How to identify the TLS deprecation resource?

0

I received a security TLS deprecation notification on my AWS Health Dashboard.

This is the affected resource, but I don't know how to identify it. I am using Lambda & API Gateway to access the Cognito API, so I think those should be updated to TLS v1.2 automatically. What should I do to identify it? Thanks

Connection details in the 'Affected resources' tab will be in the following format: Region | Endpoint | API Event Name | TLS Version | Connection Count | UserAgent

us-east-1 | cognito-idp.us-east-1.amazonaws.com | GetUser | TLSv1 | 2 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36

  1. From the UserAgent, is that a connection from a browser?
3 Answers
1

Hi,

If I’m not mistaken, your environment is something similar to what is described in https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html. Maybe not exactly, but I’d say the point is the sources of the calls to cognito-idp (https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html).

As described in the first link “After the API is deployed, the client must first sign the user in to the user pool, obtain an identity or access token for the user, and then call the API method with one of the tokens, which are typically set to the request's Authorization header. The API call succeeds only if the required token is supplied and the supplied token is valid, otherwise, the client isn't authorized to make the call because the client did not have credentials that could be authorized.”

Assuming your clients (probably an app) are also making calls to Cognito as part of the workflow, I’d look into it trying to find out if this particular AWS Health Dashboard entry is due to a client not able to use TLS v1.2.

There are some more details in https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/, in particular in the section “What should you do to prepare for this update?” that describes ways to find any connections using TLS 1.0 or 1.1.

AWS
SergioA
Answered 1 year ago
0

Yeah, I do use AWS Cognito to authorize my users, and I use AWS Amplify in the frontend to access Cognito for signup, signin, etc.

I have used CloudTrail to check but I haven't seen any similar requests. From the AWS Health Dashboard entry, there are only 2 such requests.

Could it be an end-user who tried to use my app and was unable to use TLS v1.2?

Answered 1 year ago
0

Hi,

It's highly probable it's an end-user using an old TLS version. In addition to the links in the previous message, you can start from https://docs.aws.amazon.com/cognito/latest/developerguide/monitoring.html to configure Amazon Cognito logging and maybe get more information about it, like the IP address. Important to note is that you can use the AWS CloudTrail console to view only the last 90 days of recorded API activity, no entries before 90 days. That's why it is recommended to send the logs to an Amazon S3 bucket, to keep the API activity (logs) as long as you want.

Have a great day!!!

AWS
SergioA
Answered 1 year ago
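The two sources discussed in this thread, the 'Affected resources' row quoted in the question and the CloudTrail records the answers point to, can be triaged with one small script. What follows is an added example, not code from this thread or from AWS: the CloudTrail records are constructed samples in the documented record shape (CloudTrail includes a `tlsDetails` block with the negotiated `tlsVersion` on the API calls it records), the user-agent classification is a heuristic chosen here rather than an AWS rule, and the function names `parse_affected_resource_line`, `classify_user_agent`, `find_legacy_tls_events` and `summarize_by_client` are assumptions of this example.

```python
"""Triage TLS 1.0/1.1 connections to a Cognito endpoint from two inputs:
an AWS Health Dashboard 'Affected resources' row and CloudTrail records.
All sample data below is constructed for this example."""
import json
from collections import Counter

# TLS versions covered by the deprecation notice in the question.
LEGACY_TLS = {"TLSv1", "TLSv1.1"}

# Column order of the 'Affected resources' row, as quoted in the question.
HEALTH_COLUMNS = ("region", "endpoint", "event_name", "tls_version",
                  "connection_count", "user_agent")

# Constructed sample: the row from the question, in the same format.
SAMPLE_HEALTH_ROW = (
    "us-east-1 | cognito-idp.us-east-1.amazonaws.com | GetUser | TLSv1 | 2 | "
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36")

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36")

# Constructed CloudTrail records (documentation IP range 203.0.113.0/24).
# Two legacy-TLS GetUser calls from a browser, one TLS 1.2 SDK call, one
# non-Cognito call, and one Cognito record without a tlsDetails block.
SAMPLE_CLOUDTRAIL = {"Records": [
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "cognito-idp.amazonaws.com",
     "eventName": "GetUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": BROWSER_UA,
     "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "ECDHE-RSA-AES128-SHA",
                    "clientProvidedHostHeader": "cognito-idp.us-east-1.amazonaws.com"}},
    {"eventTime": "2023-05-01T10:00:07Z", "eventSource": "cognito-idp.amazonaws.com",
     "eventName": "GetUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": BROWSER_UA,
     "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "ECDHE-RSA-AES128-SHA",
                    "clientProvidedHostHeader": "cognito-idp.us-east-1.amazonaws.com"}},
    {"eventTime": "2023-05-01T10:01:00Z", "eventSource": "cognito-idp.amazonaws.com",
     "eventName": "InitiateAuth", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.20", "userAgent": "aws-sdk-js/2.1000.0 promise",
     "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
                    "clientProvidedHostHeader": "cognito-idp.us-east-1.amazonaws.com"}},
    {"eventTime": "2023-05-01T10:02:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.30", "userAgent": "aws-sdk-java/1.12.0",
     "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
                    "clientProvidedHostHeader": "lambda.us-east-1.amazonaws.com"}},
    {"eventTime": "2023-05-01T10:03:00Z", "eventSource": "cognito-idp.amazonaws.com",
     "eventName": "ListUsers", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.40", "userAgent": "console.amazonaws.com"},
]}


def parse_affected_resource_line(line):
    """Split one 'Affected resources' row into a dict. maxsplit keeps any
    '|' inside the trailing UserAgent column from breaking the parse."""
    parts = [p.strip() for p in line.split("|", len(HEALTH_COLUMNS) - 1)]
    if len(parts) != len(HEALTH_COLUMNS):
        raise ValueError(f"expected {len(HEALTH_COLUMNS)} columns, got {len(parts)}: {line!r}")
    row = dict(zip(HEALTH_COLUMNS, parts))
    row["connection_count"] = int(row["connection_count"])
    return row


def classify_user_agent(ua):
    """Heuristic (an assumption of this example, not an AWS rule): browsers send
    a Mozilla/... string with an engine token; AWS SDKs and the CLI send a
    product token such as aws-sdk-*, aws-cli or Boto3 at the start."""
    ua_l = ua.lower()
    if ua_l.startswith(("aws-sdk-", "aws-cli", "boto3")):
        return "aws-sdk"
    if "mozilla/" in ua_l and any(t in ua_l for t in ("applewebkit", "gecko", "trident")):
        return "browser"
    return "unknown"


def find_legacy_tls_events(records, event_source="cognito-idp.amazonaws.com"):
    """Return the records that reached event_source over TLS 1.0/1.1.
    Records without a tlsDetails block are skipped, not treated as legacy."""
    hits = []
    for rec in records:
        tls_version = rec.get("tlsDetails", {}).get("tlsVersion")
        if rec.get("eventSource") != event_source or tls_version not in LEGACY_TLS:
            continue
        ua = rec.get("userAgent", "")
        hits.append({"eventTime": rec.get("eventTime"), "eventName": rec.get("eventName"),
                     "tlsVersion": tls_version, "sourceIPAddress": rec.get("sourceIPAddress"),
                     "userAgent": ua, "clientType": classify_user_agent(ua)})
    return hits


def summarize_by_client(hits):
    """Count legacy-TLS calls per (eventName, tlsVersion, clientType, userAgent);
    this mirrors the Health Dashboard row and names what needs upgrading."""
    return Counter((h["eventName"], h["tlsVersion"], h["clientType"], h["userAgent"])
                   for h in hits)


def load_cloudtrail_file(path):
    """Read one CloudTrail log file (the JSON object with a 'Records' list)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    row = parse_affected_resource_line(SAMPLE_HEALTH_ROW)
    print("Dashboard row:", row["endpoint"], row["event_name"], row["tls_version"],
          "client =", classify_user_agent(row["user_agent"]))
    for key, n in summarize_by_client(find_legacy_tls_events(SAMPLE_CLOUDTRAIL["Records"])).items():
        print(n, "legacy-TLS call(s):", key)
```

Running the script as-is reports the constructed row as a browser client and groups the two TLSv1 GetUser records under the same user agent and source IP, which is the information the dashboard row lacks. To apply it to real data, feed `load_cloudtrail_file` the log files delivered to your S3 bucket rather than the console view, since, as the last answer notes, the console only covers the last 90 days; records without a `tlsDetails` block are skipped rather than counted.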
