Turning off advanced security features - Amazon Cognito

Turning off advanced security features

Advanced security features add configuration options to your user pool. Whenever at least one of these features is in use, advanced security is active. To deactivate these features, you must deactivate each active component. The Deactivate option in the Advanced security tab of the Amazon Cognito console turns off each of these features for you. This chapter describes the changes that deactivation makes to your user pool configuration, and how to turn off each of these features individually.

Access token customization

When you deactivate advanced security from the Advanced security tab, Amazon Cognito removes the pre token generation Lambda trigger from your user pool. To add a new pre token generation trigger without access token customization, assign a new function to the trigger and configure it for V1_0 events. These version one trigger events can process changes to ID tokens only.

To manually deactivate access token customization, remove your pre token generation trigger and add a new version one trigger.

Threat protection

When you deactivate advanced security from the Advanced security tab, Amazon Cognito deactivates all threat prevention features. Your user pool no longer processes context data, monitors for compromised credentials, or evaluates user activity for security risks.

Threat protection has no separate manual control. It is active whenever advanced security features are active, and it is turned off when you deactivate advanced security features.

Log export

When you deactivate advanced security from the Advanced security tab, Amazon Cognito deactivates log export. Your user pool no longer generates local or exported user-activity logs.

To deactivate log export, select Edit next to Export user activity logs in the Advanced security tab of the console. You can also send a SetLogDeliveryConfiguration API request that removes any configuration with an EventSource value of UserActivity.
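One way to script the API-based deactivation described above, as an added example that is not Amazon Cognito's own code: it reads the user pool's log delivery configuration, drops every entry whose EventSource identifies user-activity logging, and writes the remaining entries back with SetLogDeliveryConfiguration. It assumes the boto3 cognito-idp client; the EventSource values it matches ("UserActivity" as named on this page and "userAuthEvents" from the API reference), the FakeCognitoClient and the sample configuration are constructed so the code runs offline.

```python
# Added example, not Amazon Cognito's code; assumes the boto3 cognito-idp client API.
# EventSource values treated as user-activity logging, compared case-insensitively:
# "UserActivity" is the name the page uses, "userAuthEvents" the API's enum value.
USER_ACTIVITY_SOURCES = {"useractivity", "userauthevents"}

def remove_user_activity_exports(log_configurations):
    """Split a LogConfigurations list into (kept, removed) entries."""
    kept, removed = [], []
    for cfg in log_configurations:
        source = str(cfg.get("EventSource", "")).lower()
        (removed if source in USER_ACTIVITY_SOURCES else kept).append(cfg)
    return kept, removed

def deactivate_user_activity_log_export(user_pool_id, client=None, dry_run=True):
    """Read the pool's log delivery config, drop user-activity entries, write it back.
    With dry_run=True nothing is changed; the summary shows what would be removed."""
    if client is None:
        import boto3  # real AWS client, only needed when none is injected
        client = boto3.client("cognito-idp")
    current = client.get_log_delivery_configuration(UserPoolId=user_pool_id)
    configs = current.get("LogDeliveryConfiguration", {}).get("LogConfigurations", [])
    kept, removed = remove_user_activity_exports(configs)
    applied = bool(removed) and not dry_run
    if applied:
        # Sending only the remaining entries removes the user-activity export.
        client.set_log_delivery_configuration(UserPoolId=user_pool_id, LogConfigurations=kept)
    return {"removed": [c["EventSource"] for c in removed], "kept": kept, "applied": applied}

class FakeCognitoClient:
    """Constructed stand-in for the boto3 client so the example runs offline."""
    def __init__(self, configs):
        self.configs, self.calls = list(configs), []
    def get_log_delivery_configuration(self, UserPoolId):
        return {"LogDeliveryConfiguration": {"UserPoolId": UserPoolId,
                                             "LogConfigurations": list(self.configs)}}
    def set_log_delivery_configuration(self, UserPoolId, LogConfigurations):
        self.calls.append(("set", UserPoolId, list(LogConfigurations)))
        self.configs = list(LogConfigurations)

# Constructed sample: one notification log plus one user-activity export to remove.
SAMPLE_CONFIGS = [
    {"EventSource": "userNotification", "LogLevel": "ERROR",
     "CloudWatchLogsConfiguration": {"LogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:/cognito/notify"}},
    {"EventSource": "UserActivity", "LogLevel": "INFO",
     "S3Configuration": {"BucketArn": "arn:aws:s3:::example-user-activity-logs"}},
]
```

Run it first with the default dry_run=True to review what would be removed; the notification log entry is kept untouched because only user-activity sources are filtered out.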

Email MFA

In the Sign-in experience tab of your user pool, edit Multi-factor authentication and deselect Email message as one of the available MFA methods.