Profile Applicability:

  • Level 2

Description:

Amazon Cognito User Pools provide a fully managed user directory and authentication for web and mobile apps. Advanced Security features in Cognito User Pools provide enhanced protection against potential threats such as compromised accounts, fraud, and malicious sign-in attempts. This SOP ensures that Advanced Security is enabled with full functionality in Cognito User Pools. This includes features such as adaptive authentication, multi-factor authentication (MFA), and risk-based authentication, helping protect user accounts from unauthorized access.

Rationale:

  • Security: Enabling Advanced Security features in Cognito User Pools helps prevent unauthorized access and provides better detection and mitigation of account compromises or fraudulent activity.

  • Compliance: Compliance frameworks, such as SOC 2 and HIPAA, require enhanced security features to protect user data, including advanced authentication and fraud prevention mechanisms.

  • Best Practices: Advanced Security improves the protection of sensitive user data and strengthens the security posture of authentication processes, reducing risks associated with brute force and fraud attempts.

Impact:

Pros:

  • Enhanced Security: Advanced Security features like adaptive authentication and MFA protect user accounts against unauthorized access, improving overall security.

  • Fraud Prevention: Risk-based authentication helps detect and prevent fraud, ensuring legitimate users are not incorrectly blocked while identifying suspicious activity.

  • Compliance: Helps meet security and compliance requirements for strong authentication mechanisms, improving trust with users.

Cons:

  • User Inconvenience: Advanced security features may require additional steps for users during sign-in (e.g., MFA), which can create friction in the user experience.

  • Configuration Complexity: Setting up advanced security features may require careful planning and additional configuration steps.

Default Value:

By default, Advanced Security features are not enabled in Amazon Cognito User Pools. These features must be explicitly enabled by the administrator.

Pre-requisite:

  • AWS IAM Permissions:

    • cognito-idp:DescribeUserPool

    • cognito-idp:UpdateUserPool

  • AWS CLI installed and configured.

  • Cognito User Pool is set up and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. In the Cognito Dashboard, select User Pools.

  4. Choose the User Pool you want to configure.

  5. Under User Pool Settings, navigate to the Advanced Security section.

  6. Verify that Advanced Security is enabled with full functionality:

    • Adaptive Authentication should be enabled to adjust security checks based on risk levels.

    • MFA should be enabled as an additional layer of security.

    • Risk-based authentication should be activated to assess sign-in attempts and detect unusual patterns.

  7. If any of these features are not enabled, proceed with enabling them as described in the Implementation Steps below.

Using AWS CLI:

  1. To describe the Cognito User Pool and check if Advanced Security features are enabled, run:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.{AdvancedSecurityMode:UserPoolAddOns.AdvancedSecurityMode,MfaConfiguration:MfaConfiguration}'

  2. Review the output to confirm that Advanced Security features are enabled. If these features are not enabled, proceed with the configuration in the Implementation Steps.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon Cognito.

  2. In the Cognito Dashboard, select User Pools and choose the User Pool you want to modify.

  3. Under User Pool Settings, go to the Advanced Security section.

  4. Enable Advanced Security features with full functionality:

    • Enable Adaptive Authentication: This automatically adjusts security measures based on the risk level of the sign-in attempt.

    • Enable Multi-Factor Authentication (MFA): This enforces an additional layer of authentication to verify user identity.

    • Enable Risk-based Authentication: This helps detect malicious or risky behavior such as high-risk IP addresses or fraudulent sign-ins.

  5. Save the changes to apply Advanced Security settings.

Using AWS CLI:

  1. To enable Advanced Security with full functionality, including MFA, adaptive authentication, and risk-based authentication, run the following commands (the first sets the Advanced Security mode, MFA and password policy on the pool; the second configures the actions taken on compromised-credential and account-takeover risk events):

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --user-pool-add-ons AdvancedSecurityMode=ENFORCED --mfa-configuration ON --policies '{"PasswordPolicy": {"MinimumLength": 8, "RequireUppercase": true, "RequireLowercase": true, "RequireNumbers": true, "RequireSymbols": true}}'

    aws cognito-idp set-risk-configuration --user-pool-id <user-pool-id> --compromised-credentials-risk-configuration '{"Actions": {"EventAction": "BLOCK"}}' --account-takeover-risk-configuration '{"Actions": {"LowAction": {"Notify": false, "EventAction": "NO_ACTION"}, "MediumAction": {"Notify": false, "EventAction": "MFA_IF_CONFIGURED"}, "HighAction": {"Notify": false, "EventAction": "MFA_REQUIRED"}}}'

  2. Verify the update by running:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.{AdvancedSecurityMode:UserPoolAddOns.AdvancedSecurityMode,MfaConfiguration:MfaConfiguration}'

  3. Ensure Advanced Security settings are configured correctly with the necessary features enabled.
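The Test Plan and the verification step above both ask the operator to "review the output" of describe-user-pool by eye. The script below is an added example (not part of this SOP and not an AWS tool) that evaluates the JSON returned by `aws cognito-idp describe-user-pool` and `aws cognito-idp describe-risk-configuration` against the three conditions the Test Plan lists: Advanced Security ENFORCED (AUDIT only records risk events without acting on them), MFA ON, and risk-based actions configured for compromised credentials and account takeover. The two sample responses are constructed and trimmed to the fields the check reads; the field names follow the Cognito API (`UserPool.UserPoolAddOns.AdvancedSecurityMode`, `UserPool.MfaConfiguration`, `RiskConfiguration.*`). The function names and the file-argument usage are this example's own choices.

```python
import json
import sys

# Constructed sample of `aws cognito-idp describe-user-pool` output for a pool that
# meets the SOP (assumption: trimmed to the fields this check reads; real output
# carries many more attributes).
COMPLIANT_POOL = json.loads("""
{
  "UserPool": {
    "Id": "us-east-1_EXAMPLE",
    "MfaConfiguration": "ON",
    "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"}
  }
}
""")

# Constructed sample of `aws cognito-idp describe-risk-configuration` output for the same pool.
COMPLIANT_RISK = json.loads("""
{
  "RiskConfiguration": {
    "UserPoolId": "us-east-1_EXAMPLE",
    "CompromisedCredentialsRiskConfiguration": {
      "EventFilter": ["SIGN_IN", "PASSWORD_CHANGE", "SIGN_UP"],
      "Actions": {"EventAction": "BLOCK"}
    },
    "AccountTakeoverRiskConfiguration": {
      "Actions": {
        "LowAction": {"Notify": true, "EventAction": "NO_ACTION"},
        "MediumAction": {"Notify": true, "EventAction": "MFA_IF_CONFIGURED"},
        "HighAction": {"Notify": true, "EventAction": "MFA_REQUIRED"}
      }
    }
  }
}
""")

# Constructed sample of a pool on which Advanced Security was never turned on: the
# UserPoolAddOns key is absent entirely, MFA is optional, and no risk actions exist.
NONCOMPLIANT_POOL = json.loads('{"UserPool": {"Id": "us-east-1_EXAMPLE", "MfaConfiguration": "OPTIONAL"}}')
NONCOMPLIANT_RISK = json.loads('{"RiskConfiguration": {"UserPoolId": "us-east-1_EXAMPLE"}}')


def check_advanced_security(user_pool: dict, risk_config: dict) -> list:
    """Return a list of findings for the pool; an empty list means the SOP conditions hold."""
    findings = []
    pool = user_pool.get("UserPool", {})

    # A pool that never had Advanced Security enabled has no UserPoolAddOns at all:
    # treat a missing key the same as OFF rather than failing on a KeyError.
    mode = pool.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF")
    if mode != "ENFORCED":
        findings.append(f"AdvancedSecurityMode is {mode}; expected ENFORCED "
                        "(AUDIT only logs risk events, it does not block or require MFA)")

    mfa = pool.get("MfaConfiguration", "OFF")
    if mfa != "ON":
        findings.append(f"MfaConfiguration is {mfa}; expected ON")

    # Pool-level risk configuration. A client that was given its own configuration
    # overrides this one, so run the check again per app client where that applies.
    rc = risk_config.get("RiskConfiguration", {})
    cc_action = (rc.get("CompromisedCredentialsRiskConfiguration", {})
                   .get("Actions", {}).get("EventAction", "NO_ACTION"))
    if cc_action != "BLOCK":
        findings.append(f"Compromised-credentials action is {cc_action}; expected BLOCK")

    ato = rc.get("AccountTakeoverRiskConfiguration", {}).get("Actions", {})
    high = ato.get("HighAction", {}).get("EventAction", "NO_ACTION")
    if high not in ("BLOCK", "MFA_REQUIRED"):
        findings.append(f"High-risk account-takeover action is {high}; expected BLOCK or MFA_REQUIRED")
    medium = ato.get("MediumAction", {}).get("EventAction", "NO_ACTION")
    if medium == "NO_ACTION":
        findings.append("Medium-risk account-takeover action is NO_ACTION; expected at least MFA_IF_CONFIGURED")

    return findings


if __name__ == "__main__":
    # Usage: save the two CLI responses to files, then
    #   python check_cognito.py pool.json risk.json
    # Without arguments the constructed samples are evaluated instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            pool_doc = json.load(f)
        with open(sys.argv[2]) as f:
            risk_doc = json.load(f)
    else:
        pool_doc, risk_doc = NONCOMPLIANT_POOL, NONCOMPLIANT_RISK
    result = check_advanced_security(pool_doc, risk_doc)
    print("COMPLIANT" if not result else "\n".join("FINDING: " + r for r in result))
    sys.exit(1 if result else 0)
```

One caveat for the update step itself: update-user-pool resets every attribute that is not passed on the command line to its default value, so run describe-user-pool first and carry the existing settings (Lambda triggers, email configuration, schema-related options and so on) forward in the same call rather than passing only the Advanced Security flags.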

Backout Plan:

Using AWS Console:

  1. If enabling Advanced Security with full functionality causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito and select the User Pool.

  3. Under General Settings, go to Advanced Security and disable Advanced Security or set the security mode to OFF.

  4. Save the changes.

Using AWS CLI:

  1. To disable Advanced Security, run the following command:

    aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --user-pool-add-ons AdvancedSecurityMode=OFF --region <REGION>

  2. Verify that Advanced Security has been disabled by describing the User Pool again:

    aws cognito-idp describe-user-pool --user-pool-id <USER_POOL_ID> --region <REGION>

References:

CIS Controls Mapping:

  Version   Control ID   Control Description                                                                                                  IG1   IG2   IG3
  v8        3.4          Encrypt Data on End-User Devices – Ensure data encryption during file system access.
  v8        6.7          Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.
  v8        6.8          Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.
  v8        14.6         Protect Information Through Access Control Lists – Apply strict access control to file systems.