws.com" Action: - "sts:AssumeRoleWithWebIdentity" Condition: StringEquals: "cognito-identity.amazonaws.com:aud": !Ref IdentityPool "ForAnyValue:StringLike": "cognito-identity.amazonaws.com:amr": unauthenticated Policies: - PolicyName: "CognitoUnauthorizedPolicy" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - mobiletargeting:UpdateEndpoint - mobiletargeting:PutEvents Resource: - !Sub "arn:aws:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${PinpointAppId}/*" - Effect: "Allow" Action: - "mobileanalytics:PutEvents" - "personalize:PutEvents" Resource: "*" - Effect: "Allow" Action: - "cognito-sync:*" Resource: - !Sub "arn:aws:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}" - Effect: "Allow" Action: - "lex:PostText" Resource: - !Sub "arn:aws:lex:${AWS::Region}:${AWS::AccountId}:bot:RetailDemoStore:*" # Create a role for authorized acces to AWS resources. Control what your user can access. This example only allows Lambda invokation # Only allows users in the previously created Identity Pool CognitoAuthorizedRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Federated: "cognito-identity.amazonaws.com" Action: - "sts:AssumeRoleWithWebIdentity" Condition: StringEquals: "cognito-identity.amazonaws.com:aud": !Ref IdentityPool "ForAnyValue:StringLike": "cognito-identity.amazonaws.com:amr": authenticated Policies: - PolicyName: "CognitoAuthorizedPolicy" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - mobiletargeting:UpdateEndpoint - mobiletargeting:PutEvents Resource: - !Sub "arn:aws:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${PinpointAppId}/*" - Effect: "Allow" Action: - "mobileanalytics:PutEvents" - "personalize:PutEvents" Resource: "*" - Effect: "Allow" Action: - "cognito-identity:*" Resource: - !Sub "arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}" - Effect: "Allow" Action: - "cognito-sync:*" Resource: - !Sub "arn:aws:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}" - Effect: "Allow" Action: - "lex:PostText" Resource: - !Sub "arn:aws:lex:${AWS::Region}:${AWS::AccountId}:bot:RetailDemoStore:*" - Effect: Allow Action: - geo:BatchGetDevicePosition - geo:BatchUpdateDevicePosition - geo:DescribeTracker - geo:GetDevicePosition - geo:GetDevicePositionHistory - geo:ListDevicePositions - geo:ListTrackers Resource: - !Sub 'arn:aws:geo:${AWS::Region}:${AWS::AccountId}:tracker/${LocationResourcePrefix}*' - Effect: Allow Action: - geo:ListGeofences - geo:ListGeofenceCollections - geo:GetGeofence - geo:DescribeGeofenceCollection Resource: - !Sub "arn:aws:geo:${AWS::Region}:${AWS::AccountId}:geofence-collection/${LocationResourcePrefix}*" - Effect: Allow Action: - geo:GetMapGlyphs - geo:GetMapSprites - geo:GetMapStyleDescriptor - geo:GetMapTile - geo:DescribeMap - geo:ListMaps Resource: - !Sub "arn:aws:geo:${AWS::Region}:${AWS::AccountId}:map/${LocationResourcePrefix}*" # Assigns the roles to the Identity Pool IdentityPoolRoleMapping: Type: "AWS::Cognito::IdentityPoolRoleAttachment" Properties: IdentityPoolId: !Ref IdentityPool Roles: authenticated: !GetAtt CognitoAuthorizedRole.Arn unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn Outputs: UserPoolId: Description: User Pool Id Value: !Ref UserPool UserPoolClientId: Description: User Pool Client Id Value: !Ref UserPoolClient IdentityPoolId: Description: Identity Pool Id Value: !Ref IdentityPool