Cognito User Pool for Disaster Recovery


Cognito User Pool is a regional service and in case of any problems with the region users cannot authenticate. To mitigate that we can create a copy of the pool in another region and sync data to it (in post confirmation lambda trigger for example). This is not a perfect solution because when application switches to the other region, users would have to reset their passwords. Another problem is with client apps - is there a way to sync those between user pools?

Or is there a better way to implement a resilient authentication mechanism based on Cognito?

asked 15 days ago75 views
1 Answer

Currently "password import is not supported, because security best practices require that passwords are not available as plain text, and we don't support importing hashes." "User passwords are not imported when users are backed up to a secondary Region's user pool. Users will need to change their password the first time they sign into the application when it is in failover mode. When the application is switched back to either active or fenced mode, users will need to use their original password or reset it." You can use the Cognito User Profiles Export Reference Architecture to provide resiliency in case of Regional failure or accidental deletion of their users' profiles. The solution does not export sensitive information, such as user passwords. It also does not support user pools with multi-factor authentication (MFA) activated and advanced security features.

You could could do something like what is described in this blog to retain password transparency. The "One-at-a-time user migration" requires the source IDp, in your case the original user pool, to be available, so you would have to set up a mechanism to switch to the failover user pool periodically while the original user pool is available to import users into the failover user pool. This approach does not guarantee that 100% of the users would be able to authenticate without going through the forgotten password flow to set the password in the new system, but it may help you achieve an acceptable threshold.

Here is a post from another contributor that may provide additional information.

Please let me know if this answers your question, or if I should provide clarification.

Thanks, Israel.

answered 15 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions