AWS cognito documentation change
Summary
Added documentation links for compromised credentials, adaptive authentication, and threat protection logs. Added detailed IP address allowlist/blocklist configuration guidance.
Security assessment
The changes document security features like IP-based access controls and threat detection mechanisms, but there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.md b/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.md index ea35c78d9..47ca9e370 100644 --- a//cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.md +++ b//cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.md @@ -23,0 +24,4 @@ You can choose the user actions that prompt a check for compromised credentials, +###### Learn more + +[Working with compromised-credentials detection](./cognito-user-pool-settings-compromised-credentials.html) + @@ -30,0 +35,4 @@ When you activate threat protection, Amazon Cognito assigns a risk score to user +###### Learn more + +[Working with adaptive authentication](./cognito-user-pool-settings-adaptive-authentication.html) + @@ -35,0 +44,13 @@ With Amazon Cognito threat protection in **Full function** mode, you can create +###### Things to know about IP-address allowlists and blocklists + + * You must express **Always block** and **Always allow** in CIDR format, for example `192.0.2.0/24`, a 24-bit mask, or `192.0.2.252/32`, a single IP address. + + * Devices with IP addresses in an **Always block** IP range can't sign up or sign in with SDK-based or managed login applications, but they can sign in with third-party IdPs. + + * **Always allow** and **Always block** lists don't affect token refresh. + + * Amazon Cognito doesn't apply adaptive authentication MFA rules to devices from an **Always allow** IP range, but does apply compromised-credentials rules. + + + + @@ -40,0 +62,4 @@ Threat protection logs granular details of users' authentication requests to you +###### Learn more + +[Exporting threat protection user activity logs](./exporting-quotas-and-usage.html#exporting-quotas-and-usage-user-activity) +