Adding Advanced Security to a User Pool - Amazon Cognito

After you create your user pool, you have access to Advanced security on the navigation bar in the Amazon Cognito console. You can turn the user pool advanced security features on, and customize the actions that are taken in response to different risks. Or you can use audit mode to gather metrics on detected risks without taking action. In audit mode, the advanced security features publish metrics to Amazon CloudWatch. See Viewing Advanced Security Metrics.


Additional pricing applies for Amazon Cognito advanced security features. See the Amazon Cognito pricing page.


Before you begin, you need:

Configuring Advanced Security Features

To configure advanced security for a user pool

  1. From the left navigation bar, choose Advanced security.

  2. For Do you want to enable advanced security features for this user pool?, choose Yes to enable advanced security. Or choose Audit only to gather information, and send user pool data to Amazon CloudWatch.

    We recommend keeping the advanced security features in audit mode for two weeks before enabling actions. This allows Amazon Cognito to learn the usage patterns of your app users.

  3. From the What app client do you want to customize settings for? drop-down list, choose an app client. The default is to leave your settings as global for all app clients.

  4. For Which action do you want to take with the compromised credentials?, choose Allow or Block use.

  5. Choose Customize when compromised credentials are blocked to select which events should trigger compromised credentials checks:

    • Sign-in

    • Sign-up

    • Password change

  6. Choose how to respond to malicious sign-in attempts under How do you want to use adaptive authentication for sign-in attempts rated as low, medium and high risk?. You can allow or block the sign-in attempt, or require additional challenges before allowing the sign-in.

    To send email notifications when anomalous sign-in attempts are detected, choose Notify users.

  7. If you chose Notify users in the previous step, then you can customize the email notification messages by using the Notification message customization form:

  8. Choose Customize to customize adaptive authentication notifications with both HTML and plaintext email versions. To learn more about email templates, see Message Templates.

  9. Type any IP addresses that you want to Always allow, or Always block, regardless of the advanced security risk assessment. Specify the IP address ranges in CIDR notation (such as

  10. Choose Save changes.
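
The choices made in steps 3 through 9 can also be expressed as a request to the Amazon Cognito SetRiskConfiguration API. The following is an added example, not code from this page or from AWS: it builds that request offline and rejects malformed CIDR ranges or ranges that appear on both the always-allow and always-block lists. The function name, the lowercase choice labels, and the sample pool ID and IP ranges are assumptions made for illustration.

```python
import ipaddress

# Console choices (steps 4 and 6) mapped to SetRiskConfiguration enum values.
CRED_ACTIONS = {"allow": "NO_ACTION", "block": "BLOCK"}
ATO_ACTIONS = {"allow": "NO_ACTION", "optional_mfa": "MFA_IF_CONFIGURED",
               "require_mfa": "MFA_REQUIRED", "block": "BLOCK"}
CRED_EVENTS = {"SIGN_IN", "SIGN_UP", "PASSWORD_CHANGE"}  # step 5

def build_risk_configuration(user_pool_id, cred_action, cred_events, risk_actions,
                             always_allow=(), always_block=(), client_id=None):
    """Return keyword arguments for the cognito-idp SetRiskConfiguration call."""
    unknown = set(cred_events) - CRED_EVENTS
    if unknown:
        raise ValueError(f"unknown event filter(s): {sorted(unknown)}")
    # strict=True rejects ranges with host bits set, such as 192.0.2.7/24.
    allow = [ipaddress.ip_network(r, strict=True) for r in always_allow]
    block = [ipaddress.ip_network(r, strict=True) for r in always_block]
    # A range on both lists makes the intended outcome ambiguous; refuse it.
    for a in allow:
        for b in block:
            if a.version == b.version and a.overlaps(b):
                raise ValueError(f"{a} (always allow) overlaps {b} (always block)")
    request = {
        "UserPoolId": user_pool_id,
        "CompromisedCredentialsRiskConfiguration": {
            "EventFilter": sorted(cred_events),
            "Actions": {"EventAction": CRED_ACTIONS[cred_action]},
        },
        # Notify stays False here: notifications also need a NotifyConfiguration.
        "AccountTakeoverRiskConfiguration": {"Actions": {
            f"{level}Action": {"Notify": False,
                               "EventAction": ATO_ACTIONS[risk_actions[level.lower()]]}
            for level in ("Low", "Medium", "High")}},
    }
    exceptions = {"SkippedIPRangeList": [str(n) for n in allow],   # always allow
                  "BlockedIPRangeList": [str(n) for n in block]}   # always block
    exceptions = {k: v for k, v in exceptions.items() if v}
    if exceptions:
        request["RiskExceptionConfiguration"] = exceptions
    if client_id:  # omit to keep the settings global for all app clients
        request["ClientId"] = client_id
    return request

if __name__ == "__main__":
    # Constructed sample: placeholder pool ID and documentation-only IP ranges.
    print(build_risk_configuration(
        "us-east-1_EXAMPLE", "block", {"SIGN_IN", "PASSWORD_CHANGE"},
        {"low": "allow", "medium": "optional_mfa", "high": "block"},
        always_allow=["192.0.2.0/24"], always_block=["198.51.100.0/24"]))
```

With AWS credentials available, the returned dictionary can be passed to boto3 as `boto3.client("cognito-idp").set_risk_configuration(**request)`.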