Turning off advanced security features
Advanced security features add configuration options to your user pool. Whenever at least one of these features is in use, advanced security is active. To deactivate these features, you must deactivate each active component. The Deactivate option in the Advanced security tab of the Amazon Cognito console turns off each of these features for you. With this chapter, you can learn the changes that deactivation makes to your user pool configuration, and how to turn off these features individually.
- Access token customization
  When you deactivate advanced security from the Advanced security tab, Amazon Cognito removes the pre token generation Lambda trigger from your user pool. To add a new pre token generation trigger without access token customization, assign a new function to the trigger and configure it for V1_0 events. These version one trigger events can process changes to ID tokens only.
  To manually deactivate access token customization, remove your pre token generation trigger and add a new version one trigger.
- Threat protection
  When you deactivate advanced security from the Advanced security tab, Amazon Cognito deactivates all threat prevention features. Your user pool no longer processes context data, monitors for compromised credentials, or evaluates user activity for security risks.
  No manual action is available to deactivate threat protection. Activation and deactivation of advanced security features activates or deactivates threat protection.
- Log export
  When you deactivate advanced security from the Advanced security tab, Amazon Cognito deactivates log export. Your user pool no longer generates local or exported user-activity logs.
  To deactivate log export, select Edit next to Export user activity logs in the Advanced security tab of the console. You can also send a SetLogDeliveryConfiguration API request that removes any configuration with an EventSource value of UserActivity.
- Email MFA
  In the Sign-in experience tab of your user pool, edit Multi-factor authentication and deselect Email message as one of the available MFA methods.
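
Because advanced security stays active while any one component is in use, it helps to check all four after a partial deactivation. The following is an added example, not code from the Amazon Cognito documentation: it reads the parsed JSON responses of DescribeUserPool, GetLogDeliveryConfiguration and GetUserPoolMfaConfig and lists the components that are still on. The function name, the component labels, the sample responses, and the treatment of a present EmailMfaConfiguration as "email MFA enabled" are assumptions.

```python
# Event sources treated as user-activity logging. Assumption: the page writes the
# value as "UserActivity"; "userAuthEvents" is the EventSource value in the API
# reference. Both are matched, case-insensitively.
ACTIVITY_SOURCES = {"useractivity", "userauthevents"}


def active_components(pool, log_delivery, mfa):
    """Return labels (hypothetical names) of components that are still active."""
    active = []
    user_pool = pool.get("UserPool", {})

    # Access token customization: a pre token generation trigger newer than V1_0.
    trigger = user_pool.get("LambdaConfig", {}).get("PreTokenGenerationConfig", {})
    if trigger.get("LambdaArn") and trigger.get("LambdaVersion", "V1_0") != "V1_0":
        active.append("access-token-customization")

    # Threat protection: any AdvancedSecurityMode other than OFF.
    mode = user_pool.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF")
    if mode != "OFF":
        active.append("threat-protection")

    # Log export: a log configuration whose event source is user activity.
    configs = log_delivery.get("LogDeliveryConfiguration", {}).get("LogConfigurations", [])
    if any(c.get("EventSource", "").lower() in ACTIVITY_SOURCES for c in configs):
        active.append("log-export")

    # Email MFA: assumed enabled when the MFA config carries an email section.
    if mfa.get("EmailMfaConfiguration"):
        active.append("email-mfa")
    return active


# Constructed sample responses: a pool where only part of the work is done.
SAMPLE_POOL = {"UserPool": {
    "Id": "us-east-1_EXAMPLE",
    "LambdaConfig": {"PreTokenGenerationConfig": {
        "LambdaArn": "arn:aws:lambda:us-east-1:111122223333:function:example",
        "LambdaVersion": "V1_0"}},
    "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"}}}
SAMPLE_LOGS = {"LogDeliveryConfiguration": {"LogConfigurations": [
    {"EventSource": "userNotification", "LogLevel": "ERROR"}]}}
SAMPLE_MFA = {"MfaConfiguration": "OPTIONAL",
              "EmailMfaConfiguration": {"Subject": "Your code"}}

if __name__ == "__main__":
    print(active_components(SAMPLE_POOL, SAMPLE_LOGS, SAMPLE_MFA))
```

An empty result means no component listed on this page is still configured on the pool.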