aws/cloudformation-templates/base/authentication.yaml

---
AWSTemplateFormatVersion: 2010-09-09

Description: >
  This template deploys the Retail Demo Store Cognito Configuration.
Parameters:
  AuthName:
    Type: String
    Description: Unique Auth Name for Cognito Resources

  PinpointAppId:
    Type: String
    Description: Pinpoint project/application ID

Resources:
  # Creates a role that allows Cognito to send SNS messages
  SNSRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "cognito-idp.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "CognitoSNSPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: "sns:publish"
                Resource: "*"

  # Creates a user pool in cognito for your app to auth against
  # This example requires MFA and validates the phone number to use as MFA
  # Other fields can be added to the schema
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      MfaConfiguration: "OFF"
      AutoVerifiedAttributes:
        - email
      Schema:
        - Name: email
          AttributeDataType: String
          Mutable: false
          Required: true
        - Name: profile_user_id
          AttributeDataType: String
          Mutable: true
          StringAttributeConstraints:
            MinLength: '1'
            MaxLength: '200'
        - Name: profile_email
          AttributeDataType: String
          Mutable: true
          StringAttributeConstraints:
            MinLength: '1'
            MaxLength: '200'
        - Name: profile_first_name
          AttributeDataType: String
          Mutable: true
          StringAttributeConstraints:
            MinLength: '1'
            MaxLength: '200'
        - Name: profile_last_name
          AttributeDataType: String
          Mutable: true
          StringAttributeConstraints:
            MinLength: '1'
            MaxLength: '200'
        - Name: profile_gender
          AttributeDataType: String
          Mutable: true
          StringAttributeConstraints:
            MinLength: '1'
            MaxLength: '200'
        - Name: profile_age
          AttributeDataType: String
          Mutable: true
          StringAttributeConstraints:
            MinLength: '1'
            MaxLength: '200'
        - Name: profile_persona
          AttributeDataType: String
          Mutable: true
          StringAttributeConstraints:
            MinLength: '1'
            MaxLength: '200'

  # Creates a User Pool Client to be used by the identity pool
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: !Sub ${AuthName}-client
      GenerateSecret: false
      UserPoolId: !Ref UserPool

  # Creates a federeated Identity pool
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: !Sub ${AuthName}Identity
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName

  # Create a role for unauthorized acces to AWS resources. Very limited access. Only allows users in the previously created Identity Pool
  CognitoUnAuthorizedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: "CognitoUnauthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - mobiletargeting:UpdateEndpoint
                  - mobiletargeting:PutEvents
                Resource:
                  - !Sub "arn:aws:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${PinpointAppId}/*"
              - Effect: "Allow"
                Action:
                  - "mobileanalytics:PutEvents"
                  - "personalize:PutEvents"
                Resource: "*"
              - Effect: "Allow"
                Action:
                  - "cognito-sync:*"
                Resource:
                  - !Sub "arn:aws:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}"
              - Effect: "Allow"
                Action:
                  - "lex:PostText"
                Resource:
                  - !Sub "arn:aws:lex:${AWS::Region}:${AWS::AccountId}:bot:RetailDemoStore:*"

  # Create a role for authorized acces to AWS resources. Control what your user can access. This example only allows Lambda invokation
  # Only allows users in the previously created Identity Pool
  CognitoAuthorizedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: "CognitoAuthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - mobiletargeting:UpdateEndpoint
                  - mobiletargeting:PutEvents
                Resource:
                  - !Sub "arn:aws:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${PinpointAppId}/*"
              - Effect: "Allow"
                Action:
                  - "mobileanalytics:PutEvents"
                  - "personalize:PutEvents"
                Resource: "*"
              - Effect: "Allow"
                Action:
                  - "cognito-identity:*"
                Resource:
                  - !Sub "arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}"
              - Effect: "Allow"
                Action:
                  - "cognito-sync:*"
                Resource:
                  - !Sub "arn:aws:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPool}"
              - Effect: "Allow"
                Action:
                  - "lex:PostText"
                Resource:
                  - !Sub "arn:aws:lex:${AWS::Region}:${AWS::AccountId}:bot:RetailDemoStore:*"

  # Assigns the roles to the Identity Pool
  IdentityPoolRoleMapping:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt CognitoAuthorizedRole.Arn
        unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn

Outputs:
  UserPoolId:
    Description: User Pool Id
    Value: !Ref UserPool
  UserPoolClientId:
    Description: User Pool Client Id
    Value: !Ref UserPoolClient
  IdentityPoolId:
    Description: Identity Pool Id
    Value: !Ref IdentityPool