- Newest
- Most votes
- Most comments
Currently "password import is not supported, because security best practices require that passwords are not available as plain text, and we don't support importing hashes." "User passwords are not imported when users are backed up to a secondary Region's user pool. Users will need to change their password the first time they sign into the application when it is in failover mode. When the application is switched back to either active or fenced mode, users will need to use their original password or reset it." You can use the Cognito User Profiles Export Reference Architecture to provide resiliency in case of Regional failure or accidental deletion of their users' profiles. The solution does not export sensitive information, such as user passwords. It also does not support user pools with multi-factor authentication (MFA) activated and advanced security features.
You could could do something like what is described in this blog to retain password transparency. The "One-at-a-time user migration" requires the source IDp, in your case the original user pool, to be available, so you would have to set up a mechanism to switch to the failover user pool periodically while the original user pool is available to import users into the failover user pool. This approach does not guarantee that 100% of the users would be able to authenticate without going through the forgotten password flow to set the password in the new system, but it may help you achieve an acceptable threshold.
Here is a post from another contributor that may provide additional information.
Please let me know if this answers your question, or if I should provide clarification.
Thanks, Israel.
Relevant content
- asked 9 months ago
- asked 4 years ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago