AWS cognito documentation change
Summary
Expanded documentation on compromised credential checks to include specific user activities (sign-up, sign-in, password reset) and API operations involved in credential validation.
Security assessment
The changes clarify when compromised credential checks occur (e.g., during sign-up, password reset) and specify API operations involved. While this enhances documentation of a security feature (compromised credential detection), there is no evidence of addressing a specific vulnerability or incident.
Diff
diff --git a/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.md b/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.md index 56c8441b5..4fc15fc44 100644 --- a//cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.md +++ b//cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.md @@ -7 +7 @@ -Amazon Cognito can detect if a user's username and password have been compromised elsewhere. This can happen when users reuse credentials at more than one site, or when they use insecure passwords. Amazon Cognito checks _local users_ who sign in with username and password, in managed login and with the Amazon Cognito API. A local user exists exclusively in your user pool directory without federation through an external IdP. +Amazon Cognito can detect if a user's username and password have been compromised elsewhere. This can happen when users reuse credentials at more than one site, or when they use insecure passwords. Amazon Cognito checks [local users](./cognito-terms.html#terms-localuser) who sign in with username and password, in managed login and with the Amazon Cognito API. @@ -13 +13,11 @@ When you choose **Allow sign-in** , you can review Amazon CloudWatch Logs to mon -###### Note +Compromised credentials can check passwords for the following user activity. + +**Sign-up** + + +Your user pool checks the passwords that users transmit in the [SignUp](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html) operation and from the sign-up page of managed login for indicators of compromise. + +**Sign-in** + + +Your user pool checks passwords that users submit in password-based sign-in for indicators of compromise. Amazon Cognito can review the `ADMIN_USER_PASSWORD_AUTH` flow in [AdminInitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html), the `USER_PASSWORD_AUTH` flow in [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html), and the `PASSWORD` option of the `USER_AUTH` flow in both. @@ -17 +27,6 @@ Currently, Amazon Cognito doesn't check for compromised credentials for sign-in -Amazon Cognito checks sign-ins that use the [AdminInitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html) API with `ADMIN_USER_PASSWORD_AUTH` flow, and the [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) API with `USER_PASSWORD_AUTH` flow, for compromised credentials. +**Password reset** + + +Your user pool checks for indicators of compromise in operations that set new user passwords with the [ConfirmForgotPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html) self-service password reset operation. The code that's required for this operation is generated by [ForgotPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html) and [AdminResetUserPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html). + +Compromised credentials doesn't check temporary or permanent administrator-set passwords set with [AdminSetUserPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html). However, with temporary passwords, your user pool checks passwords from responses to the `NEW_PASSWORD_REQUIRED` challenge in [RespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html) and [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html).