在为 Amplify 配置 Cognito User Pool 时，如果前端需要执行“read”和“list”类操作（例如 cognito-idp:ListUsers），相应权限必须在 IAM 中授予 Identity Pool 的 Authenticated 角色；客户端代码本身无法“授权”，只能使用该角色签发的临时凭证去调用。注意：授予该角色的任何权限对所有已登录用户都可用，因此应遵循最小权限原则。配置示例如下:
import Amplify, { Auth } from 'aws-amplify'
// Amplify Auth configuration for the Cognito user pool + identity pool.
// The upper-case values are placeholders and must be replaced with real IDs.
const authConfig = {
  identityPoolId: 'IDENTITY_POOL_ID',
  region: 'REGION',
  userPoolId: 'USER_POOL_ID',
  userPoolWebClientId: 'USER_POOL_WEB_CLIENT_ID',
  // Require a signed-in user before Amplify hands out identity-pool credentials.
  mandatorySignIn: true,
  // NOTE(review): USER_PASSWORD_AUTH transmits the password itself to Cognito;
  // the default USER_SRP_AUTH never sends it over the wire. Confirm this flow is
  // really required before keeping it.
  authenticationFlowType: 'USER_PASSWORD_AUTH'
}
Amplify.configure({
  Auth: authConfig,
  Storage: { ... },
  API: { ... }
})
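// Call ListUsers with the signed-in user's temporary identity-pool credentials.
// Nothing in this snippet *grants* the permission: the identity pool's
// authenticated IAM role must already allow "cognito-idp:ListUsers" on the user
// pool ARN, and whatever that role allows is reachable by every signed-in user,
// so keep it minimal (or move this call behind a backend you control).
// NOTE(review): top-level `await` needs an ES module or an enclosing async
// function, and `AWS` (aws-sdk v2) is not imported on this page -- it must be
// brought into scope before this runs.

// Throws if nobody is signed in, so the rest only runs for an authenticated user.
const user = await Auth.currentAuthenticatedUser()
const credentials = await Auth.currentCredentials()
const { accessKeyId, secretAccessKey, sessionToken } = credentials

// IAM action the authenticated role has to allow for the call below to succeed.
const operation = 'cognito-idp:ListUsers'
const params = {
  UserPoolId: 'USER_POOL_ID',
  // Every listed attribute of every user is returned to the caller -- request
  // only what the page actually needs.
  AttributesToGet: ['email', 'phone_number', 'custom:foo', 'custom:bar']
}

AWS.config.update({
  accessKeyId,
  secretAccessKey,
  sessionToken,
  region: 'REGION'
})
const cognitoClient = new AWS.CognitoIdentityServiceProvider()

// ListUsers is an ordinary SDK call. The previous version re-authenticated the
// already signed-in user through AdminInitiateAuth with a password embedded in
// client code, then passed an IAM action name as a "ChallengeName" to a
// non-existent createAuthChallenge() method, and redeclared `response` (a
// SyntaxError). AdminInitiateAuth is an admin API that needs
// cognito-idp:AdminInitiateAuth rights and belongs on a trusted backend, never
// in a browser; it is not needed to read from the pool.
let response
try {
  response = await cognitoClient.listUsers(params).promise()
} catch (err) {
  // Most likely AccessDeniedException: the authenticated role lacks `operation`.
  throw new Error(`${operation} failed for user ${user.username}`, { cause: err })
}
// NOTE(review): results are paged (PaginationToken); follow it if the pool is
// larger than one page.
console.log(response)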
需要注意的是，“ADMIN_USER_PASSWORD_AUTH”（AdminInitiateAuth）是需要 IAM 权限（cognito-idp:AdminInitiateAuth）的服务端管理 API，面向可信后端；浏览器或移动端应用不应使用它，也不应在客户端代码中硬编码密码。已经登录的用户无需再次认证，前端登录应使用 Auth.signIn（默认 USER_SRP_AUTH）。如果你的应用程序的认证流程不同，请根据实际情况更改。
另外，示例中的查询操作是“cognito-idp:ListUsers”，对应 SDK 的 listUsers 调用；Authenticated 角色的 IAM 策略需要在 User Pool 的 ARN 上允许该 Action。ListUsers 会返回池内其他用户的属性（如 email、phone_number），把它开放给所有已登录用户意味着任何登录者都能枚举这些信息，请确认业务确实需要，否则应改由后端代理并做授权检查。如果你需要查询特定的对象，请使用相应的操作名称。