Why isn't TLS 1.2 enforced for Cognito Hosted UI endpoints?


We noticed that TLS 1.0 and 1.1 protocols are still available for client connectivity to the Amazon Cognito User Pools when we use a custom domain and the Hosted UI; this is causing issues with compliance and regulations. How can we enforce TLS 1.2 for the Hosted UI? It doesn't appear we have any ability to change this on the backend since Amazon manages the CloudFront distribution as the Alias Target.

Is this Cognito Hosted UI service slated to be enforced on TLS 1.2 this year per blog post: https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/?

Asked 9 months ago, 1121 views
1 answer

Hello,

Hope you are safe and doing well.

Thank you for contacting us.

I understand that you noticed that the TLS 1.0 and 1.1 protocols are still available for client connectivity to Amazon Cognito User Pools when you use a custom domain and the Hosted UI. Hence, you would like to know how you can enforce TLS 1.2 for the Hosted UI.

Currently, Amazon Cognito does not support the feature to suppress TLS 1.0 and 1.1 or to enforce the use of TLS 1.2. We do have a feature request with our Cognito Service team to allow the configuration of TLS settings on the Cognito Domain. You can track any future releases in Cognito by following product updates on the AWS Blog:

 https://aws.amazon.com/new/
 https://aws.amazon.com/blogs/aws/tag/announcements/

However, there is a possible workaround.

You can create a CloudFront Distribution in your account with the Cognito User Pool as the origin. Your Cognito domain name [1] can be configured as the origin while creating a CloudFront distribution. You can set the minimum SSL protocol for CloudFront to use when it establishes an HTTPS connection to your Cognito origin as per your requirement [2]. CloudFront also supports customizing the TLS version between viewers (clients) and CloudFront. You can also set the minimum TLS version and ciphers that are used to communicate with your CloudFront distribution. Please refer here [3] for more information on supported protocols and ciphers.

I hope the above information will be helpful.

Thank you!!

References:

[1] Using the Amazon Cognito Domain for the Hosted UI: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html#cognito-user-pools-assign-domain-prefix-step-1

[2] Requiring HTTPS for communication between CloudFront and your custom origin: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

[3] Supported protocols and ciphers between viewers and CloudFront: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html

AWS
Support Engineer
Answered 9 months ago
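The workaround described in the answer above, written out as an added CloudFormation example (not from the answer or from AWS documentation): a CloudFront distribution whose origin is the Cognito domain, with a TLS 1.2 floor on both the viewer-to-CloudFront leg and the CloudFront-to-Cognito leg. The domain names, account ID and certificate ARN are placeholders to replace with your own.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Illustrative CloudFront distribution in front of a Cognito Hosted UI domain
  that enforces TLS 1.2 on both connection legs (added example; all names are placeholders).

Parameters:
  CognitoDomain:
    Type: String
    Default: myprefix.auth.us-east-1.amazoncognito.com   # assumed Cognito domain used as the origin
  ViewerDomain:
    Type: String
    Default: auth.example.com                            # assumed hostname clients will connect to
  CertificateArn:
    Type: String                                         # ACM certificate in us-east-1 for ViewerDomain (placeholder)
    Default: arn:aws:acm:us-east-1:111122223333:certificate/REPLACE-ME

Resources:
  HostedUiDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases: [!Ref ViewerDomain]
        Origins:
          - Id: cognito-hosted-ui
            DomainName: !Ref CognitoDomain
            CustomOriginConfig:
              OriginProtocolPolicy: https-only   # never downgrade to plain HTTP toward Cognito
              OriginSSLProtocols: [TLSv1.2]      # CloudFront -> Cognito leg: TLS 1.2 only
        DefaultCacheBehavior:
          TargetOriginId: cognito-hosted-ui
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]  # login form and /oauth2/token use POST
          MinTTL: 0
          DefaultTTL: 0
          MaxTTL: 0                              # authentication responses must never be cached
          ForwardedValues:
            QueryString: true                    # client_id, redirect_uri, state, code, ...
            Cookies:
              Forward: all                       # Hosted UI session cookies
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021   # viewer -> CloudFront leg: TLS 1.2 floor (needs a custom cert; the default CloudFront cert stays at TLSv1)

Outputs:
  DistributionDomain:
    Value: !GetAtt HostedUiDistribution.DomainName   # point ViewerDomain's DNS alias record here
```

After deploying, confirm the floor from the outside by attempting a TLS 1.0 or 1.1 handshake against ViewerDomain and checking that it is refused; the TLS 1.2 floor only applies to the distribution, so clients that still reach the original Cognito domain directly keep the old behaviour.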
