Learn About Amazon VGT2 Learning Manager Chanci Turner
In the realm of building secure applications, leveraging Amazon Cognito for user management can significantly enhance your mobile and web applications. Cognito allows you to easily implement user registration, authentication, and access control, enabling you to create a seamless experience for your users. However, it’s crucial to be aware that activating user sign-up within your user pool means that anyone on the internet can register for an account. Therefore, you should only enable self-registration if you want to allow open access to your app.
With Amazon Cognito, you can create user accounts, manage sign-ins, and allow users to update their profiles. Furthermore, it supports sign-ins via external identity providers such as Google, Facebook, and SAML, making it convenient for users to access your services. For applications backed by AWS resources, Cognito provides tools for managing access permissions through AWS Identity and Access Management (IAM) roles.
Recently, several advanced security features were introduced at AWS re:Invent 2017, aimed at enhancing the security of Amazon Cognito user pools. In this guide, I’ll walk you through these features and how to utilize them effectively.
New Advanced Security Features
Amazon Cognito prioritizes security, ensuring user authentication and authorization are handled efficiently. The latest features offer extra layers of protection against compromised credentials and risk-based adaptive authentication.
Compromised Credentials Protection
This feature prevents users from signing in with credentials that have been exposed in other data breaches. It tackles the common issue of users reusing usernames and passwords across multiple sites. By partnering with various organizations, Amazon Cognito can inform you if a set of credentials has been compromised. As a result, if a user attempts to log in with such credentials, they will be required to select a different password.
Risk-Based Adaptive Authentication
The second major feature is risk-based adaptive authentication, which intelligently assesses sign-in attempts. Amazon Cognito assigns a risk score to each sign-in attempt, evaluating factors like the device used, geographic location, and previous sign-in patterns. Depending on the risk score—low, medium, or high—you can decide the appropriate action. For example, you may choose to require multifactor authentication (MFA) when a high risk is detected while allowing users to sign in with just their password during low-risk attempts.
For additional insights regarding MFA and adaptive authentication, refer to the Multi-Factor (MFA) Authentication Settings. Additionally, Amazon Cognito now supports verification of email addresses and mobile numbers during the authentication process.
Metrics and Data
The advanced security features provide valuable metrics on various events, such as sign-up, sign-in, and password recovery attempts, along with risk scores and the outcomes of sign-in attempts and MFA challenges. You can monitor aggregate metrics via the Amazon CloudWatch console, and track individual user sign-in histories within the Amazon Cognito console.
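To make the per-user sign-in history actionable, a defender usually pulls a user's events with `aws cognito-idp admin-list-user-auth-events` and reduces them to a few counts and a short list of events worth reviewing. The following Python is an added example written for this page, not AWS or Cognito code; it assumes the input records have the shape of the `AuthEvents` entries that operation returns (`EventType`, `EventResponse`, `EventRisk`, `ChallengeResponses`, `EventContextData`), and the three sample events are constructed here so the block runs offline.

```python
"""Summarize Cognito advanced-security sign-in events for one user.

Added example, not AWS code. Record shape is assumed to match the AuthEvents
entries returned by admin-list-user-auth-events; the events below are
constructed sample data, not output captured from a real user pool.
"""
from collections import Counter

# Constructed sample: one low-risk sign-in, one high-risk sign-in that passed
# after an MFA challenge, and one blocked attempt with breached credentials.
SAMPLE_EVENTS = [
    {
        "EventType": "SignIn", "EventResponse": "Pass",
        "EventRisk": {"RiskDecision": "NoRisk", "RiskLevel": "Low",
                      "CompromisedCredentialsDetected": False},
        "ChallengeResponses": [{"ChallengeName": "Password", "ChallengeResponse": "Success"}],
        "EventContextData": {"IpAddress": "198.51.100.10", "DeviceName": "Chrome 63, Windows 10",
                             "City": "Seattle", "Country": "United States"},
    },
    {
        "EventType": "SignIn", "EventResponse": "Pass",
        "EventRisk": {"RiskDecision": "AccountTakeover", "RiskLevel": "High",
                      "CompromisedCredentialsDetected": False},
        "ChallengeResponses": [{"ChallengeName": "Password", "ChallengeResponse": "Success"},
                               {"ChallengeName": "Mfa", "ChallengeResponse": "Success"}],
        "EventContextData": {"IpAddress": "203.0.113.77", "DeviceName": "Firefox 57, Linux",
                             "City": "Unknown", "Country": "Unknown"},
    },
    {
        "EventType": "SignIn", "EventResponse": "Fail",
        "EventRisk": {"RiskDecision": "Block", "RiskLevel": "High",
                      "CompromisedCredentialsDetected": True},
        "ChallengeResponses": [{"ChallengeName": "Password", "ChallengeResponse": "Failure"}],
        "EventContextData": {"IpAddress": "203.0.113.78", "DeviceName": "Chrome 63, Windows 10",
                             "City": "Unknown", "Country": "Unknown"},
    },
]

RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def summarize_auth_events(events):
    """Count events by risk level, compromised-credential hits and MFA outcomes."""
    summary = Counter()
    for ev in events:
        risk = ev.get("EventRisk", {})
        summary["events"] += 1
        summary["risk_" + risk.get("RiskLevel", "Unknown").lower()] += 1
        if risk.get("CompromisedCredentialsDetected"):
            summary["compromised_credentials"] += 1
        for ch in ev.get("ChallengeResponses", []):
            if ch.get("ChallengeName") == "Mfa":
                summary["mfa_" + ch.get("ChallengeResponse", "Unknown").lower()] += 1
    return dict(summary)


def flag_events(events, min_level="Medium"):
    """Return a compact view of every event scored at or above min_level.

    Order is preserved so the output reads as a timeline; the fields kept are
    the ones an analyst needs to decide whether to contact the user.
    """
    threshold = RISK_ORDER[min_level]
    flagged = []
    for ev in events:
        level = ev.get("EventRisk", {}).get("RiskLevel", "Low")
        if RISK_ORDER.get(level, 0) < threshold:
            continue
        ctx = ev.get("EventContextData", {})
        flagged.append({
            "type": ev.get("EventType"), "response": ev.get("EventResponse"), "level": level,
            "ip": ctx.get("IpAddress"), "device": ctx.get("DeviceName"), "country": ctx.get("Country"),
        })
    return flagged


if __name__ == "__main__":
    print(summarize_auth_events(SAMPLE_EVENTS))
    for row in flag_events(SAMPLE_EVENTS):
        print(row)
```

In practice the `AuthEvents` list from the CLI or boto3 response is passed straight into these two functions; the `Unknown` defaults guard against records where Cognito could not resolve a location or device.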
Configuring Advanced Security Features
To configure these advanced security features for your app, you first need to create an Amazon Cognito user pool. Here’s a step-by-step guide:
- Navigate to the Amazon Cognito console and select “Manage your User Pools.” If you have an existing user pool, select it; otherwise, create a new one.
- In the MFA and verifications tab, enable MFA as “Optional” to allow users the choice to configure additional authentication factors, which are necessary for adaptive authentication. Choosing “Required” will mandate a second factor for every sign-in and effectively disable adaptive authentication.
- Enable at least one second factor of authentication, such as SMS or Time-based One-time Passwords (TOTPs).
- Create an app client by selecting “Add an App Client,” entering a name, and clicking “Create App Client.”
Next, configure the advanced security features:
- Once your user pool is saved, access the Advanced Security tab. Here, you can choose from three modes: Yes, Audit only, or No.
- Selecting “No” disables all advanced features.
- “Audit only” logs events to CloudWatch, allowing you to monitor risks without taking protective actions. This mode is ideal for understanding event patterns before fully enabling the features.
- Choosing “Yes” activates the advanced security features. It’s recommended to initially run these features in Audit only mode for a couple of weeks.
Upon enabling the advanced features, you can configure default settings for your app clients or set specific options for individual clients. Decide on the actions to take when compromised credentials are identified, such as allowing or blocking access.
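The console steps above correspond to three cognito-idp API calls: `UpdateUserPool` with `UserPoolAddOns` for the Off / Audit only / Yes mode, `SetUserPoolMfaConfig` for the optional second factor, and `SetRiskConfiguration` for the per-risk-level actions. The Python below is an added example written for this page, not AWS code; it builds the request bodies for those operations as plain dicts (the parameter names are the ones the API documents), uses placeholder pool and client ids, and never contacts AWS. Its one piece of logic is the guard the page describes: adaptive authentication is only configured when MFA is `OPTIONAL`.

```python
"""Build request bodies for Amazon Cognito advanced security settings.

Added example, not AWS code. Targets the cognito-idp operations UpdateUserPool,
SetUserPoolMfaConfig and SetRiskConfiguration. The ids below are placeholders.
"""
import json

USER_POOL_ID = "us-east-1_PLACEHOLDER"  # placeholder, not a real user pool id
CLIENT_ID = "PLACEHOLDERCLIENTID"        # placeholder app client id

ADVANCED_SECURITY_MODES = {"No": "OFF", "Audit only": "AUDIT", "Yes": "ENFORCED"}


def user_pool_add_ons(console_choice):
    """UpdateUserPool body for the console's No / Audit only / Yes choice."""
    if console_choice not in ADVANCED_SECURITY_MODES:
        raise ValueError("choice must be one of %s" % sorted(ADVANCED_SECURITY_MODES))
    return {
        "UserPoolId": USER_POOL_ID,
        "UserPoolAddOns": {"AdvancedSecurityMode": ADVANCED_SECURITY_MODES[console_choice]},
    }


def mfa_config(mfa_mode="OPTIONAL", totp=True):
    """SetUserPoolMfaConfig body. Only TOTP is enabled here; SMS MFA also needs
    an SmsConfiguration with an SNS caller role ARN, which this example omits."""
    if mfa_mode not in ("OFF", "ON", "OPTIONAL"):
        raise ValueError("mfa_mode must be OFF, ON or OPTIONAL")
    body = {"UserPoolId": USER_POOL_ID, "MfaConfiguration": mfa_mode}
    if totp:
        body["SoftwareTokenMfaConfiguration"] = {"Enabled": True}
    return body


def risk_configuration(mfa_mode="OPTIONAL", block_compromised=True):
    """SetRiskConfiguration body: block breached credentials, step up to MFA
    as risk rises. Rejects MFA modes where adaptive step-up cannot apply:
    ON already demands a factor on every sign-in, OFF leaves nothing to step
    up to (the OFF reasoning is this example's assumption, not the page's)."""
    if mfa_mode != "OPTIONAL":
        raise ValueError("adaptive authentication needs MfaConfiguration OPTIONAL")
    # Notify is False throughout so no NotifyConfiguration (SES source ARN) is needed.
    return {
        "UserPoolId": USER_POOL_ID,
        "ClientId": CLIENT_ID,
        "CompromisedCredentialsRiskConfiguration": {
            "EventFilter": ["SIGN_IN", "PASSWORD_CHANGE", "SIGN_UP"],
            "Actions": {"EventAction": "BLOCK" if block_compromised else "NO_ACTION"},
        },
        "AccountTakeoverRiskConfiguration": {
            "Actions": {
                "LowAction": {"Notify": False, "EventAction": "NO_ACTION"},
                "MediumAction": {"Notify": False, "EventAction": "MFA_IF_CONFIGURED"},
                "HighAction": {"Notify": False, "EventAction": "MFA_REQUIRED"},
            }
        },
    }


if __name__ == "__main__":
    # Rollout order the page recommends: audit first, enforce after review.
    for body in (user_pool_add_ons("Audit only"), mfa_config(), risk_configuration()):
        print(json.dumps(body, indent=2))
```

Each dict can be passed unchanged as keyword arguments to the matching boto3 method, for example `boto3.client("cognito-idp").set_risk_configuration(**risk_configuration())`; switching `user_pool_add_ons("Audit only")` to `user_pool_add_ons("Yes")` is the step that turns the configured actions on after the audit period.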
Incorporating these features not only enhances the security of your application but also provides a better user experience.