STS can be deactivated for all regions except US East. What is the significance of the US East region, that prevents/disallows the deactivation of STS?lg...

I'm following this guide https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-remembered-devices/ to set up remembered devices and I'm doing most things from scratch because there is no Ruby library like Warrant. First off, let me just say the PasswordVerifier formula in this doc is incorrect/lacks information (when calling ConfirmDevice). I had to look at js source code and warrant source code to reverse-engineer what it was actually looking for.  Next for, **Call RespondToAuthChallenge for DEVICE_PASSWORD_VERIFIER** it seems like the forumla given does not work at all. Is there any open source code The formula for S_USER = (SRP_B - k * g^(x))^(a + ux) does not seem to be using modular exponentiation and is returning a number so large, that my code isn't able to deal with it without some extra libraries. That does not seem like it's expected if all the other S values in open source code is using modular exponentiation. **Please provide some client-side code where this final formula for DEVICE_PASSWORD_VERIFIER actually works. There does not seem to be a working example anywhere, and it seems like AWS is just posting incorrect guides.** Edit: I'm looking at the code here to respond to device password verifier and it's completely different from what is described in the blog post: https://github.com/aws/aws-sdk-net-extensions-cognito/blob/e79202c2c622839e36e76659141b329c7a044251/src/Amazon.Extensions.CognitoAuthentication/Util/AuthenticationHelper.cs#L255lg...

I have a Cognito federated identity pool which uses a Cognito User Pool as an authentication provider. I use Amplify Storage API to upload a file to S3 in a bucket. The object key is stored with a prefix of the identity id from the federated identity pool (e.g. eu-west-2:ce19be59-769d-4ca7-8c9b-c99a368666cf) How can I map this to the cognito pool user sub that was used for the authentication? i.e. the user from the linked login cognito-idp.eu-west-2.amazonaws.com/eu-west-2_UbEEmSmxOlg...

I was following the AWS Mobile SDK for .NET and Xamarin guide in the link below to setup our iOS app to Download from an S3 bucket. As a part of the process we have to create a Cognito Identity pool. [https://docs.aws.amazon.com/mobile/sdkforxamarin/developerguide/setup.html]() A customer has informed us that the Cognito Identity pool is not supported in AWS Web Application firewall (WAF), and they would like to know if it's possible to use a User Pool instead which is supported by WAF. Is that possible or is our only option to use a Cognito Identity pool when using the Sdk?lg...

Given the following JWT Payload: ``` { "iss": "https://use.us.auth0.com/", "sub": "auth0|633c9a79c4920862610fa", "aud": "some-aud", "iat": 1664984891, "exp": 1665071291, "azp": "kWfeLjcWoT1ToQKmyYZQft7liE", "scope": "aws:0123456789012" } ``` is a trust policy such as this one not valid? I only want to issue a token if the scope matches ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::123456789012:oidc-provider/user.us.auth0.com/" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "johnnorton.us.auth0.com/:aud": "some-aud", "johnnorton.us.auth0.com/:scope": "aws:0123456789012" } } } ] } ``` However this condition does not seem to be validated. Are all claims available in trust policies?lg...

Hello. I would like to estimate prices for aws security hub, but I have some questions about it: 1. What means Number Of Security Checks per Account?. How can I calculate that number? 2. What means Number Of Finding Ingested per Account? How can I calculate that number? 3. About AWS Config used by Security Hub, how can I calculate the Number of Configuration items recorded and Number of Config rule evaluations? Thank you.lg...

When running the IAM Access Analyzer tool in the AWS console to generate an IAM Policy template for a user or role (based on the activity logged for that entity by the logs of a configured CloudTrail Trail), does the Analyzer consider also any Data Events logged when listing actions in the result policy, or is it only Management Events?lg...

I'm following the instructions to delete a studio, but when I try to delete the 'launch profile' Workstation-Default I get "Delete Failed" any tips on how to delete it? Also, the Streaming session is in "Ending" status after being terminated for too long.lg...

Hi We are using AWS Grafana from our AWS accounts and we see that the current version is 8.4. We know there are more recent Grafana versions available. We have some custom integrations with Grafana via the REST API and we'd like to know what is the AWS process to upgrade Grafana if version, if any, so we can detect in advance any possible change that could impact our integrations. For example, if Grafana is periodically updated, if there are notifications for this, etc. Thanks in advance Luislg...

Hey all, I am trying to setup Remote Desktop Licensing Manager on AWS but i am running into this error with the Manager "The system cannot determine if the license server is member of TSLS group on Active Directory Domain Services (AD DS) because the AD DS cannot be contacted." Now I added the Instanced to the domain and then added the instance to the TSLS group in AD. for whatever reason I am stuck here. All ports are open that are needed. is there something in AWS managed AD that i need to change?lg...

Hi team, I have a Cognito user pool with 3 Groups, I want to create users inside Groups as System Administrators: 1. the system Admin will fill out a form about client's: given name, surname, email address + some custom attributes 2. when sending the form (invitation), my lambda function should create the user inside my Cognito user pool Group with all the above attributes. 3. the client will receive a link via email to validate the invitation 4. when the client clicks the link (custom Domain link), he validates the invitation I created a lambda function that creates the user in the Cognito user pool and then added it inside the group (`using adminCreateUser and adminAddUserToGroup AP calls`) ``` const params = { UserPoolId: USER_POOL_ID, Username: event.email, UserAttributes: [ { Name: "email", Value: event.email, }, { Name: "given_name", Value: event.givenName, }, { Name: "family_name", Value: event.familyName, }, ], }; try { const result = await cognitoIdentityServiceProvider .adminCreateUser(params) .promise(); ``` I also configured the Cognito to send a link email > On "Message customisations" page> "Do you want to customize your email verification messages?" > "Verification type" => I chose "Link" option After lambda has run, the user is created with `Confirmation status = ` **Force change password** and the email I received looks like this : ``` Subject = Your temporary password Body = Your username is myEmail@gmail.com and temporary password is Hc>sP40782HNz%. ``` so I expected to receive a Link and when the client click the link it validate the invitation (point 4 above) then the client becomes validated inside my user pool. But I did not receive a link, how can I achieve points 3 and 4? I just want after creating the user and adding it to a group, to make it valid in Cognito once he clicks the emailed linklg...

I have been battling this for a while. The user must be able to view, edit and create API's. I have tried using the AWS Policy Generator to create the following: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmtxxxxxxxxxxx", "Action": "apigateway:*", "Effect": "Allow", "Resource": "arn:aws:apigateway:us-east/*" } ] } ``` Then when testing the policy, I get that my username does not have apigateway: GET rights. What gives?lg...