I've attached "AmazonCognitoPowerUser" policy with permissions below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cognito-identity:*",
"cognito-idp:*",
"cognito-sync:*",
"iam:ListRoles",
"iam:ListOpenIdConnectProviders",
"iam:GetRole",
"iam:ListSAMLProviders",
"iam:GetSAMLProvider",
"kinesis:ListStreams",
"lambda:GetPolicy",
"lambda:ListFunctions",
"sns:GetSMSSandboxAccountStatus",
"sns:ListPlatformApplications",
"ses:ListIdentities",
"ses:GetIdentityVerificationAttributes",
"mobiletargeting:GetApps",
"acm:ListCertificates"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"cognito-idp.amazonaws.com",
"email.cognito-idp.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:DeleteServiceLinkedRole",
"iam:GetServiceLinkedRoleDeletionStatus"
],
"Resource": [
"arn:aws:iam::*:role/aws-service-role/cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdp*",
"arn:aws:iam::*:role/aws-service-role/email.cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdpEmail*"
]
}
]
}
User can create a User Pool with MRA Required if it's TOTP only. They cannot create it with SMS MFA, nor can they add SMS MFA afterwards. The error says doesn't have permission but I thought this policy should already allow users to manage Cognito. What permissions are we missing?
I'm thinking it's because SMS MFA requires a Role but they're already able to "Create Role" during the step of the User Pool creation process. It's when they save the user pool that it fails.
You must request an increased spend limit from Amazon SNS. The default spend limit per account (if not specified) is 1.00 USD per month. If you want to raise the limit, submit an SNS Limit Increase case in the AWS Support Center.