AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2026-05-22 · Documentation medium

File: solutions/latest/distributed-load-testing-on-aws/design-considerations.md

Summary

Added identity provider federation documentation, updated third-party component notes with security references, and added security considerations for HTTP endpoint tests and K6.

Security assessment

The changes add security documentation references for third-party frameworks (JMeter/K6) and include security best practices for identity provider federation. The federation section explicitly warns about unauthorized configuration changes and recommends CloudTrail monitoring, improving security posture documentation without fixing a specific vulnerability.

Diff

diff --git a/solutions/latest/distributed-load-testing-on-aws/design-considerations.md b/solutions/latest/distributed-load-testing-on-aws/design-considerations.md
index 59b4e8657..a68e7fbfd 100644
--- a//solutions/latest/distributed-load-testing-on-aws/design-considerations.md
+++ b//solutions/latest/distributed-load-testing-on-aws/design-considerations.md
@@ -7 +7 @@
-Supported applicationsTest typesScheduling testsConcurrent testsUser managementRegional deployment
+Supported applicationsTest typesScheduling testsConcurrent testsUser managementIdentity provider federationRegional deployment
@@ -20,0 +21,4 @@ Distributed Load Testing on AWS supports multiple test types: simple HTTP endpoi
+###### Note
+
+The solution distributes JMeter, K6, and Locust as third-party components without modification. For security considerations, patching options, and license information, refer to [Third-party testing frameworks](./security-1.html#third-party-testing-frameworks).
+
@@ -24,0 +29,2 @@ The web console provides an HTTP Endpoint Configuration interface that allows yo
+When you configure an HTTP endpoint, the solution converts your configuration into a test plan that is executed by the bundled Apache JMeter binary through the Taurus framework. Simple HTTP Endpoint tests do not accept a test archive, so they cannot override the bundled JMeter binary or plugins. If you need to run HTTP endpoint tests with a patched JMeter, use the JMeter test type instead. For security considerations, refer to [Apache JMeter](./security-1.html#jmeter-security).
+
@@ -47 +53 @@ For more information about how to use JMeter scripts, refer to [JMeter User’s
-The solution supports K6 framework-based testing. K6 is released under the [AGPL-3.0 license](https://github.com/grafana/k6/blob/master/LICENSE.md). The solution displays a license acknowledgment message when creating a new K6 test. You can upload the K6 test file along with any necessary input files in an archive file.
+The solution supports K6 framework-based testing. You can upload the K6 test file along with any necessary input files in an archive file. The web console displays a license acknowledgment message when you create a new K6 test; for license and security details, refer to [Grafana K6](./security-1.html#k6-security).
@@ -98,0 +105,92 @@ For migrating existing users to Amazon Cognito user pools, refer to the AWS blog
+## Identity provider federation
+
+The solution’s Amazon Cognito user pool supports federation with external identity providers (IdPs) using SAML 2.0 or OpenID Connect (OIDC) protocols. Federation allows users to sign in to the web console using their existing corporate or organizational credentials instead of Cognito-native credentials. Federated users receive the same access permissions as users created directly in the Cognito user pool.
+
+The solution already deploys the Cognito user pool, domain, app client, and hosted UI. To enable federation, you only need to register your identity provider and enable it on the existing app client.
+
+If you deploy the optional MCP Server integration, federated users can also access the MCP Server using the same Cognito user pool credentials.
+
+### Prerequisites
+
+Before configuring federation, you need the following:
+
+  * An external identity provider that supports SAML 2.0 or OIDC
+
+  * Admin access to configure the external IdP (to set redirect URIs or ACS URLs)
+
+  * The solution’s Cognito user pool ID (available in the CloudFormation stack resources or the Amazon Cognito console)
+
+  * The solution’s Cognito domain prefix (available in the CloudFormation stack outputs or the Cognito console under **App integration** > **Domain**)
+
+
+
+
+**Step 1: Configure your identity provider**
+
+Configure your external identity provider with the following values so that it can communicate with the solution’s Cognito user pool.
+
+For SAML identity providers:
+
+  * SP entity ID: `urn:amazon:cognito:sp:_<UserPoolId>_`
+
+  * ACS URL: `\https://_< cognito-domain>_.auth._< region>_.amazoncognito.com/saml2/idpresponse`
+
+
+
+
+For OIDC identity providers:
+
+  * Redirect URI: `\https://_< cognito-domain>_.auth._< region>_.amazoncognito.com/oauth2/idpresponse`
+
+
+
+
+For details on what your IdP needs, refer to [Adding SAML identity providers to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html) or [Adding OIDC identity providers to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html) in the _Amazon Cognito Developer Guide_.
+
+**Step 2: Register the identity provider in Cognito**
+
+Add your external identity provider to the solution’s existing Cognito user pool using the Amazon Cognito console.
+
+For step-by-step instructions, refer to [Adding user pool sign-in through a third party](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-provider.html) in the _Amazon Cognito Developer Guide_.
+
+**Step 3: Configure attribute mappings**
+
+Configure attribute mappings between your identity provider’s claims and the Cognito user pool attributes. At a minimum, map the user’s email claim from the external provider to the Cognito `email` attribute. Consider also mapping `name` or `nickname` if your identity provider supplies them.
+
+For instructions, refer to [Specifying identity provider attribute mappings for your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html) in the _Amazon Cognito Developer Guide_.
+
+**Step 4: Enable the identity provider on the app client**
+
+In the Amazon Cognito console, find the app client created by the solution and enable your new identity provider under the hosted UI settings.
+
+For instructions, refer to [Configuring a user pool app client](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html) in the _Amazon Cognito Developer Guide_.
+
+###### Note
+
+The solution already configures the app client’s callback and sign-out URLs, OAuth scopes, and hosted UI domain. You do not need to modify these settings — only enable your identity provider on the existing app client.
+
+###### Important
+
+The solution intentionally omits the `SupportedIdentityProviders` property from the CloudFormation app client configuration. This allows you to add identity providers post-deployment without triggering CloudFormation drift detection. If this property were set in the template, any manual IdP changes through the console or CLI would be overwritten on the next stack update, reverting the app client to only the providers listed in the template.
+
+Because this property is omitted, CloudFormation does not track or manage which identity providers are enabled on the app client. After you configure federation, you are responsible for managing the contents of `SupportedIdentityProviders` on the app client. To monitor for unauthorized changes, enable [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) logging and create [Amazon EventBridge rules](https://docs.aws.amazon.com/eventbridge/latest/userguide/aws-events.html) to alert on `CreateIdentityProvider` and `UpdateUserPoolClient` API calls targeting the solution’s Cognito user pool.
+
+###### Note
+
+  * Adding an external identity provider does not remove the ability for existing Cognito-native users to sign in with their current credentials.
+
+  * Federated users are subject to the same regional availability constraints as the Cognito user pool. For more information, refer to Regional deployment.
+
+  * Test federated sign-in with a small group of users before rolling it out to your organization.
+
+
+
+
+### Disabling or deleting the default Cognito user
+
+After configuring federation, you may want to disable or delete the default user that was created during stack deployment. This is optional — the default user continues to work alongside federated sign-in.
+
+To disable a user, navigate to the solution’s Cognito user pool in the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home), select the **Users** tab, choose the user, and select **Disable user access**. To delete a user, you must first disable them, then choose **Delete user**. Disabling a user revokes their tokens and prevents sign-in while preserving the account; deleting permanently removes it.
+
+For more details, refer to [Managing and searching for user accounts](https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html) in the _Amazon Cognito Developer Guide_.
+