Working with compromised-credentials detection
Amazon Cognito can detect if a user's username and password have been compromised elsewhere. This can happen when users reuse credentials at more than one site, or when they use insecure passwords. Amazon Cognito checks local users who sign in with username and password, in managed login and with the Amazon Cognito API. A local user exists exclusively in your user pool directory without federation through an external IdP.
From the Threat protection menu of the Amazon Cognito console, you can configure Compromised credentials. Configure Event detection to choose the user events that you want to monitor for compromised credentials. Configure Compromised credentials responses to choose whether to allow or block the user if compromised credentials are detected. Amazon Cognito can check for compromised credentials during sign-in, sign-up, and password changes.
When you choose Allow sign-in, you can review Amazon CloudWatch Logs to monitor
the evaluations that Amazon Cognito makes on user events. For more information, see Viewing threat
protection metrics. When you choose
Block sign-in, Amazon Cognito prevents sign-in by users who use compromised
credentials. When Amazon Cognito blocks sign-in for a user, it sets the user's UserStatus
to RESET_REQUIRED
. A user with a
RESET_REQUIRED
status must change their password before they can sign in
again.
Note
Currently, Amazon Cognito doesn't check for compromised credentials for sign-in operations with Secure Remote Password (SRP) flow. SRP sends a hashed proof of password during sign-in. Amazon Cognito doesn't have access to passwords internally, so it can only evaluate a password that your client passes to it in plaintext.
Amazon Cognito checks sign-ins that use the AdminInitiateAuth API with ADMIN_USER_PASSWORD_AUTH
flow, and the
InitiateAuth API with USER_PASSWORD_AUTH
flow, for compromised
credentials.
To add compromised credentials protections to your user pool, see Advanced security with threat protection.