Using Amazon Cognito user pools security features
You might want to secure your application against network intrusion, password guessing, user impersonation, and malicious sign-up and sign-in. Your configuration of Amazon Cognito user pools security features can be a key component in your security architecture. The security of your application is a customer responsibility ("security in the cloud") as described in the AWS Shared Responsibility Model.
An important decision that you must make when you configure your user pool is whether to permit public sign-up and sign-in. Some user pool options, such as confidential clients, administrative creation and confirmation of users, and user pools without a domain, are less exposed to attacks over the internet. However, a common use case is public clients that accept sign-up from anyone on the internet and send all operations directly to your user pool. In any configuration, but especially in these public configurations, we recommend that you plan and deploy your user pool with security features in mind. Insufficient security can also affect your AWS bill when unwanted sources create new active users or attempt to exploit existing users.
MFA and threat protection apply to local users. Third-party IdPs are responsible for the security posture of federated users.
User pools security features
- Multi-factor authentication (MFA): Request a code that your user pool sends by email (with the Essentials or Plus feature plan) or SMS message, or from an authenticator app, to confirm user pool sign-in.
- Threat protection: Monitor sign-in for indicators of risk and apply MFA or block sign-in. Add custom claims and scopes to access tokens. Send MFA codes by email.
- AWS WAF web ACLs: Inspect incoming traffic to your user pool endpoints and authentication API for unwanted activity at the network and application layers.
- Case sensitivity: Prevent creation of users whose email address or preferred username is identical to another user's except for character case.
- Deletion protection: Prevent automated systems from accidentally deleting your user pools. Require additional confirmation of user pool deletion in the AWS Management Console.
- User existence errors: Guard against disclosure of existing usernames and aliases in your user pool. Return a generic error in response to unsuccessful authentication, whether the username is valid or not.
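Most of the features in this list surface as fields in the user pool and app client descriptions that the Cognito API returns, so you can audit a pool for weak settings without clicking through the console. The following script is an added example, not code from the AWS documentation. It reads the output of `aws cognito-idp describe-user-pool` and `aws cognito-idp describe-user-pool-client` (the field names `MfaConfiguration`, `UserPoolAddOns.AdvancedSecurityMode`, `DeletionProtection`, `UsernameConfiguration.CaseSensitive` and `PreventUserExistenceErrors` are the real API names; threat protection still appears in the API under its older name, advanced security) and reports which of the features above are off or weakened. The sample JSON is constructed for illustration, the pool and client IDs are placeholders, and the severities are this example's own judgement. AWS WAF association is not part of `describe-user-pool` and is not checked here.

```python
"""Audit an Amazon Cognito user pool description for weak security settings.

Added example, not AWS code. Input is the JSON that `aws cognito-idp
describe-user-pool` and `describe-user-pool-client` print; the embedded
SAMPLE_* documents are constructed and abbreviated for illustration.
"""
import json
import sys
from collections import defaultdict

# Constructed sample: a public-facing pool left at mostly default settings.
SAMPLE_POOL = {
    "UserPool": {
        "Id": "us-east-1_EXAMPLE",          # placeholder ID
        "Name": "example-pool",
        "MfaConfiguration": "OFF",          # OFF | ON | OPTIONAL
        "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"},  # OFF | AUDIT | ENFORCED
        "DeletionProtection": "INACTIVE",   # ACTIVE | INACTIVE
        "UsernameConfiguration": {"CaseSensitive": True},
    }
}
SAMPLE_CLIENTS = [
    {"UserPoolClient": {"ClientId": "publicclient1", "ClientName": "web-public",
                        "PreventUserExistenceErrors": "LEGACY"}},   # LEGACY | ENABLED
    {"UserPoolClient": {"ClientId": "serverclient2", "ClientName": "backend",
                        "PreventUserExistenceErrors": "ENABLED"}},
]


def audit_user_pool(pool_desc, client_descs):
    """Return a list of (severity, message) for settings weaker than the page recommends."""
    pool = pool_desc["UserPool"]
    addons = pool.get("UserPoolAddOns") or {}
    asm = addons.get("AdvancedSecurityMode", "OFF")   # threat protection mode
    findings = []

    # MFA: OFF means passwords alone protect every local user.
    mfa = pool.get("MfaConfiguration", "OFF")
    if mfa == "OFF":
        findings.append(("HIGH", "MfaConfiguration is OFF; set ON, or OPTIONAL with threat protection ENFORCED"))
    elif mfa == "OPTIONAL" and asm != "ENFORCED":
        findings.append(("MEDIUM", "MFA is OPTIONAL but threat protection is not ENFORCED, so risky sign-ins are never escalated to MFA"))

    # Threat protection: AUDIT only records risk; ENFORCED applies the adaptive MFA / block actions.
    if asm != "ENFORCED":
        findings.append(("MEDIUM", f"AdvancedSecurityMode is {asm}; ENFORCED is needed to act on risky sign-ins (Plus feature plan)"))

    # Deletion protection: absent on older pools, which the API treats as INACTIVE.
    if pool.get("DeletionProtection", "INACTIVE") != "ACTIVE":
        findings.append(("LOW", "DeletionProtection is INACTIVE; a scripted DeleteUserPool call succeeds without extra confirmation"))

    # Case sensitivity: immutable after pool creation, so flag it early.
    case_sensitive = (pool.get("UsernameConfiguration") or {}).get("CaseSensitive")
    if case_sensitive is True:
        findings.append(("MEDIUM", "UsernameConfiguration.CaseSensitive is true; Alice@example.com and alice@example.com can be separate users"))
    elif case_sensitive is None:
        findings.append(("INFO", "UsernameConfiguration not reported; confirm case sensitivity for this pool"))

    # User existence errors: checked per app client, since it is a client setting.
    for desc in client_descs:
        client = desc["UserPoolClient"]
        if client.get("PreventUserExistenceErrors", "LEGACY") != "ENABLED":
            findings.append(("MEDIUM", f"app client {client['ClientName']} ({client['ClientId']}): "
                                       "PreventUserExistenceErrors is LEGACY; UserNotFoundException reveals which usernames exist"))
    return findings


def case_collisions(identifiers):
    """Group usernames/emails that differ only by character case.

    These are exactly the duplicates a case-insensitive pool rejects at sign-up.
    """
    groups = defaultdict(list)
    for ident in identifiers:
        groups[ident.casefold()].append(ident)
    return {key: vals for key, vals in groups.items() if len(vals) > 1}


def main(argv):
    # Usage: audit.py pool.json [client.json ...]; with no arguments the constructed sample is audited.
    if len(argv) >= 2:
        with open(argv[1]) as fh:
            pool = json.load(fh)
        clients = []
        for path in argv[2:]:
            with open(path) as fh:
                clients.append(json.load(fh))
    else:
        pool, clients = SAMPLE_POOL, SAMPLE_CLIENTS
    for severity, message in audit_user_pool(pool, clients):
        print(f"[{severity}] {message}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against real output with `aws cognito-idp describe-user-pool --user-pool-id <id> > pool.json` and one `describe-user-pool-client` file per app client. The audit treats a missing `DeletionProtection` field as `INACTIVE`, which is how the API reports older pools, and it only reports on case sensitivity rather than trying to fix it, because that setting cannot be changed after the pool exists.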