Cognito User Pool for Disaster Recovery


Cognito User Pool is a regional service and in case of any problems with the region users cannot authenticate. To mitigate that we can create a copy of the pool in another region and sync data to it (in post confirmation lambda trigger for example). This is not a perfect solution because when application switches to the other region, users would have to reset their passwords. Another problem is with client apps - is there a way to sync those between user pools?

Or is there a better way to implement a resilient authentication mechanism based on Cognito?

Asked 8 months ago, 877 views
1 answer

Currently "password import is not supported, because security best practices require that passwords are not available as plain text, and we don't support importing hashes." "User passwords are not imported when users are backed up to a secondary Region's user pool. Users will need to change their password the first time they sign into the application when it is in failover mode. When the application is switched back to either active or fenced mode, users will need to use their original password or reset it." You can use the Cognito User Profiles Export Reference Architecture to provide resiliency in case of Regional failure or accidental deletion of their users' profiles. The solution does not export sensitive information, such as user passwords. It also does not support user pools with multi-factor authentication (MFA) activated and advanced security features.

You could do something like what is described in this blog to retain password transparency. The "One-at-a-time user migration" requires the source IdP, in your case the original user pool, to be available, so you would have to set up a mechanism to switch to the failover user pool periodically while the original user pool is available to import users into the failover user pool. This approach does not guarantee that 100% of the users would be able to authenticate without going through the forgotten password flow to set the password in the new system, but it may help you achieve an acceptable threshold.

Here is a post from another contributor that may provide additional information.

Please let me know if this answers your question, or if I should provide clarification.

Thanks, Israel.

AWS
Answered 8 months ago
Expert
Reviewed a month ago
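The "one-at-a-time" approach in the answer above is what Cognito's user migration Lambda trigger does: when a user unknown to the failover pool signs in, Cognito passes the typed password to the trigger, the trigger verifies it against the original pool, and the failover pool then creates the user with that same password, so no password hashes ever need to be exported. The handler below is an added example written for this post, not code from the answer, the linked blog, or AWS. It assumes a boto3-style cognito-idp client pointed at the source pool (a constructed stand-in is included so it runs offline); the pool and app client ids are placeholders.

```python
"""Cognito user migration trigger for a failover pool (added example, assumed wiring)."""
import os
from typing import Any, Dict, List, Optional

# Placeholder identifiers (assumption); a real deployment reads them from the Lambda environment.
SOURCE_POOL_ID = os.environ.get("SOURCE_POOL_ID", "us-east-1_PLACEHOLDER")
SOURCE_CLIENT_ID = os.environ.get("SOURCE_CLIENT_ID", "placeholder-app-client-id")

# Attributes copied into the failover pool. "sub" is deliberately left out: the failover
# pool issues its own, so anything the application keys on sub must be remapped. Custom
# attributes are also skipped unless the failover pool's schema defines them.
COPIED_ATTRIBUTES = {"email", "email_verified", "phone_number", "phone_number_verified", "name"}


def _attributes_to_dict(attributes: List[Dict[str, str]]) -> Dict[str, str]:
    """Flatten the [{'Name': ..., 'Value': ...}] list returned by AdminGetUser."""
    return {a["Name"]: a["Value"] for a in attributes}


def handle_user_migration(event: Dict[str, Any], idp: Any) -> Dict[str, Any]:
    """Handle a UserMigration_* trigger event from the failover pool.

    `idp` is a client with the boto3 cognito-idp shape (admin_initiate_auth, admin_get_user)
    for the SOURCE pool. Any exception makes Cognito reject the sign-in, so a source region
    that is down simply sends the user to the forgot-password flow, as the answer describes.
    """
    trigger = event["triggerSource"]
    username = event["userName"]

    if trigger == "UserMigration_Authentication":
        # Cognito hands the trigger the password the user just typed; verify it against the
        # source pool instead of exporting hashes, which Cognito does not allow.
        result = idp.admin_initiate_auth(
            UserPoolId=SOURCE_POOL_ID,
            ClientId=SOURCE_CLIENT_ID,
            AuthFlow="ADMIN_USER_PASSWORD_AUTH",
            AuthParameters={"USERNAME": username, "PASSWORD": event["request"]["password"]},
        )
        if "AuthenticationResult" not in result:
            # A pending challenge (for example MFA) means the password alone is not proof of
            # identity; refuse to migrate rather than create the user on a half-finished login.
            raise PermissionError("source pool returned a challenge; not migrating")
        event["response"]["finalUserStatus"] = "CONFIRMED"  # sign in with the existing password
    elif trigger == "UserMigration_ForgotPassword":
        # No password to check: the user sets a new one through the reset-code flow.
        pass
    else:
        raise ValueError(f"unexpected trigger source: {trigger}")

    source_user = idp.admin_get_user(UserPoolId=SOURCE_POOL_ID, Username=username)
    attrs = _attributes_to_dict(source_user["UserAttributes"])
    event["response"]["userAttributes"] = {k: v for k, v in attrs.items() if k in COPIED_ATTRIBUTES}
    event["response"]["messageAction"] = "SUPPRESS"  # no welcome email for a migrated user
    return event


class ConstructedSourcePool:
    """Constructed stand-in for a boto3 cognito-idp client so the example runs offline.
    It keeps plaintext passwords only because it is a demo fixture; a real pool never exposes them."""

    def __init__(self, users: Dict[str, Dict[str, Any]]):
        self._users = users

    def admin_initiate_auth(self, UserPoolId, ClientId, AuthFlow, AuthParameters):
        user = self._users.get(AuthParameters["USERNAME"])
        if user is None or user["password"] != AuthParameters["PASSWORD"]:
            raise PermissionError("NotAuthorizedException")  # the real client raises a ClientError
        if user.get("mfa"):
            return {"ChallengeName": "SOFTWARE_TOKEN_MFA", "Session": "constructed-session"}
        return {"AuthenticationResult": {"AccessToken": "constructed-token"}}

    def admin_get_user(self, UserPoolId, Username):
        user = self._users[Username]
        return {"Username": Username, "UserStatus": "CONFIRMED",
                "UserAttributes": [{"Name": k, "Value": v} for k, v in user["attributes"].items()]}


# Constructed sample users: alice is password-only, bob has MFA enabled.
DEMO_SOURCE_POOL = ConstructedSourcePool({
    "alice": {"password": "Correct-Horse-1",
              "attributes": {"sub": "1111-aaaa", "email": "alice@example.com",
                             "email_verified": "true", "custom:tenant": "acme"}},
    "bob": {"password": "Battery-Staple-2", "mfa": True,
            "attributes": {"sub": "2222-bbbb", "email": "bob@example.com", "email_verified": "true"}},
})


def make_event(trigger: str, username: str, password: Optional[str] = None) -> Dict[str, Any]:
    """Build the minimal trigger event shape Cognito sends (constructed sample)."""
    return {"triggerSource": trigger, "userName": username,
            "request": {"password": password}, "response": {}}


if __name__ == "__main__":
    migrated = handle_user_migration(
        make_event("UserMigration_Authentication", "alice", "Correct-Horse-1"), DEMO_SOURCE_POOL)
    print(migrated["response"])
```

To use this for real, attach the Lambda as the failover pool's user migration trigger, grant it `cognito-idp:AdminInitiateAuth` and `cognito-idp:AdminGetUser` on the source pool, and enable `ALLOW_ADMIN_USER_PASSWORD_AUTH` on the source app client. As the answer notes, only users who actually sign in while the failover pool is active get migrated, so the periodic switch-over is what drives coverage; users with MFA are rejected here and still need the reset flow, matching the export solution's MFA limitation.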
