thisisdee

Reputation: 878

What permissions are required to create Cognito User Pool with SMS MFA?

I've attached "AmazonCognitoPowerUser" policy with permissions below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cognito-identity:*",
                "cognito-idp:*",
                "cognito-sync:*",
                "iam:ListRoles",
                "iam:ListOpenIdConnectProviders",
                "iam:GetRole",
                "iam:ListSAMLProviders",
                "iam:GetSAMLProvider",
                "kinesis:ListStreams",
                "lambda:GetPolicy",
                "lambda:ListFunctions",
                "sns:GetSMSSandboxAccountStatus",
                "sns:ListPlatformApplications",
                "ses:ListIdentities",
                "ses:GetIdentityVerificationAttributes",
                "mobiletargeting:GetApps",
                "acm:ListCertificates"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "cognito-idp.amazonaws.com",
                        "email.cognito-idp.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:DeleteServiceLinkedRole",
                "iam:GetServiceLinkedRoleDeletionStatus"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdp*",
                "arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*"
            ]
        }
    ]
}

Users can create a User Pool with MFA Required if it's TOTP only. They cannot create it with SMS MFA, nor can they add SMS MFA afterwards. The error says it doesn't have permission, but I thought this policy should already allow users to manage Cognito. What permissions are we missing?

I'm thinking it's because SMS MFA requires a Role but they're already able to "Create Role" during the step of the User Pool creation process. It's when they save the user pool that it fails.

Upvotes: 0

Views: 2133

Answers (2)

Mohammad Ali

Reputation: 329

You must request an increased spend limit from Amazon SNS. The default spend limit per account (if not specified) is 1.00 USD per month. If you want to raise the limit, submit an SNS Limit Increase case in the AWS Support Center.

Upvotes: 1

Sandeep Dixit

Reputation: 1036

It's unlikely to be a permissions problem.

I had opted not to use the SMS feature just because of one big first step.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-text-message.html

To ensure that SMS messages are sent to verify phone numbers and for SMS text message MFA, you must request an increased spend limit from Amazon SNS.

The default spend limit per account (if not specified) is 1.00 USD per month. If you want to raise the limit, submit an SNS Limit Increase case in the AWS Support Center. For New limit value, enter your desired monthly spend limit. In the Use Case Description field, explain that you're requesting an SMS monthly spend limit increase.

We need to apply for the spending increase for the SNS service, which is done via an AWS Support Center ticket/case (not available via the console).


Support ticket takes weeks to resolve and can be quite irritating, as there are many to and fro communications.

This may not be a complete solution to your problem but as this important question was not active, some discussion may help to push this a bit. I am also trying to set SMS MFA up, surely will take time. Will update this answer when done.

Upvotes: 0
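Both answers point at the SNS monthly spend limit rather than IAM. As an added example (not code from the question or either answer), this pre-flight check reads the account's SNS spend limit and SMS sandbox status through the real boto3 calls GetSMSAttributes and GetSMSSandboxAccountStatus (the latter is already granted by the policy in the question), and flags what would block Cognito SMS MFA before you save the user pool. The 10 USD "enough budget" threshold and the FakeSNS stand-in are assumptions so it runs offline.

```python
"""Pre-flight check for Cognito SMS MFA: SNS spend limit and sandbox status."""
from dataclasses import dataclass, field

DEFAULT_SPEND_LIMIT_USD = 1.0  # SNS default when MonthlySpendLimit was never set


@dataclass
class SmsReadiness:
    spend_limit_usd: float
    in_sandbox: bool
    findings: list = field(default_factory=list)

    @property
    def ready(self) -> bool:
        return not self.findings


def assess_sms_readiness(sns, min_spend_limit_usd: float = 10.0) -> SmsReadiness:
    """Return blockers that stop SNS from delivering Cognito SMS messages.

    `sns` is any object exposing boto3's SNS get_sms_attributes and
    get_sms_sandbox_account_status; min_spend_limit_usd is an assumed threshold.
    """
    attrs = sns.get_sms_attributes(attributes=["MonthlySpendLimit"]).get("attributes", {})
    # An unset attribute means SNS applies the 1 USD default described in the answers.
    limit = float(attrs.get("MonthlySpendLimit", DEFAULT_SPEND_LIMIT_USD))
    in_sandbox = bool(sns.get_sms_sandbox_account_status().get("IsInSandbox", True))

    result = SmsReadiness(spend_limit_usd=limit, in_sandbox=in_sandbox)
    if limit < min_spend_limit_usd:
        result.findings.append(
            f"MonthlySpendLimit is {limit:.2f} USD; raise it via an AWS Support case")
    if in_sandbox:
        result.findings.append("Account is in the SNS SMS sandbox; only verified numbers get SMS")
    return result


class FakeSNS:
    """Constructed stand-in for the boto3 SNS client so the check runs offline."""
    def __init__(self, limit=None, sandbox=True):
        self._limit, self._sandbox = limit, sandbox

    def get_sms_attributes(self, attributes):
        return {"attributes": {} if self._limit is None else {"MonthlySpendLimit": str(self._limit)}}

    def get_sms_sandbox_account_status(self):
        return {"IsInSandbox": self._sandbox}


if __name__ == "__main__":
    # Real use: import boto3; assess_sms_readiness(boto3.client("sns"))
    for finding in assess_sms_readiness(FakeSNS()).findings:
        print("BLOCKER:", finding)
```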
