Why isn't TLS 1.2 enforced for Cognito Hosted UI endpoints?

1

We noticed that TLS 1.0 and 1.1 protocols are still available for client connectivity to the Amazon Cognito User Pools when we use a custom domain and the Hosted UI; this is causing issues with compliance and regulations. How can we enforce TLS 1.2 for the Hosted UI? It doesn't appear we have any ability to change this on the backend since Amazon manages the CloudFront distribution as the Alias Target.

Is this Cognito Hosted UI service slated to be enforced on TLS 1.2 this year per blog post: https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/?

1 answer
0

Hello,

Hope you are safe and doing well.

Thank you for contacting us.

I understand that you noticed that TLS 1.0 and 1.1 protocols are still available for client connectivity to the Amazon Cognito User Pools when you use a custom domain and the Hosted UI. Hence you would like to know how you can enforce TLS 1.2 for the Hosted UI.

Currently, Amazon Cognito does not support suppressing TLS 1.0 and 1.1 or enforcing the use of TLS 1.2. We do have a feature request with our Cognito Service team to allow the configuration of TLS settings on the Cognito Domain. You can track any future releases in Cognito by following product updates on the AWS Blog:

https://aws.amazon.com/new/
https://aws.amazon.com/blogs/aws/tag/announcements/

However, there is a possible workaround.

You can create a CloudFront Distribution in your account with the Cognito User Pool as the origin. Your Cognito domain name [1] can be configured as the origin when creating a CloudFront distribution. You can set the minimum SSL protocol for CloudFront to use when it establishes an HTTPS connection to your Cognito origin as per your requirement [2]. CloudFront also supports customizing the TLS version between viewers (clients) and CloudFront. You can also set the minimum TLS version and ciphers that are used to communicate with your CloudFront distribution. Please refer here [3] for more information on supported protocols and ciphers.

I hope the above information will be helpful.

Thank you!!

References:

[1] Using the Amazon Cognito Domain for the Hosted UI: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html#cognito-user-pools-assign-domain-prefix-step-1

[2] Requiring HTTPS for communication between CloudFront and your custom origin: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

[3] Supported protocols and ciphers between viewers and CloudFront: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html

AWS
Support Engineer
answered 8 months ago
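The workaround in the answer above, written out as a CloudFormation template. This is an added example, not code from the answer or from AWS; the Cognito prefix domain, the viewer hostname auth.example.com and the ACM certificate ARN are assumed placeholders. It pins TLS 1.2 on both legs: the origin leg via OriginSSLProtocols [2] and the viewer leg via MinimumProtocolVersion [3].

```yaml
# Added example (hypothetical values): CloudFront in front of a Cognito Hosted UI domain.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  CognitoDomain:
    Type: String
    Description: Cognito prefix domain used as the origin (assumed placeholder).
    Default: myprefix.auth.us-east-1.amazoncognito.com
  ViewerAlias:
    Type: String
    Description: Custom hostname served by this distribution (assumed placeholder).
    Default: auth.example.com
  CertificateArn:
    Type: String
    Description: ACM certificate ARN for ViewerAlias; CloudFront requires it in us-east-1.
Resources:
  HostedUiDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        HttpVersion: http2
        Aliases:
          - !Ref ViewerAlias
        Origins:
          - Id: cognito-hosted-ui
            DomainName: !Ref CognitoDomain
            CustomOriginConfig:
              HTTPSPort: 443
              OriginProtocolPolicy: https-only   # never fall back to plain HTTP to the origin
              OriginSSLProtocols:
                - TLSv1.2                        # CloudFront -> Cognito: TLS 1.2 only [2]
        DefaultCacheBehavior:
          TargetOriginId: cognito-hosted-ui
          ViewerProtocolPolicy: https-only       # refuse plain-HTTP viewers instead of redirecting
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          MinTTL: 0
          DefaultTTL: 0
          MaxTTL: 0                              # login pages and token responses must not be cached
          ForwardedValues:
            QueryString: true                    # OAuth parameters (client_id, state, code, ...)
            Cookies:
              Forward: all                       # Hosted UI session cookies
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021   # viewer -> CloudFront: TLS 1.2 and up only [3]
```

After deployment, `openssl s_client -connect auth.example.com:443 -tls1_1` should fail to negotiate while the same command with `-tls1_2` succeeds, which is the check to keep for the compliance evidence.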
