Amazon Cognito advanced security features provide enhanced protection against compromised credential and account takeover risks. The adaptive authentication component of advanced security features generates a risk score based on various factors including device and user information, for how likely the sign-in request is to be from a compromised source. You can use the risk rating to configure adaptive authentication for each user’s authentication attempt. The user authentication logs can be exported to external log-management systems like Amazon S3, Amazon data Firehose, or CloudWatch Logs. With advanced security features you can prevent reuse of previous passwords to increase the security posture of your application.
Now, Amazon Cognito can capture the risk score for the custom authentication flow. It can evaluate and respond to indicators of suspicious authentication activity by users who sign in with custom-challenge authentication flows.
Organizations using the custom authentication flow can leverage this feature to help early detection of suspicious unauthorized activity. You can implement mitigation strategies to block malicious threat actors and help you establish intelligence for an overall security monitoring and detection program.
Steps to enable threat protection for custom authentication :
In the Advanced security tab, select Set up full-function mode for Threat protection for custom authentication.
For the custom authentication flow, you can select No Enforcement, Audit-only or Full-function mode.
No enforcement - Cognito doesn’t gather metrics on detected risks or automatically take preventive actions. Audit-Only - Cognito gathers metrics on detected risks, but doesn’t take automatic action. Full-function - Cognito automatically takes preventive actions in response to different level of risk that you configure for your user pool.
4.If you are selecting Full-function mode then you can configure automatic risk responses as shown in below screenshot.
For each risk level, you can choose from the following options:
Allow - Users can sign in without an additional factor.
Optional MFA- Users who have a second factor configured must complete a second factor challenge to sign in. Users without a second factor configured can sign in with only one set of credentials.
Require MFA - Users who have a second factor configured must complete a second factor challenge to sign in. Cognito blocks sign-in for users who don't have a second factor configured.
Block - Cognito blocks all sign-in attempts at the designated risk level.
5.Choose Save changes.
Now, if your application is using the custom authentication flow and a user is trying to authenticate, Cognito will capture event history and take action based on your adaptive authentication configuration. Below is a sample user event history that gets captured when user is authenticating using custom authentication flow.
Conclusion:
With the new threat protection for custom authentication flow in Amazon Cognito, you can now monitor user activity even when your users sign in with the custom authentication flow. This feature allows configuring automatic response based on identified risk levels to protect your application from any threats, and increases security posture of application. To learn more, visit Threat protection in the Amazon Cognito Developer Guide.
Try out this new addition to Amazon Cognito advanced security features and share your feedback!
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
