Profile Applicability:
- Level 1
Description:
Amazon Cognito provides user authentication and management services, and securing sign-ins is crucial for preventing malicious access attempts. To help secure user pools, Cognito offers features that allow the blocking of malicious sign-in attempts, such as brute-force login attempts and login attempts with stolen credentials. This SOP ensures that the Cognito User Pool is configured to block these attempts using features like adaptive authentication, multi-factor authentication (MFA), and account lockout policies.
Rationale:
Security: Blocking malicious sign-ins helps prevent unauthorized access and data breaches by identifying and mitigating brute-force attacks, stolen credentials, and other malicious activities.
Compliance: Many compliance frameworks (e.g., PCI-DSS, HIPAA) require robust security measures to protect user authentication data from unauthorized access.
Best Practices: Ensuring that Cognito User Pools are configured to block malicious sign-ins aligns with security best practices for user authentication.
Impact:
Pros:
Reduced Risk of Unauthorized Access: By blocking malicious attempts, the risk of unauthorized access to sensitive data is minimized.
Protection Against Brute-Force Attacks: Prevents attackers from attempting multiple password guesses.
Enhanced Security: Improved defense against credential stuffing and other forms of attack, including the use of weak passwords.
Cons:
User Impact: Legitimate users who repeatedly enter wrong sign-in details could be temporarily locked out or challenged with MFA, which is an inconvenience and can generate support requests.
Additional Configuration: May require configuring adaptive authentication and MFA policies, which adds to the setup and maintenance complexity.
Default Value:
By default, Amazon Cognito does not block sign-in attempts or enforce adaptive authentication or MFA. These protections must be configured manually.
Pre-requisite:
AWS IAM Permissions:
cognito-idp:DescribeUserPool
cognito-idp:UpdateUserPool
cognito-idp:DescribeRiskConfiguration
cognito-idp:SetRiskConfiguration
AWS CLI installed and configured.
Cognito User Pool is set up and operational.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Cognito under Services.
In the Cognito Dashboard, select User Pools.
Select the User Pool to check and review its sign-in settings under Security or MFA and verifications.
Ensure that adaptive authentication (e.g., risk-based MFA) is enabled and configured to detect and block malicious sign-ins.
Check that multi-factor authentication (MFA) is configured for enhanced security, especially for high-risk sign-in attempts.
Ensure the account lockout settings are configured to lock accounts after several failed login attempts.
Using AWS CLI:
To describe the Cognito User Pool and verify its MFA setting and advanced security mode (adaptive authentication requires AdvancedSecurityMode to be ENFORCED):
aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.[MfaConfiguration,UserPoolAddOns]'
To check if adaptive authentication is enabled, run:
aws cognito-idp describe-risk-configuration --user-pool-id <user-pool-id> --query 'RiskConfiguration'
Review the output to ensure that the configuration aligns with best practices for blocking malicious sign-ins.
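As an added example (not part of this SOP), the following Python check applies the test-plan criteria to the JSON returned by the two describe commands above. The embedded sample documents are constructed, not captured from a real pool; the field and action names are those used by the Cognito DescribeUserPool and DescribeRiskConfiguration APIs.

```python
import json

# Constructed sample output (not from a real pool) of:
#   aws cognito-idp describe-user-pool --user-pool-id <user-pool-id>
#   aws cognito-idp describe-risk-configuration --user-pool-id <user-pool-id>
SAMPLE_USER_POOL = json.loads("""{"UserPool": {"Id": "<user-pool-id>",
  "MfaConfiguration": "OPTIONAL",
  "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"}}}""")
SAMPLE_RISK_CONFIG = json.loads("""{"RiskConfiguration": {"UserPoolId": "<user-pool-id>",
  "CompromisedCredentialsRiskConfiguration": {"Actions": {"EventAction": "NO_ACTION"}},
  "AccountTakeoverRiskConfiguration": {"Actions": {
    "LowAction": {"Notify": true, "EventAction": "NO_ACTION"},
    "MediumAction": {"Notify": true, "EventAction": "MFA_IF_CONFIGURED"},
    "HighAction": {"Notify": true, "EventAction": "MFA_IF_CONFIGURED"}}}}}""")


def audit_sign_in_protection(user_pool_doc, risk_doc):
    """Return findings for settings that leave malicious sign-ins unblocked.

    An empty list means the pool satisfies this SOP's checks.
    """
    findings = []
    pool = user_pool_doc.get("UserPool", {})
    if pool.get("MfaConfiguration") != "ON":
        findings.append("MfaConfiguration is not ON: MFA is not required for all users")
    # Risk actions only take effect when advanced security is ENFORCED (AUDIT only logs).
    mode = pool.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF")
    if mode != "ENFORCED":
        findings.append(f"AdvancedSecurityMode is {mode}: risk actions are not enforced")
    risk = risk_doc.get("RiskConfiguration", {})
    cc = risk.get("CompromisedCredentialsRiskConfiguration", {}).get("Actions", {})
    if cc.get("EventAction") != "BLOCK":
        findings.append("compromised (stolen) credential sign-ins are not blocked")
    ato = risk.get("AccountTakeoverRiskConfiguration", {}).get("Actions", {})
    high = ato.get("HighAction", {}).get("EventAction")
    if high != "BLOCK":
        findings.append(f"HighAction is {high}: high-risk sign-ins are not blocked")
    medium = ato.get("MediumAction", {}).get("EventAction")
    if medium in (None, "NO_ACTION"):
        findings.append("MediumAction takes no action on medium-risk sign-ins")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit.py user-pool.json risk-config.json (defaults to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            docs = (json.load(f1), json.load(f2))
    else:
        docs = (SAMPLE_USER_POOL, SAMPLE_RISK_CONFIG)
    for finding in audit_sign_in_protection(*docs) or ["no findings"]:
        print(finding)
```

Save the output of the two describe commands to files and pass them as the two arguments; any printed finding is a deviation from this SOP.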
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Cognito.
In the Cognito Dashboard, select User Pools and choose the User Pool to modify.
Under MFA and verifications:
Ensure that multi-factor authentication (MFA) is enabled, especially for high-risk sign-in attempts.
Enable adaptive authentication and configure it to detect suspicious activities, such as unfamiliar IP addresses or devices.
Under Risk Configuration, enable account lockout settings to block access after a specific number of failed login attempts.
Save changes to apply the configurations to the Cognito User Pool.
Using AWS CLI:
To require MFA and turn on advanced security (the prerequisite for adaptive authentication) for a Cognito User Pool, run:
aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --mfa-configuration ON --user-pool-add-ons AdvancedSecurityMode=ENFORCED
Note: update-user-pool resets any attribute that is not passed to its default value, so describe the pool first and include its existing settings (password policy, email configuration, etc.) in the same call. Cognito also rejects MfaConfiguration ON unless at least one MFA method (SMS or software token) is enabled for the pool.
To configure the risk-based actions (block sign-ins with compromised credentials, block high-risk sign-ins, require MFA for medium-risk sign-ins, and notify the user), run:
aws cognito-idp set-risk-configuration --user-pool-id <user-pool-id> \
  --compromised-credentials-risk-configuration '{"EventFilter": ["SIGN_IN", "PASSWORD_CHANGE", "SIGN_UP"], "Actions": {"EventAction": "BLOCK"}}' \
  --account-takeover-risk-configuration '{"NotifyConfiguration": {"SourceArn": "<ses-verified-identity-arn>"}, "Actions": {"LowAction": {"Notify": true, "EventAction": "NO_ACTION"}, "MediumAction": {"Notify": true, "EventAction": "MFA_REQUIRED"}, "HighAction": {"Notify": true, "EventAction": "BLOCK"}}}'
SourceArn is the Amazon SES verified identity used to send the notification emails; set Notify to false and omit NotifyConfiguration if no user notifications are wanted.
Verify the configuration by checking the risk configuration:
aws cognito-idp describe-risk-configuration --user-pool-id <user-pool-id> --query 'RiskConfiguration'
Backout Plan:
Using AWS Console:
If enabling Advanced Security causes issues, sign in to the AWS Management Console.
Navigate to Amazon Cognito and select the User Pool.
Under General Settings, go to Advanced Security and disable Advanced Security or set the security mode to OFF.
Save the changes.
Using AWS CLI:
To disable Advanced Security for the User Pool, run the following command (as above, update-user-pool resets attributes that are not passed to their defaults, so include the pool's other existing settings in the same call):
aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --user-pool-add-ons AdvancedSecurityMode=OFF --region <REGION>
Verify that Advanced Security has been disabled by describing the User Pool again:
aws cognito-idp describe-user-pool --user-pool-id <USER_POOL_ID> --region <REGION>