Skip to content

AWS Cognito

FeatureSupport
User management✅ Full
Organizations❌ Not supported
Audit logs❌ Not supported (use AWS CloudTrail externally)
  1. Create a Cognito User Pool

    In the AWS Console: Amazon Cognito → Create user pool.

    Note the User pool ID (e.g. us-east-1_xxxxxxxxx) and the Region.

  2. Create an IAM user for AUMS

    In the IAM Console: Users → Create user. Give it a name like aums-management.

    Attach the following inline policy:

    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "cognito-idp:ListUsers",
    "cognito-idp:AdminGetUser",
    "cognito-idp:AdminCreateUser",
    "cognito-idp:AdminUpdateUserAttributes",
    "cognito-idp:AdminDeleteUser",
    "cognito-idp:AdminDisableUser",
    "cognito-idp:AdminEnableUser",
    "cognito-idp:AdminResetUserPassword",
    "cognito-idp:AdminSetUserPassword",
    "cognito-idp:AdminListGroupsForUser",
    "cognito-idp:ListUsersInGroup"
    ],
    "Resource": "arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/USER_POOL_ID"
    }
    ]
    }

    Replace REGION, ACCOUNT_ID, and USER_POOL_ID with your values.

  3. Create access keys

    For the IAM user: Security credentials → Create access key. Choose Other as the use case.

    Copy the Access key ID and Secret access key.

  4. Set environment variables

    Terminal window
    PROVIDER=cognito
    COGNITO_REGION=us-east-1
    COGNITO_USER_POOL_ID=us-east-1_xxxxxxxxx
    AWS_ACCESS_KEY_ID=your-access-key-id
    AWS_SECRET_ACCESS_KEY=your-secret-access-key

AUMS does not surface Cognito audit events. To monitor user activity, enable AWS CloudTrail in your account and filter for cognito-idp.amazonaws.com events.