Why isn't TLS 1.2 enforced for Cognito Hosted UI endpoints?


We noticed that TLS 1.0 and 1.1 protocols are still available for client connectivity to the Amazon Cognito User Pools when we use a custom domain and the Hosted UI; this is causing issues with compliance and regulations. How can we enforce TLS 1.2 for the Hosted UI? It doesn't appear we have any ability to change this on the backend since Amazon manages the CloudFront distribution as the Alias Target.

Is this Cognito Hosted UI service slated to be enforced on TLS 1.2 this year per blog post: https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/?

asked 8 months ago · 1042 views
1 Answer

Hello,

Hope you are safe and doing well.

Thank you for contacting us.

I understand that you noticed that TLS 1.0 and 1.1 protocols are still available for client connectivity to the Amazon Cognito User Pools when you use a custom domain and the Hosted UI. Hence you would like to know how you can enforce TLS 1.2 for the Hosted UI.

Currently, Amazon Cognito does not support the feature to suppress TLS 1.0 and 1.1 or to enforce the use of TLS 1.2. We do have a feature request with our Cognito Service team to allow the configuration of TLS settings on the Cognito Domain. You can track any future releases in Cognito by following product updates on the AWS Blog:

 https://aws.amazon.com/new/
 https://aws.amazon.com/blogs/aws/tag/announcements/

However, there is a possible workaround.

You can create a CloudFront Distribution in your account with the Cognito User Pool as the origin. Your Cognito domain name [1] can be configured as the origin while creating a CloudFront distribution. You can set the minimum SSL protocol for CloudFront to use when it establishes an HTTPS connection to your Cognito origin as per your requirement [2]. CloudFront also supports customizing the TLS version between viewers (clients) and CloudFront. You can also set the minimum TLS version and ciphers that are used to communicate with your CloudFront distribution. Please refer here [3] for more information on supported protocols and ciphers.

I hope the above information will be helpful.

Thank you!!

References:

[1] Using the Amazon Cognito Domain for the Hosted UI https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html#cognito-user-pools-assign-domain-prefix-step-1

[2] Requiring HTTPS for communication between CloudFront and your custom origin https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

[3] Supported protocols and ciphers between viewers and CloudFront https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html

AWS
SUPPORT ENGINEER
answered 8 months ago
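The workaround described in the answer above, written out as a CloudFormation template. This is an added example, not code from the answer or from AWS; the Cognito prefix domain, the `auth.example.com` alias and the ACM certificate ARN are placeholders you would replace with your own values.

```yaml
# Added example: CloudFront in front of the Cognito Hosted UI, pinning TLS 1.2
# on both legs (viewer -> CloudFront and CloudFront -> Cognito origin).
# Placeholders: the Cognito prefix domain, the alias and the ACM certificate ARN.
Resources:
  HostedUiDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: TLS 1.2-only front for the Cognito Hosted UI
        Aliases:
          - auth.example.com            # placeholder: your own custom domain
        Origins:
          - Id: cognito-hosted-ui
            # placeholder: the Cognito prefix domain from reference [1]
            DomainName: my-prefix.auth.us-east-1.amazoncognito.com
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols:        # reference [2]: minimum protocol to the origin
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: cognito-hosted-ui
          ViewerProtocolPolicy: https-only   # never serve the login pages over plain HTTP
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          CachedMethods: [GET, HEAD]
          # Auth responses must not be cached or shared between users.
          MinTTL: 0
          DefaultTTL: 0
          MaxTTL: 0
          ForwardedValues:
            QueryString: true            # OAuth parameters (client_id, state, code, ...)
            Cookies:
              Forward: all               # Hosted UI session / XSRF cookies
            # Forward the headers the Hosted UI needs, but NOT Host: the origin
            # must still see its own amazoncognito.com hostname.
            Headers:
              - Accept
              - Accept-Language
              - Authorization
              - Content-Type
              - Origin
              - Referer
        ViewerCertificate:
          # placeholder ARN; the certificate must live in us-east-1 for CloudFront
          AcmCertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021   # reference [3]: viewers below TLS 1.2 are refused
```

After deploying, point the DNS record for the alias at this distribution rather than at the Cognito-managed one, and update the app client's callback and logout URLs to the alias so the OAuth redirects stay on the TLS 1.2-only hostname.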
