AWS cognito documentation change
Summary
Added two CLI examples: server-side filtering by email prefix and client-side filtering via JMESPath query
Security assessment
Change demonstrates user search techniques but does not address security vulnerabilities or document security features. Filtering examples are operational improvements rather than security-focused updates.
Diff
diff --git a/cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_ListUsers_section.md index 4c8cca571..7549ac72f 100644 --- a/cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_ListUsers_section.md +++ b/cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_ListUsers_section.md @@ -64 +64 @@ CLI -**To list users** +**Example 1: To list users with a server-side filter** @@ -66 +66 @@ CLI -This example lists up to 20 users. +The following `list-users` example lists 3 users in the requested user pool whose email addresses begin with `testuser`. @@ -68 +67,0 @@ This example lists up to 20 users. -Command: @@ -70,2 +69,4 @@ Command: - - aws cognito-idp list-users --user-pool-id us-west-2_aaaaaaaaa --limit 20 + aws cognito-idp list-users \ + --user-pool-id us-west-2_EXAMPLE \ + --filter email^=\"testuser\" \ + --max-items 3 @@ -77,0 +79 @@ Output: + "PaginationToken": "efgh5678EXAMPLE", @@ -80 +82,10 @@ Output: - "Username": "22704aa3-fc10-479a-97eb-2af5806bd327", + "Attributes": [ + { + "Name": "sub", + "Value": "eaad0219-2117-439f-8d46-4db20e59268f" + }, + { + "Name": "email", + "Value": "[email protected]" + } + ], @@ -82,3 +93,6 @@ Output: - "UserStatus": "FORCE_CHANGE_PASSWORD", - "UserCreateDate": 1548089817.683, - "UserLastModifiedDate": 1548089817.683, + "UserCreateDate": 1682955829.578, + "UserLastModifiedDate": 1689030181.63, + "UserStatus": "CONFIRMED", + "Username": "testuser" + }, + { @@ -88 +102 @@ Output: - "Value": "22704aa3-fc10-479a-97eb-2af5806bd327" + "Value": "3b994cfd-0b07-4581-be46-3c82f9a70c90" @@ -91,2 +105,15 @@ Output: - "Name": "email_verified", - "Value": "true" + "Name": "email", + "Value": "[email protected]" + } + ], + "Enabled": true, + "UserCreateDate": 1684427979.201, + "UserLastModifiedDate": 1684427979.201, + "UserStatus": "UNCONFIRMED", + "Username": "testuser2" + }, + { + "Attributes": [ + { + "Name": "sub", + "Value": "5929e0d1-4c34-42d1-9b79-a5ecacfe66f7" @@ -96 +123 @@ Output: - "Value": "[email protected]" + "Value": "[email protected]" @@ -98 +125,6 @@ Output: - ] + ], + "Enabled": true, + "UserCreateDate": 1684427823.641, + "UserLastModifiedDate": 1684427823.641, + "UserStatus": "UNCONFIRMED", + "Username": "[email protected]" @@ -102,0 +135,34 @@ Output: +For more information, see [Managing and searching for users](https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html) in the _Amazon Cognito Developer Guide_. + +**Example 2: To list users with a client-side filter** + +The following `list-users` example lists the attributes of three users who have an attribute, in this case their email address, that contains the email domain "@example.com". If other attributes contained this string, they would also be displayed. The second user has no attributes that match the query and is excluded from the displayed output, but not from the server response. + + + aws cognito-idp list-users \ + --user-pool-id us-west-2_EXAMPLE \ + --max-items 3 + --query Users\[\*\].Attributes\[\?Value\.contains\(\@\,\'@example.com\'\)\] + + +Output: + + + [ + [ + { + "Name": "email", + "Value": "[email protected]" + } + ], + [], + [ + { + "Name": "email", + "Value": "[email protected]" + } + ] + ] + +For more information, see [Managing and searching for users](https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html) in the _Amazon Cognito Developer Guide_. +