Amazon Cognito
Developer Guide

Configuring Advanced Security for Amazon Cognito User Pools

After you create your user pool, you will have access to the Advanced security tab. From there you can customize settings for risk-based adaptive authentication and for protection against compromised credentials:

  • Turn on protection against compromised credentials for specific operations for your users.

  • Turn on adaptive authentication to add protections against malicious sign-in attempts that are rated as low-risk, medium-risk, or high-risk.

  • Notify your user by email when anomalous sign-in attempts are detected.

  • Customize the notification messages sent to users.

  • Choose to always allow or always block certain IP addresses regardless of risk detection.

You can turn the advanced security features on and customize the actions taken in response to different risks, or you can use audit mode to gather metrics on detected risks without taking action. In audit mode, the advanced security features publish metrics to Amazon CloudWatch. See Viewing Advanced Security Metrics.

We recommend keeping the advanced security features in audit mode for two weeks before enabling actions. This enables Amazon Cognito to learn usage patterns for advanced security protections.
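
The audit-then-enforce rollout can also be expressed as API request parameters. The following is an added example, not part of the original guide: it builds the arguments for the UpdateUserPool and SetRiskConfiguration operations and rejects IP ranges that are listed as both always allowed and always blocked. The function name build_requests, the per-level actions, the pool ID and the documentation-range CIDRs are assumptions chosen for illustration.

```python
import ipaddress

# Constructed policy: response per risk level once the mode is ENFORCED.
RISK_ACTIONS = {"LowAction": "NO_ACTION",
                "MediumAction": "MFA_IF_CONFIGURED",
                "HighAction": "BLOCK"}

def _parse(cidrs):
    # strict=False normalizes host bits; malformed input raises ValueError.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def build_requests(user_pool_id, mode, always_allow=(), always_block=()):
    """Return (update_user_pool kwargs, set_risk_configuration kwargs)."""
    if mode not in ("AUDIT", "ENFORCED"):
        raise ValueError("mode must be AUDIT or ENFORCED")
    allow, block = _parse(always_allow), _parse(always_block)
    for a in allow:
        for b in block:
            if a.version == b.version and a.overlaps(b):
                raise ValueError(f"{a} is always-allowed but overlaps blocked {b}")
    # Caveat: UpdateUserPool resets settings you omit to their defaults, so a
    # real call must also carry the pool's other existing settings.
    pool = {"UserPoolId": user_pool_id,
            "UserPoolAddOns": {"AdvancedSecurityMode": mode}}
    risk = {
        "UserPoolId": user_pool_id,
        "CompromisedCredentialsRiskConfiguration": {
            "EventFilter": ["SIGN_IN", "PASSWORD_CHANGE", "SIGN_UP"],
            "Actions": {"EventAction": "BLOCK"},
        },
        # Notify is False here, so no NotifyConfiguration (SES sender) is needed.
        "AccountTakeoverRiskConfiguration": {
            "Actions": {lvl: {"Notify": False, "EventAction": act}
                        for lvl, act in RISK_ACTIONS.items()},
        },
    }
    exceptions = {}
    if allow:
        exceptions["SkippedIPRangeList"] = [str(n) for n in allow]
    if block:
        exceptions["BlockedIPRangeList"] = [str(n) for n in block]
    if exceptions:
        risk["RiskExceptionConfiguration"] = exceptions
    return pool, risk

# With boto3 installed and credentials configured (not executed here):
#   idp = boto3.client("cognito-idp")
#   idp.update_user_pool(**pool); idp.set_risk_configuration(**risk)
```

Start with mode "AUDIT", review the CloudWatch metrics, then rebuild the requests with "ENFORCED" so the configured actions take effect.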


Additional pricing applies for Amazon Cognito advanced security features. See the Amazon Cognito pricing page.