Profile Applicability:

  • Level 1

Description:

Amazon Cognito provides user authentication and access management services for web and mobile applications. One of the advanced security features of Amazon Cognito User Pools is the ability to detect and block sign-ins from users with suspected compromised credentials. Enabling this feature allows Cognito to automatically block any suspicious or anomalous sign-in attempts and protect your users from unauthorized access, helping to ensure the integrity of your authentication system.

Rationale:

  • Security: Enabling advanced security features in Cognito User Pools helps detect and block potentially malicious sign-ins from users whose credentials may have been compromised (e.g., due to phishing or data breaches).

  • Compliance: Many regulatory frameworks such as SOC 2, HIPAA, and PCI-DSS require measures to prevent unauthorized access, including blocking access for users with suspicious sign-ins.

  • Best Practices: Enabling this feature follows security best practices to minimize the risk of credential stuffing, brute force, and other forms of account compromise.

Impact:

Pros:

  • Enhanced Security: Automatically blocks compromised accounts from accessing your applications, reducing the risk of unauthorized access.

  • Compliance: Helps meet compliance standards by mitigating the risk of compromised credentials and ensuring access controls are in place.

  • Automated Protection: Reduces the burden on administrators by automatically detecting and blocking suspicious activities.

Cons:

  • False Positives: Legitimate users might sometimes be flagged as suspicious, causing temporary access issues. It's important to review and manage user feedback to prevent unnecessary disruptions.

  • Additional Overhead: Enabling advanced security features may require additional configuration and monitoring to ensure it aligns with organizational security needs.

Default Value:

By default, Amazon Cognito does not enable advanced security features for detecting and blocking compromised credentials. This must be explicitly configured in the Cognito User Pool settings.

Pre-requisite:

  • AWS IAM Permissions:

    • cognito-idp:DescribeUserPool

    • cognito-idp:UpdateUserPool

  • AWS CLI installed and configured.

  • Cognito User Pool created and operational.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. Select User Pools and choose the user pool to check.

  4. Under General settings, select Advanced security.

  5. Verify that the Compromised credentials feature is enabled.

    • If enabled, it will display as "Enabled" under Advanced security settings.

    • If not, proceed with enabling it as per the Implementation Steps below.

Using AWS CLI:

  1. To describe the Cognito User Pool and check the advanced security features, run:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.UserPoolAddOns.AdvancedSecurityMode'

  2. The advanced security mode lives in the UserPoolAddOns block of the response, so the query above prints the bare value. If the output is "ENFORCED", advanced security features are enabled and enforced.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito.

  3. In the Cognito Console, select User Pools and choose the user pool you want to update.

  4. Under General settings, select Advanced security.

  5. Enable Advanced security features by selecting ENFORCED under Advanced security mode.

  6. Save the changes to enable the detection of compromised credentials.

Using AWS CLI:

  1. To enable advanced security features and block sign-ins from users with suspected compromised credentials, run the following command (the mode is set through the UserPoolAddOns parameter, and update-user-pool resets any user pool setting you do not pass on the command line to its default, so carry over the pool's existing configuration in the same call):

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --user-pool-add-ons AdvancedSecurityMode=ENFORCED

  2. Verify the change by running:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.UserPoolAddOns.AdvancedSecurityMode'

  3. Ensure that the result is ENFORCED.
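The test plan and the verification step above both come down to reading one value out of the describe-user-pool response. The following script is an added example, not part of this benchmark or of any AWS tooling: it evaluates saved or piped describe-user-pool JSON offline with only the Python standard library and treats ENFORCED as the only passing value, because AUDIT mode records risk without blocking any sign-in, and a pool that has never had add-ons configured omits the UserPoolAddOns block entirely (which a --query prints as null). The user pool IDs in the sample responses are constructed for illustration.

```python
# Added example (not from the benchmark text): decide whether a Cognito user
# pool meets this recommendation from the JSON that
# `aws cognito-idp describe-user-pool` prints.  Standard library only, so the
# check runs offline on saved output.  The sample responses at the bottom are
# constructed for illustration; the pool IDs are not real.
import json
import sys

VALID_MODES = ("OFF", "AUDIT", "ENFORCED")

# One-line verdicts keyed by mode; ENFORCED is the only passing state.
FINDINGS = {
    "ENFORCED": "PASS: sign-ins with suspected compromised credentials are blocked",
    "AUDIT": "FAIL: AUDIT mode only records risk; no sign-in is blocked",
    "OFF": "FAIL: advanced security features are disabled",
}


def _pool(document):
    """Accept the full describe-user-pool response or just its UserPool object."""
    if isinstance(document, dict) and "UserPool" in document:
        return document["UserPool"]
    return document if isinstance(document, dict) else {}


def advanced_security_mode(document) -> str:
    """Return the pool's AdvancedSecurityMode, defaulting to OFF.

    Handles three shapes of input: the whole response, a bare --query result
    such as "ENFORCED" or ENFORCED (--output text), and a pool with no
    UserPoolAddOns block at all, which must read as OFF rather than raise.
    """
    if isinstance(document, str):
        mode = document.strip().strip('"').upper()
        return mode if mode in VALID_MODES else "OFF"
    add_ons = _pool(document).get("UserPoolAddOns") or {}
    mode = str(add_ons.get("AdvancedSecurityMode", "OFF")).upper()
    return mode if mode in VALID_MODES else "OFF"


def evaluate(document) -> dict:
    """Classify one pool against the recommendation."""
    mode = advanced_security_mode(document)
    return {
        "UserPoolId": _pool(document).get("Id", "<unknown>"),
        "AdvancedSecurityMode": mode,
        "Compliant": mode == "ENFORCED",
        "Finding": FINDINGS[mode],
    }


def main() -> int:
    """Read describe-user-pool output from stdin; exit 0 only when compliant."""
    raw = sys.stdin.read()
    try:
        document = json.loads(raw)   # full response, "ENFORCED", or null
    except json.JSONDecodeError:
        document = raw               # bare value from --output text
    result = evaluate(document if document is not None else {})
    print(json.dumps(result, indent=2))
    return 0 if result["Compliant"] else 1


# Constructed sample responses (not real pools) covering the three cases.
SAMPLE_ENFORCED = {"UserPool": {"Id": "us-east-1_EXAMPLE01",
                                "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"}}}
SAMPLE_AUDIT = {"UserPool": {"Id": "us-east-1_EXAMPLE02",
                             "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"}}}
SAMPLE_NO_ADDONS = {"UserPool": {"Id": "us-east-1_EXAMPLE03"}}   # never configured

if __name__ == "__main__":
    sys.exit(main())
```

Run it as `aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> | python3 cognito_asf_check.py`; the non-zero exit status on AUDIT or OFF lets the check sit in a scripted audit loop over every pool in the account.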

Backout Plan:

Using AWS Console:

  1. If the change to Advanced Security causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito and select the User Pool.

  3. Under General Settings, go to Policies and disable Advanced Security.

  4. Save the changes.

Using AWS CLI:

  1. To disable Advanced Security, run the following command:

    aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --user-pool-add-ons AdvancedSecurityMode=OFF --region <REGION>

  2. Verify that the change has been applied by describing the User Pool again:

    aws cognito-idp describe-user-pool --user-pool-id <USER_POOL_ID> --region <REGION>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                            | IG1 | IG2 | IG3
  --------|------------|----------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                           |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.       |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                |     |     |