Amazon Cognito Identity Provider

2026/06/18 - Amazon Cognito Identity Provider - 3 updated api methods

Changes: In order to support the new TLS Self-Service feature, this change adds SecurityPolicyType to CustomDomainConfigType. In CreateUserPoolDomain and UpdateUserPoolDomain it selects a custom domain's TLS enforcement, and in DescribeUserPoolDomain it reports the domain's current TLS security policy.

CreateUserPoolDomain (updated)
Changes (request)
{'CustomDomainConfig': {'SecurityPolicy': 'TLS_V1 | TLS_V1_2_2021 | TLS_V1_3_2025'}}

A user pool domain hosts managed login, an authorization server and web server for authentication in your application. This operation creates a new user pool prefix domain or custom domain and sets the managed login branding version. Set the branding version to 1 for hosted UI (classic) or 2 for managed login. When you choose a custom domain, you must provide an SSL certificate in the US East (N. Virginia) Amazon Web Services Region in your request.

Your prefix domain might take up to one minute to take effect. Your custom domain is online within five minutes, but it can take up to one hour to distribute your SSL certificate.

For more information about adding a custom domain to your user pool, see Configuring a user pool domain.

See also: AWS API Documentation

Request Syntax

client.create_user_pool_domain(
    Domain='string',
    UserPoolId='string',
    ManagedLoginVersion=123,
    CustomDomainConfig={
        'CertificateArn': 'string',
        'SecurityPolicy': 'TLS_V1'|'TLS_V1_2_2021'|'TLS_V1_3_2025'
    },
    Routing={
        'Failover': {
            'SecondaryRegion': 'string',
            'PrimaryRoute53HealthCheckId': 'string'
        }
    }
)
type Domain:

string

param Domain:

[REQUIRED]

The domain string. For custom domains, this is the fully-qualified domain name, such as auth.example.com. For prefix domains, this is the prefix alone, such as myprefix. A prefix value of myprefix for a user pool in the us-east-1 Region results in a domain of myprefix.auth.us-east-1.amazoncognito.com.

type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The ID of the user pool where you want to add a domain.

type ManagedLoginVersion:

integer

param ManagedLoginVersion:

The version of managed login branding that you want to apply to your domain. A value of 1 indicates hosted UI (classic) and a version of 2 indicates managed login.

Managed login requires that your user pool be configured for any feature plan other than Lite.

type CustomDomainConfig:

dict

param CustomDomainConfig:

The configuration for a custom domain. Configures your domain with a Certificate Manager (ACM) certificate in the us-east-1 Region.

Provide this parameter only if you want to use a custom domain for your user pool. Otherwise, you can omit this parameter and use a prefix domain instead.

When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.

  • CertificateArn (string) -- [REQUIRED]

    The Amazon Resource Name (ARN) of a Certificate Manager (ACM) SSL certificate. You use this certificate for the subdomain of your custom domain.

  • SecurityPolicy (string) --

    The security policy for the custom domain. Defines the minimum TLS version and cipher suites that CloudFront uses when communicating with viewers (clients). Valid values are as follows:

    • TLS_V1: Supports TLS 1.0 and later. Provides the broadest client compatibility.

    • TLS_V1_2_2021: Supports TLS 1.2 and later with 2021 cipher suites. Recommended minimum for most use cases.

    • TLS_V1_3_2025: Supports TLS 1.3 and later with 2025 cipher suites. Provides the strongest security posture.

type Routing:

dict

param Routing:

The configuration of routing for requests to the domain for replicas of a replicated user pool. The routing configuration is currently only supported for custom domains.

  • Failover (dict) --

    The failover configuration that specifies the secondary region and health check settings.

    • SecondaryRegion (string) -- [REQUIRED]

      The secondary Amazon Web Services Region to use for failover when the primary region becomes unavailable.

    • PrimaryRoute53HealthCheckId (string) -- [REQUIRED]

      The ID of the Amazon Web Services Route 53 health check that controls routing. If the health check is healthy, traffic is routed to the primary replica; if it is unhealthy, traffic is routed to the secondary region.

rtype:

dict

returns:

Response Syntax

{
    'ManagedLoginVersion': 123,
    'CloudFrontDomain': 'string',
    'Routing': {
        'Failover': {
            'SecondaryRegion': 'string',
            'PrimaryRoute53HealthCheckId': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • ManagedLoginVersion (integer) --

      The version of managed login branding applied to your domain. A value of 1 indicates hosted UI (classic) and a version of 2 indicates managed login.

    • CloudFrontDomain (string) --

      The fully-qualified domain name (FQDN) of the Amazon CloudFront distribution that hosts your managed login or classic hosted UI pages. Your domain-name authority must have an alias record that points requests for your custom domain to this FQDN. Amazon Cognito returns this value if you set a custom domain with CustomDomainConfig. If you set an Amazon Cognito prefix domain, this parameter returns null.

    • Routing (dict) --

      The routing configuration that was applied to the user pool domain.

      • Failover (dict) --

        The failover configuration that specifies the secondary region and health check settings.

        • SecondaryRegion (string) --

          The secondary Amazon Web Services Region to use for failover when the primary region becomes unavailable.

        • PrimaryRoute53HealthCheckId (string) --

          The ID of the Amazon Web Services Route 53 health check that controls routing. If the health check is healthy, traffic is routed to the primary replica; if it is unhealthy, traffic is routed to the secondary region.

DescribeUserPoolDomain (updated)
Changes (response)
{'DomainDescription': {'CustomDomainConfig': {'SecurityPolicy': 'TLS_V1 | TLS_V1_2_2021 | TLS_V1_3_2025'}}}

Given a user pool domain name, returns information about the domain configuration.

See also: AWS API Documentation

Request Syntax

client.describe_user_pool_domain(
    Domain='string'
)
type Domain:

string

param Domain:

[REQUIRED]

The domain that you want to describe. For custom domains, this is the fully-qualified domain name, such as auth.example.com. For Amazon Cognito prefix domains, this is the prefix alone, such as auth.

rtype:

dict

returns:

Response Syntax

{
    'DomainDescription': {
        'UserPoolId': 'string',
        'AWSAccountId': 'string',
        'Domain': 'string',
        'S3Bucket': 'string',
        'CloudFrontDistribution': 'string',
        'Version': 'string',
        'Status': 'CREATING'|'DELETING'|'UPDATING'|'ACTIVE'|'FAILED',
        'CustomDomainConfig': {
            'CertificateArn': 'string',
            'SecurityPolicy': 'TLS_V1'|'TLS_V1_2_2021'|'TLS_V1_3_2025'
        },
        'ManagedLoginVersion': 123,
        'Routing': {
            'Failover': {
                'SecondaryRegion': 'string',
                'PrimaryRoute53HealthCheckId': 'string'
            }
        }
    }
}

Response Structure

  • (dict) --

    • DomainDescription (dict) --

      The details of the requested user pool domain.

      • UserPoolId (string) --

        The ID of the user pool that the domain is attached to.

      • AWSAccountId (string) --

        The Amazon Web Services account that you created the user pool in.

      • Domain (string) --

        The domain string. For custom domains, this is the fully-qualified domain name, such as auth.example.com. For Amazon Cognito prefix domains, this is the prefix alone, such as auth.

      • S3Bucket (string) --

        The Amazon S3 bucket where the static files for this domain are stored.

      • CloudFrontDistribution (string) --

        The Amazon CloudFront endpoint that hosts your custom domain.

      • Version (string) --

        The app version.

      • Status (string) --

        The domain status.

      • CustomDomainConfig (dict) --

        The configuration for a custom domain that hosts the sign-up and sign-in webpages for your application.

        • CertificateArn (string) --

          The Amazon Resource Name (ARN) of a Certificate Manager (ACM) SSL certificate. You use this certificate for the subdomain of your custom domain.

        • SecurityPolicy (string) --

          The security policy for the custom domain. Defines the minimum TLS version and cipher suites that CloudFront uses when communicating with viewers (clients). Valid values are as follows:

          • TLS_V1: Supports TLS 1.0 and later. Provides the broadest client compatibility.

          • TLS_V1_2_2021: Supports TLS 1.2 and later with 2021 cipher suites. Recommended minimum for most use cases.

          • TLS_V1_3_2025: Supports TLS 1.3 and later with 2025 cipher suites. Provides the strongest security posture.

      • ManagedLoginVersion (integer) --

        The version of managed login branding that you want to apply to your domain. A value of 1 indicates hosted UI (classic) branding and a version of 2 indicates managed login branding.

        Managed login requires that your user pool be configured for any feature plan other than Lite.

      • Routing (dict) --

        The routing configuration for the domain, including failover settings for multi-region deployments. Currently only Failover configurations are allowed.

        • Failover (dict) --

          The failover configuration that specifies the secondary region and health check settings.

          • SecondaryRegion (string) --

            The secondary Amazon Web Services Region to use for failover when the primary region becomes unavailable.

          • PrimaryRoute53HealthCheckId (string) --

            The ID of the Amazon Web Services Route 53 health check that controls routing. If the health check is healthy, traffic is routed to the primary replica; if it is unhealthy, traffic is routed to the secondary region.

UpdateUserPoolDomain (updated)
Changes (request)
{'CustomDomainConfig': {'SecurityPolicy': 'TLS_V1 | TLS_V1_2_2021 | TLS_V1_3_2025'}}

A user pool domain hosts managed login, an authorization server and web server for authentication in your application. This operation updates the branding version for user pool domains between 1 for hosted UI (classic) and 2 for managed login. It also updates the SSL certificate for user pool custom domains.

Changes to the domain branding version take up to one minute to take effect for a prefix domain and up to five minutes for a custom domain.

This operation doesn't change the name of your user pool domain. To change your domain, delete it with DeleteUserPoolDomain and create a new domain with CreateUserPoolDomain.

You can pass the ARN of a new Certificate Manager certificate in this request. Typically, ACM certificates renew automatically and your user pool can continue to use the same ARN. But if you generate a new certificate for your custom domain name, replace the original configuration with the new ARN in this request.

ACM certificates for custom domains must be in the US East (N. Virginia) Amazon Web Services Region. After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new certificate to your custom domain.

For more information about adding a custom domain to your user pool, see Configuring a user pool domain.

See also: AWS API Documentation

Request Syntax

client.update_user_pool_domain(
    Domain='string',
    UserPoolId='string',
    ManagedLoginVersion=123,
    CustomDomainConfig={
        'CertificateArn': 'string',
        'SecurityPolicy': 'TLS_V1'|'TLS_V1_2_2021'|'TLS_V1_3_2025'
    },
    Routing={
        'Failover': {
            'SecondaryRegion': 'string',
            'PrimaryRoute53HealthCheckId': 'string'
        }
    }
)
type Domain:

string

param Domain:

[REQUIRED]

The name of the domain that you want to update. For custom domains, this is the fully-qualified domain name, for example auth.example.com. For prefix domains, this is the prefix alone, such as myprefix.

type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The ID of the user pool that is associated with the domain you're updating.

type ManagedLoginVersion:

integer

param ManagedLoginVersion:

A version number that indicates the state of managed login for your domain. Version 1 is hosted UI (classic). Version 2 is the newer managed login with the branding editor. For more information, see Managed login.

type CustomDomainConfig:

dict

param CustomDomainConfig:

The configuration for a custom domain that hosts managed login for your application. In an UpdateUserPoolDomain request, this parameter specifies an SSL certificate for the managed login hosted webserver. The certificate must be an ACM ARN in us-east-1.

When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.

  • CertificateArn (string) -- [REQUIRED]

    The Amazon Resource Name (ARN) of a Certificate Manager (ACM) SSL certificate. You use this certificate for the subdomain of your custom domain.

  • SecurityPolicy (string) --

    The security policy for the custom domain. Defines the minimum TLS version and cipher suites that CloudFront uses when communicating with viewers (clients). Valid values are as follows:

    • TLS_V1: Supports TLS 1.0 and later. Provides the broadest client compatibility.

    • TLS_V1_2_2021: Supports TLS 1.2 and later with 2021 cipher suites. Recommended minimum for most use cases.

    • TLS_V1_3_2025: Supports TLS 1.3 and later with 2025 cipher suites. Provides the strongest security posture.
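As an added example (not code from the botocore changelog or the boto3 project), the following audit ties together the DescribeUserPoolDomain response and the UpdateUserPoolDomain request documented on this page: it flags custom domains whose SecurityPolicy is below TLS_V1_2_2021 and raises them, re-sending the existing CertificateArn because that field is required on update. The policy ranking, the StubCognito stand-in, and any sample ARN or pool ID are constructed assumptions; a real boto3.client("cognito-idp") can take the stub's place.

```python
# Added example, not code from the botocore changelog or boto3: audit Cognito custom
# domains for the SecurityPolicy value this release adds and raise weak ones. `client`
# is anything exposing describe_user_pool_domain / update_user_pool_domain, so
# boto3.client("cognito-idp") or the constructed StubCognito below both work.
POLICY_RANK = {"TLS_V1": 0, "TLS_V1_2_2021": 1, "TLS_V1_3_2025": 2}  # weakest first
MINIMUM_POLICY = "TLS_V1_2_2021"  # the page's "recommended minimum"

def classify_policy(desc, minimum=MINIMUM_POLICY):
    """Classify one DomainDescription dict; returns (policy, compliant, reason)."""
    cfg = desc.get("CustomDomainConfig") or {}
    if not cfg.get("CertificateArn"):
        # Assumption: a prefix domain carries no CustomDomainConfig, and the
        # SecurityPolicy is a custom-domain setting, so it does not apply.
        return (None, None, "prefix domain: SecurityPolicy not applicable")
    policy = cfg.get("SecurityPolicy")
    if policy not in POLICY_RANK:
        # Absent or unrecognised value: surface for review instead of guessing.
        return (policy, False, "SecurityPolicy not reported; verify manually")
    if POLICY_RANK[policy] < POLICY_RANK[minimum]:
        return (policy, False, f"{policy} is below {minimum}")
    return (policy, True, "ok")

def audit_domain_tls(client, domain, minimum=MINIMUM_POLICY):
    """DescribeUserPoolDomain, then classify the returned DomainDescription."""
    desc = client.describe_user_pool_domain(Domain=domain).get("DomainDescription", {})
    return classify_policy(desc, minimum)

def harden_domain_tls(client, domain, target=MINIMUM_POLICY):
    """Raise a weak custom domain to `target`; returns True if an update was sent."""
    desc = client.describe_user_pool_domain(Domain=domain).get("DomainDescription", {})
    policy, compliant, _ = classify_policy(desc, target)
    if compliant is not False or policy not in POLICY_RANK:
        return False  # prefix domain, already compliant, or flagged for manual review
    # CertificateArn is REQUIRED in UpdateUserPoolDomain, so the current ARN is
    # re-sent unchanged and only SecurityPolicy moves to the target value.
    client.update_user_pool_domain(
        Domain=domain, UserPoolId=desc["UserPoolId"],
        CustomDomainConfig={"CertificateArn": desc["CustomDomainConfig"]["CertificateArn"],
                            "SecurityPolicy": target})
    return True

class StubCognito:
    """Constructed offline stand-in for the boto3 cognito-idp client."""
    def __init__(self, domains):  # domains: name -> DomainDescription dict
        self.domains, self.updates = domains, []
    def describe_user_pool_domain(self, Domain):
        return {"DomainDescription": self.domains.get(Domain, {})}
    def update_user_pool_domain(self, **kwargs):
        self.updates.append(kwargs)
        self.domains[kwargs["Domain"]]["CustomDomainConfig"].update(kwargs["CustomDomainConfig"])
```

Running audit_domain_tls over every domain returned by a user pool inventory gives a TLS posture report; harden_domain_tls is idempotent, so re-running it after an update sends nothing.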

type Routing:

dict

param Routing:

The routing configuration for the user pool domain. Specifies failover settings for multi-region deployments.

  • Failover (dict) --

    The failover configuration that specifies the secondary region and health check settings.

    • SecondaryRegion (string) -- [REQUIRED]

      The secondary Amazon Web Services Region to use for failover when the primary region becomes unavailable.

    • PrimaryRoute53HealthCheckId (string) -- [REQUIRED]

      The ID of the Amazon Web Services Route 53 health check that controls routing. If the health check is healthy, traffic is routed to the primary replica; if it is unhealthy, traffic is routed to the secondary region.

rtype:

dict

returns:

Response Syntax

{
    'ManagedLoginVersion': 123,
    'CloudFrontDomain': 'string',
    'Routing': {
        'Failover': {
            'SecondaryRegion': 'string',
            'PrimaryRoute53HealthCheckId': 'string'
        }
    }
}

Response Structure

  • (dict) --

    The UpdateUserPoolDomain response output.

    • ManagedLoginVersion (integer) --

      A version number that indicates the state of managed login for your domain. Version 1 is hosted UI (classic). Version 2 is the newer managed login with the branding editor. For more information, see Managed login.

    • CloudFrontDomain (string) --

      The fully-qualified domain name (FQDN) of the Amazon CloudFront distribution that hosts your managed login or classic hosted UI pages. Your domain-name authority must have an alias record that points requests for your custom domain to this FQDN. Amazon Cognito returns this value if you set a custom domain with CustomDomainConfig. If you set an Amazon Cognito prefix domain, this operation returns a blank response.

    • Routing (dict) --

      The updated routing configuration for the user pool domain.

      • Failover (dict) --

        The failover configuration that specifies the secondary region and health check settings.

        • SecondaryRegion (string) --

          The secondary Amazon Web Services Region to use for failover when the primary region becomes unavailable.

        • PrimaryRoute53HealthCheckId (string) --

          The ID of the Amazon Web Services Route 53 health check that controls routing. If the health check is healthy, traffic is routed to the primary replica; if it is unhealthy, traffic is routed to the secondary region.