Profile Applicability:
Level 1
Description:
Amazon Cognito User Pools are used to manage user authentication and store user profiles. Token revocation is a security mechanism that ensures access tokens (such as ID and refresh tokens) are invalidated when necessary, such as after a user logs out, a password is changed, or an account is compromised. Enabling token revocation ensures that users' access to your application is promptly terminated, enhancing security by preventing unauthorized access with stale or invalid tokens.
Rationale:
Security: Token revocation prevents unauthorized access by ensuring that tokens used by compromised or inactive users cannot be used for authentication.
Compliance: Many security frameworks (e.g., SOC 2, PCI-DSS, HIPAA) require token revocation as part of session management and user access control policies.
Operational Control: Token revocation allows better control over user sessions and the ability to enforce access controls more effectively.
Impact:
Pros:
Improved Security: Ensures that access tokens are revoked in cases of user inactivity or compromise.
Compliance: Helps meet security requirements for session management and authentication.
User Control: Allows administrators to revoke access tokens for users if necessary (e.g., for compromised accounts).
Cons:
Operational Complexity: Requires proper management of token expiration and revocation, adding some complexity to your application logic.
Performance Overhead: In some cases, frequent token revocations might add some load on authentication systems due to constant validation.
Default Value:
By default, Amazon Cognito does not have token revocation enabled. Token revocation must be explicitly configured for the user pool to ensure that access tokens are properly invalidated when necessary.
Pre-requisite:
AWS IAM Permissions:
cognito-idp:DescribeUserPool
cognito-idp:UpdateUserPool
AWS CLI installed and configured.
Cognito User Pool created and operational.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Cognito under Services.
Select the User Pools.
Choose the user pool to check for token revocation configuration.
Under the App client settings, check the Token revocation option.
If token revocation is enabled, you will see that the configuration for token revocation is set.
If it is not enabled, you will see an option to enable it.
If token revocation is not enabled, follow the Implementation Steps below to enable it.
Using AWS CLI:
To describe the Cognito User Pool and check the token revocation status, run:
aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.TokenRevocation'
The output will indicate whether token revocation is enabled or not.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Amazon Cognito.
In the Cognito Console, select User Pools and choose the user pool.
Under App client settings, enable Token Revocation.
Review and save the changes to enable token revocation.
Using AWS CLI:
To enable token revocation for a Cognito User Pool, run the following command:
aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --token-revocation-enabled true
To verify the change, run:
aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.TokenRevocation'
Backout Plan:
Using AWS Console:
If enabling token revocation causes issues, sign in to the AWS Management Console.
Navigate to Amazon Cognito and select the User Pool.
Under App Clients, choose the relevant App Client.
Uncheck Enable token revocation to disable it.
Save the changes.
Using AWS CLI:
To disable token revocation for an App Client, run the following command:
aws cognito-idp update-user-pool-client --user-pool-id <USER_POOL_ID> --client-id <CLIENT_ID> --revocation-enabled false --region <REGION>
Verify that token revocation has been disabled by describing the User Pool again:
aws cognito-idp describe-user-pool-client --user-pool-id <USER_POOL_ID> --client-id <CLIENT_ID>
