AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-04-16 · Documentation medium

File: cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.md

Summary

Added documentation links for compromised credentials, adaptive authentication, and threat protection logs. Added detailed IP address allowlist/blocklist configuration guidance.

Security assessment

The changes document security features like IP-based access controls and threat detection mechanisms, but there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.md b/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.md
index ea35c78d9..47ca9e370 100644
--- a//cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.md
+++ b//cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.md
@@ -23,0 +24,4 @@ You can choose the user actions that prompt a check for compromised credentials,
+###### Learn more
+
+[Working with compromised-credentials detection](./cognito-user-pool-settings-compromised-credentials.html)
+
@@ -30,0 +35,4 @@ When you activate threat protection, Amazon Cognito assigns a risk score to user
+###### Learn more
+
+[Working with adaptive authentication](./cognito-user-pool-settings-adaptive-authentication.html)
+
@@ -35,0 +44,13 @@ With Amazon Cognito threat protection in **Full function** mode, you can create
+###### Things to know about IP-address allowlists and blocklists
+
+  * You must express **Always block** and **Always allow** in CIDR format, for example `192.0.2.0/24`, a 24-bit mask, or `192.0.2.252/32`, a single IP address.
+
+  * Devices with IP addresses in an **Always block** IP range can't sign up or sign in with SDK-based or managed login applications, but they can sign in with third-party IdPs. 
+
+  * **Always allow** and **Always block** lists don't affect token refresh.
+
+  * Amazon Cognito doesn't apply adaptive authentication MFA rules to devices from an **Always allow** IP range, but does apply compromised-credentials rules.
+
+
+
+
@@ -40,0 +62,4 @@ Threat protection logs granular details of users' authentication requests to you
+###### Learn more
+
+[Exporting threat protection user activity logs](./exporting-quotas-and-usage.html#exporting-quotas-and-usage-user-activity)
+