AWS Cognito | Security Requirement and Password Management

Security Requirement for AWS Cognito

Prev Question Next Question

Question

You are developing an application that is going to make use of AWS Cognito.

The default sign-in and sign-up features of the AWS Cognito service will be used.

There is a security requirement to ensure that if the user's credentials are compromised, then they would need to use a new password.

Which of the following needs to be in place for this? Choose 2 answers from the options given below.

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer - A and B.

This is given in the AWS Documentation.

Option C is incorrect since this configuration needs to be done in the Advanced Security section.

Option D is incorrect.

Currently, Amazon Cognito doesn't check for compromised credentials for sign-in operations with Secure Remote Password (SRP) flow, which doesn't send the password during sign-in.

For more information on Cognito User pools, please refer to the below URL-

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html
Checking for Compromised Credentials

Amazon Cognito can detect if a user’s credentials (user name and password) have been compromised elsewhere. This can happen
when users reuse credentials at more than one site, or when they use passwords that are easy to guess.

From the Advanced security page in the Amazon Cognito console, you can choose whether to allow, or block the user if
compromised credentials are detected. Blocking requires users to choose another password. Choosing Allow publishes all
attempted uses of compromised credentials to Amazon CloudWatch. For more information, see Viewing Advanced Security
Metrics.

You can also choose whether Amazon Cognito checks for compromised credentials during sign-in, sign-up, and password changes.

Which action do you want to take with the compromised credentials?
You can detect and protect your users from using credentials that have been exposed through breaches of other websites. Learn more about compromised credentials protections.
) Allow @) Block use

Blocking use will require users to
jen AWS Cloudwateh.

jerent password. Choosing allow will still log all attempted uses of compromises

Which events should trigger compromised credentials checks?
(MSignin [MSignup {[ Password change

z vent must be selec b

To meet the security requirement of forcing users with compromised credentials to create new passwords, the following two actions need to be taken:

A. Create a User Pool in AWS Cognito: A User Pool is a user directory in AWS Cognito where users can sign up, sign in, and manage their profiles. When a user signs up or signs in, the user pool authenticates the user's credentials and issues JSON web tokens (JWTs) to authorized users. By creating a User Pool, you can enable sign-up and sign-in for users and apply policies such as password strength and expiry rules.

B. Enable "Block use" for compromised credentials in the Advanced Security section: The Advanced Security section in AWS Cognito provides an option to block user accounts in case of any unusual sign-in activity or when a user's credentials are compromised. By enabling this feature, AWS Cognito will monitor user accounts for any unusual activity and automatically block the account if it detects any suspicious behavior.

C. (Incorrect) There is no option for "Block use" for compromised credentials in the Basic Security section. The Basic Security section in AWS Cognito provides a basic level of security for user accounts. It does not provide the option to block user accounts for any unusual activity or when a user's credentials are compromised. Therefore, option C is incorrect.

D. (Incorrect) Verify sign-in operation on Cognito using Secure Remote Password (SRP): Secure Remote Password (SRP) is a cryptographic protocol used for password-based authentication. It is a secure way to protect user credentials from being intercepted during the authentication process. However, this option does not address the requirement of forcing users with compromised credentials to create new passwords. Therefore, option D is incorrect.

In summary, options A and B are correct. To ensure that users with compromised credentials need to use new passwords, create a User Pool in AWS Cognito and enable "Block use" for compromised credentials in the Advanced Security section.