Amplify has re-imagined the way frontend developers build fullstack applications. Develop and deploy without the hassle.

Fullstack TypeScript

Write your app's data model, auth, storage, and functions in TypeScript; Amplify will do the rest.

Built with the AWS CDK

Use any cloud resource your app needs. Never worry about scale.

Back to Gen 1 DocsLearn more

Choose your framework/language

Edit on GitHub

Page updated May 3, 2024

User groups

Amplify Auth provides a mechanism that allows you to group users. Assigning users to groups enable you to customize access for a collection of users, or leverage for auditing purposes. For example, only "ADMINS" users are permitted to delete posts from a bulletin, or only "EDITORS" are permitted to modify posts in a "draft" state. To get started with groups, configure the groups property:

amplify/auth/resource.ts
import { defineAuth } from "@aws-amplify/backend"


export const auth = defineAuth({
  loginWith: {
    email: true,
  },
  groups: ["ADMINS", "EDITORS"],
})

Note: There are a few limitations with groups, including a limit of 10,000 groups per user pool.

Defining access

Amplify resources enable you to define access for groups using common language. For example, you can use allow.groups in data:

amplify/data/resource.ts
import { type ClientSchema, a, defineData } from "@aws-amplify/backend"


const schema = a.schema({
  Article: a.model({}).authorization(allow => [
    allow.groups(["EDITORS"]).to(["read", "update"])
  ])
})


// ...

Or in storage:

amplify/storage/articles/resource.ts
import { defineStorage } from "@aws-amplify/backend"


export const storage = defineStorage({
  name: "articles",
  access: (allow) => ({
    "drafts/*": [allow.groups(["EDITORS"]).to(["read", "write"])],
  }),
})

By defining access with groups, Amplify configures authorization rules to read from the current user's groups. User pool groups are available as a claim in the user's ID token and access token as cognito:groups. Requests can be made to secure resources using the access token and validated against this claim to permit action on the resource.

Group roles

Each Cognito user pool group is assigned an IAM role. IAM roles can be modified to extend access to other AWS resources. Roles can be accessed from your backend on the role property of your group:

amplify/backend.ts
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';


/**
 * @see https://docs.amplify.aws/react/build-a-backend/ to add storage, functions, and more
 */
const backend = defineBackend({
  auth,
  data,
});


const { groups } = backend.auth.resources


// https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.IRole.html
groups["ADMINS"].role

Next steps

PREVIOUS
User attributes
NEXT
Multi-factor authentication
Site color mode

Amplify open source software, documentation and community are supported by Amazon Web Services.

© 2024, Amazon Web Services, Inc. and its affiliates.

All rights reserved. View the site terms and privacy policy.

Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.