I'm not sure what permissions are needed to create a UserPool. There are no AWS managed policies for creating/updating/deleting a UserPool. In the description of one of the managed Cognito policies, it says:

> You will need AWS account admin privileges to create new Cognito resources.

For my testing, I used the AdministratorAccess managed policy. To follow the principle of least privilege, it's not clear which actions Crossplane needs access to. Here is a list of some areas that it might touch:

* cognito-identity
* cognito-ip
* cognito-sync
* iam
* kinesis
* lambda
* sns
* ses
* mobiletargeting
* acm
* sms-voice
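One practical way to answer "which actions does the controller actually need" is to run it once under the broad policy, then mine the CloudTrail events recorded for the controller's principal and turn them into a draft policy. The script below is an added example, not code from the Crossplane project or the original comment; the CloudTrail records in it are constructed, and the role ARN and account id are placeholders. It assumes the common case where the CloudTrail `eventName` equals the IAM action name, which holds for the Cognito user pool APIs but not universally (for example, `iam:PassRole` is authorized inside the call that passes the role and is not logged as its own event), so the output is a starting point for review, not a finished policy.

```python
"""Draft a least-privilege IAM policy from CloudTrail records.

Workflow (added example, not part of the original issue):
  1. Run the controller under a broad policy such as AdministratorAccess.
  2. Pull the CloudTrail events made by the controller's principal.
  3. Map eventSource + eventName to IAM actions and group them by service.
  4. Review the draft by hand: narrow Resource, and add actions that are
     authorized implicitly and never appear as their own event (iam:PassRole).
"""
import json
from collections import defaultdict

# Placeholder principal for the controller; not a real account or role.
PROVIDER_ROLE_ARN = "arn:aws:iam::123456789012:role/crossplane-provider-aws"

# Constructed CloudTrail records (not real captures). Only the fields used
# by the derivation are included.
SAMPLE_EVENTS = [
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "CreateUserPool",
     "userIdentity": {"arn": PROVIDER_ROLE_ARN}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "DescribeUserPool",
     "userIdentity": {"arn": PROVIDER_ROLE_ARN}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "DescribeUserPool",
     "userIdentity": {"arn": PROVIDER_ROLE_ARN}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "UpdateUserPool",
     "userIdentity": {"arn": PROVIDER_ROLE_ARN}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "DeleteUserPool",
     "userIdentity": {"arn": PROVIDER_ROLE_ARN}},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetRole",
     "userIdentity": {"arn": PROVIDER_ROLE_ARN}},
    # Unrelated activity by a human user in the same trail; must be ignored.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]


def iam_action(event):
    """Map a CloudTrail record to an IAM action string.

    The service prefix is the first label of eventSource
    ("cognito-idp.amazonaws.com" -> "cognito-idp"); the action is eventName.
    """
    service = event["eventSource"].split(".", 1)[0]
    return f"{service}:{event['eventName']}"


def derive_actions(events, principal_arn):
    """Return the set of IAM actions invoked by one principal."""
    actions = set()
    for event in events:
        if event.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        actions.add(iam_action(event))
    return actions


def build_policy(actions):
    """Group actions into one Allow statement per service prefix.

    Resource is left as "*" deliberately so the reviewer is forced to scope
    it (e.g. to the user pool ARNs the controller manages).
    """
    by_service = defaultdict(list)
    for action in sorted(actions):
        by_service[action.split(":", 1)[0]].append(action)
    statements = [
        {
            "Sid": f"{service.replace('-', '')}Access",
            "Effect": "Allow",
            "Action": acts,
            "Resource": "*",
        }
        for service, acts in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    used = derive_actions(SAMPLE_EVENTS, PROVIDER_ROLE_ARN)
    print(json.dumps(build_policy(used), indent=2))
```

On a real account the `SAMPLE_EVENTS` list would come from a CloudTrail lookup or an S3 trail export filtered on the controller's role; diffing the derived action set against the broad policy it ran under is what turns the admin-privilege starting point into a reviewable least-privilege policy.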