Using Amazon Cognito user pools security features

You might want to secure your application against network intrusion, password guessing, user impersonation, and malicious sign-up and sign-in. Your configuration of Amazon Cognito user pools security features can be a key component in your security architecture. The security of your application is Customer responsibility "Security in the cloud" as described in the AWS Shared Responsibility Model. The tools in this chapter contribute to the ability of your application security design to be in line with these goals.

An important decision that you must make when you configure your user pool is whether to permit public sign-up and sign-in. Some user pool option like confidential clients, administrative creation and confirmation of users, and user pools without a domain, are subject to a smaller degree to attacks over the internet. However, a common use case is public clients that accept sign-up from anyone on the internet and send all operations directly to your user pool. In any configuration, but especially in the case of these public configurations, we recommend that you plan and deploy your user pool with security features in mind. Insufficient security can also affect your AWS bill when unwanted sources create new active users or attempt to exploit existing users.

MFA and advanced security features apply to local users. Third-party IdPs are responsible for the security posture of federated users.

User pools security features

Multi-factor authentication (MFA): Request a code that your user pool send by SMS message, or from an authenticator app, to confirm user pool sign-in.
Advanced security features: Monitor sign-in for indicators of risk and apply MFA or block sign-in. Add custom claims and scopes to access tokens. Send MFA codes by email.
AWS WAF web ACLs: Inspect incoming traffic to your user pool endpoints and authentication API for unwanted activity at the network and application layers.
Case sensitvity: Prevent creation of users whose email address or preferred username is identical to another user except for character case.
Deletion protection: Prevent automated systems from accidentally deleting your user pools. Require additional confirmation of user pool deletion in the AWS Management Console.
User existence errors: Guard against disclosure of existing usernames and aliases in your user pool. Return a generic error in response to unsuccessful authentication, whether the username is valid or not.

Topics

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Accessing AWS resources using an identity pool

Adding MFA