title | platform |
---|---|
About the aws_cognito_userpool Resource | aws |
Use the `aws_cognito_userpool` InSpec audit resource to test properties of a single specific Cognito user pool.

Ensure that a user pool ID exists.
```ruby
describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do
  it { should exist }
end
```
`user_pool_id` (required): The ID of the user pool.
For additional information, see the AWS documentation on Cognito user pool.
Property | Description |
---|---|
user_pool_id | The user pool ID. |
client_name | The client name of the user pool. |
client_id | The client ID of the user pool. |
client_secret | The client secret of the user pool. |
last_modified_date | The last modified date of the user pool. |
creation_date | The creation date of the user pool. |
refresh_token_validity | The refresh token validity of the user pool. |
access_token_validity | The access token validity of the user pool. |
id_token_validity | The ID token validity of the user pool. |
token_validity_units (access_token) | The unit in which the access token validity of the user pool is expressed. |
token_validity_units (id_token) | The unit in which the ID token validity of the user pool is expressed. |
token_validity_units (refresh_token) | The unit in which the refresh token validity of the user pool is expressed. |
read_attributes | The read attributes of the user pool. |
write_attributes | The write attributes of the user pool. |
explicit_auth_flows | The explicit auth flows of the user pool. |
supported_identity_providers | The supported identity providers of the user pool. |
callback_urls | The callback URLs of the user pool. |
logout_urls | The logout URLs of the user pool. |
default_redirect_uri | The default redirect URI of the user pool. |
allowed_o_auth_flows | The allowed OAuth flows of the user pool. |
allowed_o_auth_scopes | The allowed OAuth scopes of the user pool. |
allowed_o_auth_flows_user_pool_client | Whether the user pool client is allowed to use the OAuth flows. |
analytics_configuration (application_id) | The application ID of the analytics configuration of the user pool. |
analytics_configuration (application_arn) | The application ARN of the analytics configuration of the user pool. |
analytics_configuration (role_arn) | The role ARN of the analytics configuration of the user pool. |
analytics_configuration (external_id) | The external ID of the analytics configuration of the user pool. |
analytics_configuration (user_data_shared) | The user data shared setting of the analytics configuration of the user pool. |
prevent_user_existence_errors | The prevent user existence errors setting of the user pool. |
```ruby
describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do
  its('user_pool_id') { should eq 'USER_POOL_ID' }
end
```

```ruby
describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do
  its('client_name') { should eq 'CLIENT_NAME' }
end
```
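The checks below are an added example, not code from the inspec-aws resource pack: they evaluate the security-relevant properties from the table above (OAuth flows, callback URLs, user existence errors, token lifetimes and their units) in plain Ruby rather than the InSpec DSL so they run without InSpec, and the comments show the equivalent `its(...)` expectations. The client hash and its values are constructed sample data, and the fallback units used when `token_validity_units` is unset (hours for access and ID tokens, days for refresh tokens) are an assumption about Cognito's defaults.

```ruby
# Added example, not part of the InSpec AWS resource pack. The hash keys mirror the
# property names exposed by aws_cognito_userpool; all values are constructed.

# Assumed Cognito fallback units when token_validity_units does not name one.
DEFAULT_UNITS = { access_token: 'hours', id_token: 'hours', refresh_token: 'days' }.freeze
SECONDS_PER   = { 'seconds' => 1, 'minutes' => 60, 'hours' => 3600, 'days' => 86_400 }.freeze

# A validity number means nothing without its unit; normalise both to seconds so
# thresholds compare like with like (e.g. access_token_validity 60 may be 60 minutes or 60 hours).
def validity_seconds(client, token)
  unit = (client[:token_validity_units] || {})[token] || DEFAULT_UNITS[token]
  client[:"#{token}_validity"] * SECONDS_PER.fetch(unit)
end

# Returns a list of findings; an empty list means the client passes every check.
# InSpec equivalents: its('allowed_o_auth_flows') { should_not include 'implicit' }
#                     its('prevent_user_existence_errors') { should eq 'ENABLED' }
def client_findings(client)
  findings = []
  findings << 'implicit OAuth flow enabled' if client[:allowed_o_auth_flows].include?('implicit')
  client[:callback_urls].reject { |u| u.start_with?('https://') }.each do |u|
    findings << "non-HTTPS callback URL: #{u}"
  end
  unless client[:prevent_user_existence_errors] == 'ENABLED'
    findings << 'user existence errors not prevented'
  end
  findings << 'access token valid longer than 1 hour' if validity_seconds(client, :access_token) > 3600
  findings << 'refresh token valid longer than 30 days' if validity_seconds(client, :refresh_token) > 30 * 86_400
  findings
end

# Constructed sample client: passes the lifetime checks but fails two others.
SAMPLE_CLIENT = {
  client_id: 'EXAMPLE_CLIENT_ID',
  allowed_o_auth_flows: %w[code implicit],
  callback_urls: ['https://app.example.com/callback', 'http://localhost:3000/callback'],
  prevent_user_existence_errors: 'ENABLED',
  access_token_validity: 60,
  refresh_token_validity: 30,
  token_validity_units: { access_token: 'minutes' }, # refresh_token falls back to days
}.freeze

if __FILE__ == $PROGRAM_NAME
  client_findings(SAMPLE_CLIENT).each { |f| puts "FAIL: #{f}" }
end
```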
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
The controls will pass if the `describe` method returns at least one result.
Use `should` to test that the entity exists.

```ruby
describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do
  it { should exist }
end
```
Use `should_not` to test that the entity does not exist.

```ruby
describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do
  it { should_not exist }
end
```
Use `should` to check if the client name is available.

```ruby
describe aws_cognito_userpool(user_pool_id: 'USER_POOL_ID') do
  it { should be_available }
end
```
Your Principal will need the `CognitoIdentityProvider:Client:DescribeUserPoolResponse` action with `Effect` set to `Allow`.