AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-04-03 · Documentation low

File: cognito/latest/developerguide/cognito-user-pools-saml-idp-things-to-know.md

Summary

Added explicit recommendation to use TLS-encrypted URLs for SAML metadata as a security best practice

Security assessment

The change emphasizes HTTPS usage for SAML metadata hosting as a security best practice but does not indicate resolution of a specific vulnerability. It improves security documentation without referencing a patched issue.

Diff

diff --git a/cognito/latest/developerguide/cognito-user-pools-saml-idp-things-to-know.md b/cognito/latest/developerguide/cognito-user-pools-saml-idp-things-to-know.md
index 46af45738..daab2e074 100644
--- a//cognito/latest/developerguide/cognito-user-pools-saml-idp-things-to-know.md
+++ b//cognito/latest/developerguide/cognito-user-pools-saml-idp-things-to-know.md
@@ -150 +150 @@ If you see `InvalidParameterException` while creating a SAML IdP with an HTTPS m
-Amazon Cognito only accepts metadata URLs for SAML providers on the standard TCP ports 80 for HTTP and 443 for HTTPS. Enter metadata URLs in the format ``http://www.example.com/saml2/metadata.xml`` or ``https://www.example.com/saml2/metadata.xml``. The Amazon Cognito console accepts metadata URLs only with the `https://` prefix. You can also configure IdP metadata with [CreateIdentityProvider](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateIdentityProvider.html) and [UpdateIdentityProvider](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateIdentityProvider.html).
+Amazon Cognito only accepts metadata URLs for SAML providers on the standard TCP ports 80 for HTTP and 443 for HTTPS. As a security best practice, host SAML metadata at a TLS-encrypted URL with the `https://` prefix. Enter metadata URLs in the format ``http://www.example.com/saml2/metadata.xml`` or ``https://www.example.com/saml2/metadata.xml``. The Amazon Cognito console accepts metadata URLs only with the `https://` prefix. You can also configure IdP metadata with [CreateIdentityProvider](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateIdentityProvider.html) and [UpdateIdentityProvider](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateIdentityProvider.html).