Why isn't TLS 1.2 enforced for Cognito Hosted UI endpoints?


We noticed that TLS 1.0 and 1.1 protocols are still available for client connectivity to the Amazon Cognito User Pools when we use a custom domain and the Hosted UI; this is causing issues with compliance and regulations. How can we enforce TLS 1.2 for the Hosted UI? It doesn't appear we have any ability to change this on the backend since Amazon manages the CloudFront distribution as the Alias Target.

Is this Cognito Hosted UI service slated to be enforced on TLS 1.2 this year per blog post: https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/?

Asked 9 months ago, viewed 1120 times

1 answer

Hello,

Hope you are safe and doing well.

Thank you for contacting us.

I understand that you noticed that TLS 1.0 and 1.1 protocols are still available for client connectivity to the Amazon Cognito User Pools when you use a custom domain and the Hosted UI. Hence you would like to know how you can enforce TLS 1.2 for the Hosted UI.

Currently, Amazon Cognito does not support the feature to suppress TLS 1.0 and 1.1 or to enforce the use of TLS 1.2. We do have a feature request with our Cognito Service team to allow the configuration of TLS settings on the Cognito Domain. You can track any future releases in Cognito by following product updates on the AWS Blog:

 https://aws.amazon.com/new/
 https://aws.amazon.com/blogs/aws/tag/announcements/

However, there is a possible workaround.

You can create a CloudFront Distribution in your account with the Cognito User Pool as the origin. Your Cognito domain name [1] can be configured as the origin while creating a CloudFront distribution. You can set the minimum SSL protocol for CloudFront to use when it establishes an HTTPS connection to your Cognito origin as per your requirement [2]. CloudFront also supports customizing the TLS version between viewers (clients) and CloudFront. You can also set the minimum TLS version and ciphers that are used to communicate with your CloudFront distribution. Please refer here [3] for more information on supported protocols and ciphers.

I hope the above information will be helpful.

Thank you!!

References:

[1] Using the Amazon Cognito Domain for the Hosted UI https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html#cognito-user-pools-assign-domain-prefix-step-1

[2] Requiring HTTPS for communication between CloudFront and your custom origin https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

[3] Supported protocols and ciphers between viewers and CloudFront https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html

AWS
Support Engineer
Answered 9 months ago
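The workaround described in the answer, written out as a CloudFormation template (an added example, not code from the original post or from AWS): your own CloudFront distribution sits in front of the Cognito domain, with TLS 1.2 as the minimum on both the viewer-to-CloudFront leg [3] and the CloudFront-to-Cognito leg [2]. The Cognito domain, alias hostname and ACM certificate ARN are placeholders you replace with your own values; users must reach the Hosted UI through the alias for the viewer-side minimum to apply.

```yaml
# Added example (not from the original post or AWS). Placeholder values:
# CognitoDomain, AliasHostname and CertificateArn must be replaced.
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFront in front of the Cognito Hosted UI, TLS 1.2 minimum on both legs
Parameters:
  CognitoDomain:
    Type: String
    Default: myprefix.auth.us-east-1.amazoncognito.com   # placeholder, see [1]
  AliasHostname:
    Type: String
    Default: auth.example.com                            # placeholder
  CertificateArn:
    Type: String
    Description: ACM certificate (us-east-1) for AliasHostname, placeholder
Resources:
  HostedUiDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - !Ref AliasHostname
        Origins:
          - Id: cognito-hosted-ui
            DomainName: !Ref CognitoDomain
            CustomOriginConfig:
              OriginProtocolPolicy: https-only   # never fall back to HTTP towards Cognito
              OriginSSLProtocols:
                - TLSv1.2                         # CloudFront -> Cognito: TLS 1.2 only [2]
        DefaultCacheBehavior:
          TargetOriginId: cognito-hosted-ui
          ViewerProtocolPolicy: https-only       # reject plain-HTTP viewers outright
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          # The login flow is dynamic: pass query strings and cookies through,
          # do not cache responses, and do not forward the viewer Host header
          # (CloudFront then sends the Cognito domain as Host to the origin).
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: all
          MinTTL: 0
          DefaultTTL: 0
          MaxTTL: 0
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021  # viewers -> CloudFront: TLS 1.2+ only [3]
```

After deployment, point the alias hostname at the distribution in DNS and verify from a client that a TLS 1.0 or 1.1 handshake to the alias is refused while TLS 1.2 succeeds.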
