AWS Cognito

#339 most-used

Add user authentication and access control to any app in minutes

HR · Developer · Security · Automation · Cloud & Infrastructure

AWS Cognito is Amazon's fully managed identity service — it handles user sign-up, sign-in, MFA, and federated access (social logins, SAML, OIDC enterprise providers) so engineering teams never have to build auth from scratch. Connect it to Actionist and your agents can create and manage user accounts, organise users into groups with role-based permissions, query user pools for support and compliance lookups, and react to identity events — all without touching the AWS console.

Average time saved: 7 hours per person · per month (≈ 1 workday back)

Eliminates manual work. Agents eliminate the manual cycle of raising IT tickets for account provisioning, offboarding, password resets, and payment suspension — identity operations that previously waited hours or days complete in under a minute.

Schedule

What your AWS Cognito agent runs on autopilot

A week of scheduled jobs your Actionist agent will execute on your behalf.

28 scheduled jobs · 7 agents at work · 24/7 always on

Multi-app workflows

AWS Cognito × every other app you use

End-to-end automations that span multiple apps — each one a real business outcome.

6 workflows · 8 apps spanned · ~19 hrs saved / week · 6 personas served
For HR · Featured · 4 apps

New hire gets full app access on day one

When a new hire is added to the HRIS, the agent provisions a Cognito account with the correct role group and department attribute, then posts the new starter's login details to Slack and creates an onboarding checklist in Notion for their manager — all before the employee's first morning.

~3 hrs

Time saved for your team — every week, on autopilot

The flow
Trigger: When a new employee record is added to the HRIS
Result:
  • Create User with work email and department attribute
  • Add User to Group based on job title role mapping
  • Post welcome message to #new-starters with their login details
  • Create onboarding task checklist for the employee's manager
The win
Saved per run: 40 min
Runs / week: ~5×
New employees log in on day one without any IT ticket
Driven by Human Resources Agent
ROI

Savings

What your team gets back — two angles: what you stop doing manually, and what that's worth.

Without Actionist

What you do manually today

With Actionist

What your agent runs for you

  • Sales
    25 min / week
    Manual account provisioning after deal close

    After a deal is marked Won, the sales rep raises an IT ticket to provision the customer's Cognito account. The customer waits 1–2 business days before they can log in.

    Sales Agent
    0 min
    Agent provisions access within minutes of deal close

    When a deal is marked Won in the CRM, the Sales Agent creates the Cognito user, sets the plan tier attribute, and adds them to the correct subscription group — the customer receives their welcome email before the sales rep finishes the post-call notes.

  • Marketing
    15 min / week
    Manual beta group setup for each launch cohort

    For every beta launch, an engineer manually creates the Cognito group, gets the list from the product manager, and adds users one by one in the AWS console — typically 2–4 hours per cohort.

    Marketing Agent
    0 min
    Agent creates the group and adds all users when a cohort is approved

    When a beta cohort is approved in Notion, the Marketing Agent creates the Cognito group and adds every approved user in the same scheduled agent task — beta testers have access within minutes, no engineer required.

  • Customer Support
    30 min / week
    Support reps log into AWS console to reset passwords

    When a customer is locked out, the support rep opens the AWS console, searches for the user, and triggers a password reset manually — each case takes 5–10 minutes and requires AWS IAM access.

    Customer Support Agent
    0 min
    Agent resets the password within a minute of ticket creation

    The Support Agent detects the locked-out ticket keyword, calls Reset User Password in Cognito, and sends the customer an automated reply — the customer receives their reset code before the rep has read the ticket.

  • Human Resources
    40 min / week
    IT ticket for every hire, transfer, and departure

    HR submits an IT ticket for each new hire, department transfer, and offboarding. IT processes them in batches, typically 1–3 days after the HR event, leaving windows where access is wrong.

    Human Resources Agent
    0 min
    Agent syncs identity changes the day they happen in the HRIS

    New hires get Cognito accounts on their start date. Transfers get attributes and group memberships updated the same day the HRIS changes. Departures are suspended by end of their last working day — all without an IT ticket.

  • Finance
    20 min / week
    Manual account suspension after payment failures

    Finance identifies payment failures in Stripe and emails IT to suspend the Cognito account — typically a 24-hour gap during which a defaulting customer retains full access.

    Finance Agent
    0 min
    Agent suspends access within a minute of payment failure

    When Stripe records a payment failure, the Finance Agent disables the Cognito account within about a minute and creates a collections follow-up task — access is restored automatically the moment payment clears.

  • Operations
    35 min / week
    Quarterly manual access audit by engineering

    Every quarter an engineer spends half a day listing Cognito groups and their members in the AWS console, comparing against a spreadsheet, and chasing down discrepancies via Slack.

    Operations Agent
    0 min
    Agent runs the access audit weekly and alerts on discrepancies

    The Operations Agent runs a full Cognito group and member audit every Wednesday, compares against the approved register, and Slacks any deviation immediately — what used to be a quarterly effort now happens weekly and automatically.

  • Legal
    20 min / week
    GDPR erasure takes 2–3 business days via IT

    Legal receives an erasure request, emails IT with the user's details, IT locates and deletes the Cognito account, and manually reports back to legal — the whole cycle averages 2–3 business days.

    Legal Agent
    0 min
    Agent fulfils erasure requests in under two minutes with an audit trail

    When an erasure request is approved, the Legal Agent finds and deletes the Cognito account, writes a deletion certificate to the compliance log, and notifies the legal team in Slack — all within about two minutes of approval.

+ 100s of other AWS Cognito automations
Average time saved
19 hrs / person / month
Calculator

Calculate what your team saves

Team size: 5 people
Hourly rate: $75 / hr
Hours saved / week: 9
Hours saved / year: 450
Annual ROI: $33,750

Based on AWS Cognito's typical team usage — the visible tasks plus a few other automations the agent runs: ~1.8 hrs / person / week of admin work automated.

Connect

How to plug AWS Cognito into Actionist

Pick the connection method that suits your environment.

Connect Actionist to AWS Cognito using an IAM user's Access Key ID and Secret Access Key scoped to Cognito permissions. This is the standard programmatic access method for AWS services.

1. Create an IAM user for Actionist

In the AWS IAM console, create a new user (e.g. actionist-cognito-agent). Attach a policy granting cognito-idp:* on the specific User Pool ARN you want Actionist to manage. Do not use your root account credentials.

2. Generate Access Keys

Under the IAM user → Security credentials, click Create access key. Choose 'Application running outside AWS'. Copy the Access Key ID and Secret Access Key — you cannot retrieve the secret again after leaving this screen.

3. Enter credentials in Actionist

Paste the Access Key ID, Secret Access Key, and your AWS region into the fields below. Actionist runs a read-only ListUserPools call to verify the connection before any actions execute.

Credentials you'll need
AWS Region*: The AWS region where your User Pool lives, e.g. us-east-1
Access Key ID*: IAM user Access Key ID with cognito-idp:* permissions
Secret Access Key*: Corresponding Secret Access Key (store this in a secrets manager)
Actions

15 actions your agent can call

Read and write operations available to your Actionist agent.

Triggers

0 events your agent can react to

Events your agent watches for, and the actions it kicks off in response.

This app has no triggers yet.
FAQs

Questions about AWS Cognito + Actionist

How does Actionist connect to AWS Cognito?
Go to the Apps tab, find AWS Cognito, and click Connect. You will need an AWS IAM Access Key ID and Secret Access Key from a user with cognito-idp:* permissions on your User Pool, plus the AWS region (e.g. us-east-1). Actionist runs a read-only ListUserPools call to verify the connection before any actions execute. We recommend creating a dedicated IAM user for Actionist scoped to only the User Pool ARN you want the agent to manage — do not use your root account credentials.
Which IAM permissions does Actionist need for AWS Cognito?
The minimum required permissions are: cognito-idp:AdminCreateUser, cognito-idp:AdminDeleteUser, cognito-idp:AdminGetUser, cognito-idp:AdminUpdateUserAttributes, cognito-idp:AdminDisableUser, cognito-idp:AdminEnableUser, cognito-idp:AdminResetUserPassword, cognito-idp:AdminAddUserToGroup, cognito-idp:AdminRemoveUserFromGroup, cognito-idp:ListUsers, cognito-idp:CreateGroup, cognito-idp:DeleteGroup, cognito-idp:GetGroup, cognito-idp:ListGroups, and cognito-idp:DescribeUserPool. Scope all of these to the specific User Pool ARN — do not grant account-wide cognito-idp:* unless you intentionally want the agent to access all pools.
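An added Python example, not Actionist's or AWS's own code: it builds the pool-scoped policy from the 15 actions listed above and audits any policy document for wildcard actions or resources outside the pool. The account ID, pool ID and `Sid` names are constructed placeholders; the separate `ListUserPools` statement is an assumption based on the connection check this page describes, and it uses `"Resource": "*"` because that action cannot be scoped to a User Pool ARN.

```python
import json

# Minimum actions listed on this page for the Actionist connection.
MINIMUM = {f"cognito-idp:{a}" for a in (
    "AdminCreateUser AdminDeleteUser AdminGetUser AdminUpdateUserAttributes "
    "AdminDisableUser AdminEnableUser AdminResetUserPassword AdminAddUserToGroup "
    "AdminRemoveUserFromGroup ListUsers CreateGroup DeleteGroup GetGroup "
    "ListGroups DescribeUserPool").split()}
# Connection check named on the page; it has no resource-level scoping in IAM,
# so it gets its own statement with Resource "*" (assumption: it is required).
VERIFY = "cognito-idp:ListUserPools"

def build_policy(pool_arn):
    """IAM policy granting only the minimum actions on a single User Pool."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "UserPoolAdmin", "Effect": "Allow",
         "Action": sorted(MINIMUM), "Resource": pool_arn},
        {"Sid": "ConnectionCheck", "Effect": "Allow",
         "Action": VERIFY, "Resource": "*"},
    ]}

def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, pool_arn):
    """Return findings where an Allow statement exceeds the page's guidance."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        for action in actions:
            if "*" in action:
                findings.append(f"wildcard action {action}")
            elif action not in MINIMUM and action != VERIFY:
                findings.append(f"action outside minimum set: {action}")
        # Only the ListUserPools-only statement may use Resource "*".
        if actions != [VERIFY]:
            for res in as_list(stmt.get("Resource", [])):
                if res != pool_arn:
                    findings.append(f"resource not scoped to the pool: {res}")
    return findings

# Constructed sample values (placeholder account ID and pool ID).
POOL_ARN = "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cognito-idp:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(build_policy(POOL_ARN), indent=2))
    print(audit_policy(BROAD, POOL_ARN))
```

Running the audit against the policy attached to the dedicated IAM user before pasting its keys into Actionist shows whether the credentials reach beyond the intended pool.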
Can Actionist manage multiple Cognito User Pools?
Yes — you can connect multiple Cognito credentials in Actionist, one per User Pool (or per AWS account/region if your pools span regions). Each connection is named and selected individually in the agent's action configuration. This is useful if you have separate User Pools for production, staging, and EU-residency customers and want the agent to operate on each independently.
Does Actionist support Cognito custom attributes?
Yes. The Update User action and the Create User action both support setting custom attributes defined in your User Pool schema (e.g. custom:plan_tier, custom:department, custom:trial_expiry). Pass the attribute name exactly as it appears in the User Pool schema, including the custom: prefix. Actionist does not create new schema attributes — those must be defined in the User Pool schema before the agent tries to set them.
Can Actionist trigger workflows when a user signs up or signs in to Cognito?
Not directly — Cognito does not expose a webhook-style event stream that Actionist polls. Real-time sign-up and sign-in events are best handled through AWS Lambda triggers configured in the Cognito User Pool console (Pre sign-up, Post confirmation, Pre token generation, etc.). Actionist's value with Cognito is in the administrative API — managing users, groups, attributes, and passwords at scale from agent scheduled tasks rather than reacting to auth-flow events.
How does Actionist handle GDPR right-to-erasure requests for Cognito users?
The Legal Agent uses the Get User action to confirm the account exists and to log the user's attributes as a pre-deletion record, then calls Delete User to permanently remove the account from the Cognito User Pool. The deletion timestamp and operator details are written to a compliance audit log (e.g. a Google Sheet or Notion database) in the same agent task. The agent does not delete data from other connected systems automatically — GDPR fulfilment across your full data estate requires combining Actionist's Cognito action with equivalent delete actions in each other connected app.
What is the difference between Disable User and Delete User in Actionist?
Disable User (AdminDisableUser) suspends the account — the user cannot sign in and their existing tokens are invalidated, but the account record, all attributes, and group memberships are preserved. Enable User reverses this instantly. Delete User (AdminDeleteUser) permanently removes the account from the User Pool and cannot be undone. Use Disable User for temporary suspensions (payment failures, investigations, notice periods) and Delete User only when permanent removal is required (GDPR erasure, post-retention-window cleanup). Actionist does not automatically delete disabled accounts — that requires a separate scheduled agent task.
Can Actionist work with Cognito Identity Pools as well as User Pools?
Actionist's current Cognito integration targets the User Pool administrative API (cognito-idp) — user management, group management, and password operations. Cognito Identity Pool operations (federated identity, STS credential vending) are not currently covered by Actionist actions. If you need to manage IAM-level temporary credentials or cross-account federated access, those operations are handled outside Cognito's user directory and are not part of this integration.