AWS cognito medium security documentation change
Summary
Added detailed documentation about enabling, disabling, and deleting user accounts including console/API procedures and security implications of account state changes
Security assessment
The change explicitly documents security controls like token revocation upon account disablement, prevention of sign-in attempts for disabled accounts, and administrator-only access to enable/disable operations. This directly relates to access control and session management security mechanisms.
Diff
diff --git a/cognito/latest/developerguide/how-to-manage-user-accounts.md b/cognito/latest/developerguide/how-to-manage-user-accounts.md index 1124c986b..64a1f9afb 100644 --- a//cognito/latest/developerguide/how-to-manage-user-accounts.md +++ b//cognito/latest/developerguide/how-to-manage-user-accounts.md @@ -5 +5 @@ -Viewing user attributesResetting a user's passwordSearching user attributesSearching for users with the AWS Management ConsoleSearching for users with the ListUsers APIExamples of using the ListUsers API +Viewing user attributesResetting a user's passwordEnable, disable, and delete user accountsSearching user attributesSearching for users with the AWS Management ConsoleSearching for users with the ListUsers APIExamples of using the ListUsers API @@ -54,0 +55,118 @@ This action immediately results in a confirmation code being sent to the user an +## Enable, disable, and delete user accounts + +You can delete unused user profiles or, if you want to temporarily prevent access, disable them. Users can delete their own accounts, but only user pool administrators can enable and disable user accounts. + +###### Effect of deletion + +Users can't sign in with deleted user accounts and to regain access, must sign up or be created again. + +###### Effect of disabling accounts + +When you disable a user account, Amazon Cognito automatically invalidates all authenticated sessions, deactivates the user account for sign-in, and [revokes their access and refresh tokens](./token-revocation.html). Amazon Cognito returns an `invalid_request` error with the message `User is not enabled` when a user tries to sign in to an account that you disabled. This behavior doesn't change with your [user existence disclosure settings](./cognito-user-pool-managing-errors.html) for the app client. You can disable local user accounts and the local profiles of federated user accounts. When users sign in with managed login or the classic hosted UI, then you disable their account, and then they try to sign in again with the the browser cookie that maintains their authenticated session, Amazon Cognito redirects them to the login page. + +###### Effect of enabling accounts + +Users can immediately sign in to accounts after you enable them. User accounts are enabled by default. Users' attributes and passwords remain the same as before their account was disabled. Tokens that your application revoked, whether you disabled the user account or separately revoked the refresh token, remain non-valid after you enable the user account that owned the token. + +Delete a user account (console) + + +###### To delete a user account + + 1. Go to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). If prompted, enter your AWS credentials. + + 2. Choose **User Pools**. + + 3. Choose an existing user pool from the list. + + 4. Choose the **Users** menu and select the radio button next to the username of a user in the list. + + 5. Choose **Delete**. + + 6. Choose **Disable user access**. + + 7. Choose **Delete**. + + + + +Delete a user account (API) + + +Users can delete their accounts with the self-service access-token-authorized [DeleteUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DeleteUser.html) API operation. The following is an exanple `DeleteUser` request body. + + + { + "AccessToken": "eyJra456defEXAMPLE" + } + +Administrators can delete user accounts with the IAM-authorized [AdminDeleteUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminDeleteUser.html) API operation. The following is an exanple `AdminDeleteUser` request body. + + + { + "Username": "testuser", + "UserPoolId": "us-west-2_EXAMPLE" + } + +Disable a user account (console) + + +###### To disable a user account + + 1. Go to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). If prompted, enter your AWS credentials. + + 2. Choose **User Pools**. + + 3. Choose an existing user pool from the list. + + 4. Choose the **Users** menu and select the username of a user in the list. + + 5. On the user details page, choose **Actions** , **Disable user access**. + + 6. In the dialog that this creates, choose **Disable**. + + + + +Disable a user account (API) + + +Administrators can disable user accounts with the IAM-authorized [AdminDisableUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminDisableUser.html) API operation. The following is an exanple `AdminDisableUser` request body. + + + { + "Username": "testuser", + "UserPoolId": "us-west-2_EXAMPLE" + } + +Enable a user account (console) + + +###### To enable a user account + + 1. Go to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). If prompted, enter your AWS credentials. + + 2. Choose **User Pools**. + + 3. Choose an existing user pool from the list. + + 4. Choose the **Users** menu and select the username of a user in the list. + + 5. On the user details page, choose **Actions** , **Enable user access**. + + 6. In the dialog that this creates, choose **Enable**. + + + + +Enable a user account (API) + + +Administrators can enable user accounts with the IAM-authorized [AdminEnableUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminEnableUser.html) API operation. The following is an exanple `AdminEnableUser` request body. + + + { + "Username": "testuser", + "UserPoolId": "us-west-2_EXAMPLE" + } +