User pool advanced security features

After you create your user pool, you have access to Advanced security on the navigation bar in the Amazon Cognito console. You can turn the user pool advanced security features on, and customize the actions that are taken in response to different risks. Or you can use audit mode to gather metrics on detected risks without applying any security mitigations. In audit mode, the advanced security features publish metrics to Amazon CloudWatch. You can see advanced security metrics after Amazon Cognito generates its first advanced security event. See Viewing threat protection metrics.

Additional pricing applies for advanced security features. For more information, see Amazon Cognito pricing.

The following user pool options are the components of advanced security features.

Access token customization

When you activate advanced security features, you can configure your user pool to accept responses to a version 2 Lambda trigger event. With version 2, you can customize scopes and other claims in access tokens. This increases your ability to create flexible authorization outcomes when your users authenticate. For more information, see Customizing the access token.

Threat protection

Threat protection is a set of monitoring tools for unwanted activity in your user pool, and configuration tools to automatically shut down potentially malicious activity. Threat protection has different configuration options for standard and custom authentication operations. For example, you might want to send a notification to a user with a suspicious custom authentication sign-in, where you have set up additional security factors, but block a user at the same risk level with basic username-password authentication.

Compromised credentials

Users reuse passwords for multiple user accounts. The compromised credentials feature of Amazon Cognito compiles data from public leaks of user names and passwords, and compares your users' credentials to lists of leaked credentials. Compromised credentials detection also checks for commonly-guessed passwords. You can check for compromised credentials in username-and-password standard authentication flows in user pools. Amazon Cognito doesn't detect compromised credentials in secure remote password (SRP) or custom authentication.

You can choose the user actions that prompt a check for compromised credentials, and the action that you want Amazon Cognito to take in response. For sign-in, sign-up, and password-change events, Amazon Cognito can Block sign-in, or Allow sign-in. In both cases, Amazon Cognito generates a user activity log where you can find more information about the event.

Adaptive authentication

Amazon Cognito can review location and device information from your users' sign-in requests and apply an automatic response to secure the user accounts in your user pool against suspicious activity. You can monitor user activity and automate responses to detected risk levels in username-password and SRP, and custom authentication.

When you activate advanced security, Amazon Cognito assigns a risk score to user activity. You can assign an automatic response to suspicious activity: you can Require MFA, Block sign-in, or just log the activity details and risk score. You can also automatically send email messages that notify your user of the suspicious activity so that they can reset their password or take other self-guided actions.

IP address allowlist and denylist

With Amazon Cognito advanced security features in Full function mode, you can create IP address Always block and Always allow exceptions. A session from an IP address on the Always block exception list isn't assigned a risk level by adaptive authentication, and can't sign in to your user pool.

Log export

Advanced security features log granular details of users' authentication requests to your user pool. These logs feature threat assessments, user information, and session metadata like location and device. You can create external archives of these logs for retention and analysis. Amazon Cognito user pools export threat protection logs to Amazon S3, CloudWatch Logs, and Amazon Data Firehose. For more information, see Viewing and exporting user event history.
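As an added illustration, not part of this documentation page: a small Python triage routine over a constructed sample shaped like the AuthEvents list that the AdminListUserAuthEvents API returns (field names and enum values are assumed to match that response). It shows what an audit-mode review would pull out of the user event history: risk levels, compromised-credential hits, risky sign-ins that still passed, and source IPs that recur in account-takeover decisions.

```python
from collections import Counter

# Constructed sample shaped like the AuthEvents list returned by the
# AdminListUserAuthEvents API (field names assumed to match that response).
SAMPLE_EVENTS = [
    {"EventId": "e1", "EventType": "SignIn", "EventResponse": "Pass",
     "EventRisk": {"RiskDecision": "NoRisk", "RiskLevel": "LOW",
                   "CompromisedCredentialsDetected": False},
     "EventContextData": {"IpAddress": "198.51.100.10", "Country": "US"}},
    {"EventId": "e2", "EventType": "SignIn", "EventResponse": "Pass",
     "EventRisk": {"RiskDecision": "AccountTakeover", "RiskLevel": "HIGH",
                   "CompromisedCredentialsDetected": True},
     "EventContextData": {"IpAddress": "203.0.113.7", "Country": "XX"}},
    {"EventId": "e3", "EventType": "PasswordChange", "EventResponse": "Fail",
     "EventRisk": {"RiskDecision": "AccountTakeover", "RiskLevel": "MEDIUM",
                   "CompromisedCredentialsDetected": False},
     "EventContextData": {"IpAddress": "203.0.113.7", "Country": "XX"}},
]


def summarize_auth_events(events, repeat_threshold=2):
    """Aggregate audit-mode findings: counts per risk level, events that hit
    the compromised-credentials list, risky sign-ins that still passed (what
    full-function mode would have blocked or stepped up), and source IPs
    that recur in account-takeover decisions (candidates for review)."""
    levels = Counter()
    compromised = []
    passed_despite_risk = []
    by_ip = Counter()
    for ev in events:
        risk = ev.get("EventRisk", {})
        levels[risk.get("RiskLevel", "UNKNOWN")] += 1
        if risk.get("CompromisedCredentialsDetected"):
            compromised.append(ev["EventId"])
        if risk.get("RiskDecision") == "AccountTakeover":
            by_ip[ev.get("EventContextData", {}).get("IpAddress", "?")] += 1
            if ev.get("EventResponse") == "Pass":
                passed_despite_risk.append(ev["EventId"])
    return {
        "risk_levels": dict(levels),
        "compromised_credentials": compromised,
        "passed_despite_risk": passed_despite_risk,
        "recurring_risky_ips": {ip: n for ip, n in by_ip.items()
                                if n >= repeat_threshold},
    }
```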

Email MFA

Extend the multi-factor authentication (MFA) capabilities of your user pool. By default, user pools can generate codes in an SMS message or with a private time-based one-time password (TOTP) key that you share with users' authenticator apps. With advanced security features and an Amazon SES email-sending configuration, you can activate email MFA for users in the user pool, set email as a preferred MFA method, and send MFA codes to a user's email address. For more information, see Email MFA.

Password reuse prevention

Users might go back and forth between a few remembered passwords. Compromised credentials detection in threat protection can mitigate some of the long-term effects of poor password management. A password-history policy takes care of the rest. With password reuse prevention, you can compare users' new passwords to their last n passwords, up to 24, and block the password-reset operation if there's a match.

Considerations and limitations for advanced security features

Threat protection options differ between authentication flows

Amazon Cognito supports both adaptive authentication and compromised-credentials detection with the authentication flows USER_PASSWORD_AUTH and ADMIN_USER_PASSWORD_AUTH. You can enable only adaptive authentication for USER_SRP_AUTH. You can't use threat protection with federated sign-in.

Always-block IPs contribute to request quotas

Blocked requests from IP addresses on an Always block exception list in your user pool contribute to the request rate quotas for your user pools.

Threat protection doesn't apply rate limits

Some malicious traffic has the characteristic of a high volume of requests, like distributed denial of service (DDoS) attacks. The risk ratings that Amazon Cognito applies to incoming traffic are per-request and don't take request volume into account. Individual requests in a high-volume event might receive a risk score and an automated response for application-layer reasons that aren't related to their role in a volumetric attack. To implement defenses against volumetric attacks in your user pools, add AWS WAF web ACLs. For more information, see Associating an AWS WAF web ACL with a user pool.

Threat protection doesn't affect M2M requests

Client credentials grants are intended for machine-to-machine (M2M) authorization with no connection to user accounts. Advanced security features only monitor user accounts and passwords in your user pool. To implement security features with your M2M activity, consider the capabilities of AWS WAF for monitoring request rates and content. For more information, see Associating an AWS WAF web ACL with a user pool.

Turning on advanced security features

Amazon Cognito user pools console

To activate advanced security features for a user pool
  1. Go to the Amazon Cognito console. If prompted, enter your AWS credentials.

  2. Choose User Pools.

  3. Choose an existing user pool from the list, or create a user pool.

  4. Choose the Advanced security tab and select Activate.

  5. Choose Save changes.

API

Set advanced security features active in a CreateUserPool or UpdateUserPool API request. The following partial example request body sets advanced security features to full-function mode. For a complete example request, see Examples.

"UserPoolAddOns": {
    "AdvancedSecurityMode": "ENFORCED"
}
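An added Python example, not from the Amazon Cognito documentation, that builds the request parameters for the full-function setup described on this page: the UserPoolAddOns fragment above plus a SetRiskConfiguration request (an existing Amazon Cognito API whose parameter names are assumed here) covering compromised-credentials blocking, adaptive authentication responses, and Always block / Always allow IP exceptions. The user pool ID is a placeholder, and values are validated before anything is sent.

```python
import ipaddress

VALID_MODES = ("OFF", "AUDIT", "ENFORCED")  # AdvancedSecurityMode values


def user_pool_addons(mode):
    """UserPoolAddOns fragment for a CreateUserPool/UpdateUserPool request."""
    if mode not in VALID_MODES:
        raise ValueError(f"AdvancedSecurityMode must be one of {VALID_MODES}")
    return {"UserPoolAddOns": {"AdvancedSecurityMode": mode}}


def _cidrs(ranges):
    # Normalize and validate CIDR ranges; a bare address becomes a /32.
    return [str(ipaddress.ip_network(r, strict=False)) for r in ranges]


def risk_configuration(user_pool_id, blocked=(), allowed=(), notify_arn=None):
    """Parameters for SetRiskConfiguration (assumed API shape) expressing the
    responses this page describes: block compromised credentials on sign-in,
    sign-up and password change; step up to MFA as adaptive-auth risk rises;
    notify the user by email only when an SES sender ARN is supplied."""
    notify = notify_arn is not None
    cfg = {
        "UserPoolId": user_pool_id,  # e.g. "us-east-1_PLACEHOLDER"
        "CompromisedCredentialsRiskConfiguration": {
            "EventFilter": ["SIGN_IN", "SIGN_UP", "PASSWORD_CHANGE"],
            "Actions": {"EventAction": "BLOCK"},
        },
        "AccountTakeoverRiskConfiguration": {
            "Actions": {
                "LowAction": {"Notify": notify, "EventAction": "NO_ACTION"},
                "MediumAction": {"Notify": notify,
                                 "EventAction": "MFA_IF_CONFIGURED"},
                "HighAction": {"Notify": notify, "EventAction": "MFA_REQUIRED"},
            }
        },
    }
    if notify:
        cfg["AccountTakeoverRiskConfiguration"]["NotifyConfiguration"] = {
            "SourceArn": notify_arn}
    if blocked or allowed:
        # Always block / Always allow exceptions: blocked ranges get no risk
        # score and cannot sign in; allowed ranges skip risk evaluation.
        cfg["RiskExceptionConfiguration"] = {
            "BlockedIPRangeList": _cidrs(blocked),
            "SkippedIPRangeList": _cidrs(allowed),
        }
    return cfg
```

The returned dicts can be passed unchanged as keyword arguments to the boto3 cognito-idp client's update_user_pool and set_risk_configuration calls.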