Amazon Cognito provides user sign-up, sign-in, and access control for web and mobile applications. With Amazon Cognito user pools, you can create user accounts, manage profiles, and allow sign-in through external identity providers (IdPs) such as Google and Facebook. If you enable self-registration, remember that anyone on the internet can create an account in your pool and sign in to your application, so treat those accounts accordingly.
Amazon Cognito now offers advanced security features that strengthen the protection of user accounts. Launched at AWS re:Invent 2017, they consist of compromised credentials protection and risk-based adaptive authentication. Enabling them incurs additional charges; see the Amazon Cognito pricing page for details.
Compromised Credentials Protection
The compromised credentials feature protects accounts against credential reuse. Many users use the same username and password across multiple services, so an attacker who obtains a credential pair from one breach can try it against others. Amazon Cognito is integrated with partners that notify it when credentials have been exposed elsewhere. When a user signs up, signs in, or changes a password using a credential pair that is known to be compromised, Cognito can block the attempt and prompt the user to choose a different password.
Risk-Based Adaptive Authentication
The second feature is risk-based adaptive authentication, which evaluates each sign-in attempt and assigns it a risk level based on signals such as whether the user is signing in from a device and location seen in earlier successful sign-ins. Risk is reported as low, medium, or high, and you configure the action for each level: allow the sign-in, require a second factor (MFA), or block it. A sign-in whose pattern matches previous successful attempts continues to succeed with just the password, while a high-risk one can be blocked or stepped up to MFA.
To learn how MFA works together with adaptive authentication, see the Multi-Factor Authentication (MFA) Settings documentation. In addition, Amazon Cognito can now verify email addresses and phone numbers as part of the authentication flow.
Metrics and Data Management
Both the compromised credentials and adaptive authentication features offer valuable metrics, including data on sign-up and sign-in events, associated risk scores, and results from sign-in attempts. You can access aggregate metrics via the Amazon CloudWatch console and view individual user sign-in histories through the Amazon Cognito console.
Configuring Advanced Security Features
To configure the advanced security features for your app, you first need an Amazon Cognito user pool. Here is how to get started:
- Navigate to the Amazon Cognito console and select “Manage your User Pools.” If you already have a user pool, choose it; otherwise, create a new one.
- Under the MFA and verifications tab, set MFA to "Optional" so that adaptive authentication can decide per sign-in whether to ask for a second factor. If MFA is "Required," every sign-in demands a second factor and the risk-based decision never applies.
- Enable at least one second factor, for example SMS text messages and time-based one-time passwords (TOTP); otherwise there is nothing for adaptive authentication to step up to.
- In the App clients tab, create an app client by adding a name and selecting “Create app client.”
Next, you will configure the advanced security features:
- After you save the user pool, the Advanced security tab becomes available. It offers three modes: Yes, Audit only, or No.
- "No" disables all advanced security features.
- "Audit only" logs the relevant events and their risk levels to CloudWatch without taking any protective action, so you can monitor risk without affecting users.
- "Yes" enforces the configured actions. Run in Audit only mode for a couple of weeks first and review the risk levels assigned to real traffic before anything gets blocked.
After enabling the features, you can set defaults for all app clients or override them for individual clients. For each, you specify the action taken when compromised credentials are detected (at sign-up, sign-in, and password change) and the action for each adaptive-authentication risk level.
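The same procedure, scripted against the Amazon Cognito API with boto3, as an added example that is not part of the original post or AWS code. It assumes a user pool and app client already exist (the pool and client IDs are placeholders you must replace) and that AWS credentials with cognito-idp permissions are present in the environment when `apply()` runs; the helper functions that build the requests and check a pool's settings run offline. The Audit-then-enforce rollout is driven by the `AdvancedSecurityMode` add-on, while the risk configuration (which can be pool-wide or per app client) is set once and only takes effect when the mode is `ENFORCED`.

```python
"""Configure Amazon Cognito advanced security features with boto3.

Added example, not code from the original post or from AWS. Assumes a
user pool and app client already exist (the IDs below are placeholders)
and that AWS credentials with cognito-idp permissions are available in
the environment when apply() is called. Everything else runs offline.
"""
from __future__ import annotations

from typing import Any

USER_POOL_ID = "us-east-1_EXAMPLE"  # placeholder, replace with your pool ID
APP_CLIENT_ID = "1example23456789"  # placeholder, replace with your app client ID

# Rollout stage -> value of the AdvancedSecurityMode user pool add-on.
# OFF disables the features, AUDIT only logs risk levels to CloudWatch,
# ENFORCED applies the actions from the risk configuration.
STAGES = {"off": "OFF", "audit": "AUDIT", "enforce": "ENFORCED"}


def advanced_security_add_on(stage: str) -> dict[str, str]:
    """Return the UserPoolAddOns value for UpdateUserPool."""
    if stage not in STAGES:
        raise ValueError(f"stage must be one of {sorted(STAGES)}, got {stage!r}")
    return {"AdvancedSecurityMode": STAGES[stage]}


def risk_configuration(user_pool_id: str, client_id: str | None = None) -> dict[str, Any]:
    """Build the SetRiskConfiguration request.

    With client_id=None the configuration becomes the pool-wide default;
    with a client ID it overrides the default for that app client only.
    """
    request: dict[str, Any] = {
        "UserPoolId": user_pool_id,
        "CompromisedCredentialsRiskConfiguration": {
            # Check credentials at every entry point, not just sign-in.
            "EventFilter": ["SIGN_UP", "SIGN_IN", "PASSWORD_CHANGE"],
            "Actions": {"EventAction": "BLOCK"},
        },
        "AccountTakeoverRiskConfiguration": {
            # Escalate by risk level: familiar sign-ins pass with a password,
            # riskier ones are stepped up to a second factor.
            # Notify is False because no SES notification configuration is
            # included in this example.
            "Actions": {
                "LowAction": {"Notify": False, "EventAction": "NO_ACTION"},
                "MediumAction": {"Notify": False, "EventAction": "MFA_IF_CONFIGURED"},
                "HighAction": {"Notify": False, "EventAction": "MFA_REQUIRED"},
            }
        },
    }
    if client_id is not None:
        request["ClientId"] = client_id
    return request


def adaptive_auth_problems(pool: dict[str, Any]) -> list[str]:
    """Inspect a DescribeUserPool 'UserPool' dict for settings that defeat
    adaptive authentication; returns one message per problem found."""
    problems = []
    mfa = pool.get("MfaConfiguration", "OFF")
    if mfa == "ON":  # shown as "Required" in the console
        problems.append("MfaConfiguration is ON: every sign-in already demands "
                        "a second factor, so risk-based step-up never applies")
    elif mfa == "OFF":
        problems.append("MfaConfiguration is OFF: no second factor is enabled, "
                        "so MFA_IF_CONFIGURED and MFA_REQUIRED cannot step up")
    mode = pool.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF")
    if mode == "OFF":
        problems.append("AdvancedSecurityMode is OFF: risk levels are neither "
                        "computed nor logged")
    return problems


def apply(stage: str, client_id: str | None = APP_CLIENT_ID) -> list[str]:
    """Push the configuration and return any problems that remain afterwards."""
    import boto3  # imported here so the module also loads without boto3

    cognito = boto3.client("cognito-idp")
    # Make MFA optional with TOTP enabled. SetUserPoolMfaConfig touches only
    # the MFA settings, unlike UpdateUserPool.
    cognito.set_user_pool_mfa_config(
        UserPoolId=USER_POOL_ID,
        SoftwareTokenMfaConfiguration={"Enabled": True},
        MfaConfiguration="OPTIONAL",
    )
    # Caveat: UpdateUserPool resets any attribute you omit to its default,
    # so in production pass the pool's existing settings through as well.
    cognito.update_user_pool(
        UserPoolId=USER_POOL_ID,
        UserPoolAddOns=advanced_security_add_on(stage),
    )
    cognito.set_risk_configuration(**risk_configuration(USER_POOL_ID, client_id))
    pool = cognito.describe_user_pool(UserPoolId=USER_POOL_ID)["UserPool"]
    return adaptive_auth_problems(pool)


if __name__ == "__main__":
    for problem in apply("audit"):
        print("warning:", problem)
```

Start with `apply("audit")`, watch the CloudWatch metrics and per-user sign-in history for a couple of weeks, then switch to `apply("enforce")`; the risk configuration itself does not need to change between the two stages. Calling `risk_configuration` without a client ID produces the pool-wide default that the per-client call overrides.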