这是当您创建以用户池作为身份提供者的身份池时，通过aws控制台模拟的默认配置的方法.除了要求的功能外，它还包括其他一些功能(允许未经身份验证的访问并指定密码策略)，但是很容易根据您的需要进行修改.

This is the way I managed to mimic the default configuration created through the aws console when you create an identity pool with a user pool as identity provider. It includes some other features apart from what you have asked (allows unauthenticated access and specify the password policy), but is easy to modify to your needs.

    const userPool = new cognito.UserPool(this, 'MyUserPool', {
        signInType: SignInType.EMAIL,
        autoVerifiedAttributes: [
            UserPoolAttribute.EMAIL
        ]
    });
    const cfnUserPool = userPool.node.defaultChild as cognito.CfnUserPool;
    cfnUserPool.policies = {
        passwordPolicy: {
            minimumLength: 8,
            requireLowercase: false,
            requireNumbers: false,
            requireUppercase: false,
            requireSymbols: false
        }
    };
    const userPoolClient = new cognito.UserPoolClient(this, 'MyUserPoolClient', {
        generateSecret: false,
        userPool: userPool,
        userPoolClientName: 'MyUserPoolClientName'
    });
    const identityPool = new cognito.CfnIdentityPool(this, 'MyCognitoIdentityPool', {
        allowUnauthenticatedIdentities: false,
        cognitoIdentityProviders: [{
            clientId: userPoolClient.userPoolClientId,
            providerName: userPool.userPoolProviderName,
        }]
    });
    const unauthenticatedRole = new iam.Role(this, 'CognitoDefaultUnauthenticatedRole', {
        assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
            "StringEquals": { "cognito-identity.amazonaws.com:aud": identityPool.ref },
            "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" },
        }, "sts:AssumeRoleWithWebIdentity"),
    });
    unauthenticatedRole.addToPolicy(new PolicyStatement({
        effect: Effect.ALLOW,
        actions: [
            "mobileanalytics:PutEvents",
            "cognito-sync:*"
        ],
        resources: ["*"],
    }));
    const authenticatedRole = new iam.Role(this, 'CognitoDefaultAuthenticatedRole', {
        assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
            "StringEquals": { "cognito-identity.amazonaws.com:aud": identityPool.ref },
            "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },
        }, "sts:AssumeRoleWithWebIdentity"),
    });
    authenticatedRole.addToPolicy(new PolicyStatement({
        effect: Effect.ALLOW,
        actions: [
            "mobileanalytics:PutEvents",
            "cognito-sync:*",
            "cognito-identity:*"
        ],
        resources: ["*"],
    }));
    const defaultPolicy = new cognito.CfnIdentityPoolRoleAttachment(this, 'DefaultValid', {
        identityPoolId: identityPool.ref,
        roles: {
            'unauthenticated': unauthenticatedRole.roleArn,
            'authenticated': authenticatedRole.roleArn
        }
    });

为什么会有UserPool和CfnUserPool?它们之间有什么区别，应该使用哪一个?

Why is there a UserPool and CfnUserPool? What is difference between them and which one is supposed to be used?

UserPool是资源的高级表示，是首选的工作方式，但尚未实现所有属性. CfnUserPool(任何带Cfn前缀的类)是映射到Cloudformation资源的低级表示形式.如示例所示，当高级类不能满足您的需要时，您可以同时使用两者.

UserPool is a high-level representation of the resource and is the prefered way to work but not all the properties are implemented yet. CfnUserPool (an any Cfn prefixed class) is a low-level representation that maps to a Cloudformation resource. You can use both when the high-level class don't fulfill your necessities, as in the example.