Impact on existing users if password length is changed in Amazon Cognito - amazon-cognito

We use Cognito as IDP. Currently the password length policy is set to 6 and we have been asked to change it to 10.
If we make this change in Cognito, will it impact existing users? If 'yes' - how?

Related

What is purpose of App in Userpool in AWS Cognito

I am new to AWS Cognito. Based on description, Userpool is used for authentication. If I am a user in the userpool, I can use this user name and password to authenticate my identity. Why do I need to add App to userpool?
Thanks for help in advance,
AWS Cognito allows you to create a number of apps to integrate with your user pool. On each app, you can customize the Authentication flow, Access/Refresh token expiration, attribute read and write permissions, hostUI...
Use case: you use the same user pool for both apps but there are some customizations like:
App A: just allow authentication via the ALLOW_USER_PASSWORD_AUTH and access token expiration is 5 minutes.
App B: just allow authentication via the ALLOW_USER_SRP_AUTH and access token expiration is 30 minutes.
Hope that's clear.

Can I refer to a specific Cognito User Pool as a principal in an AWS IAM policy?

I want to restrict access to an AWS S3 bucket so that new objects can only be created by users who have authenticated through a specific Cognito User Pool. Looking through the AWS documentation I can't work out how to specify the user pool as a principal in the policy. Can anyone help me with this?
If this isn't possible then I'd appreciate some pointers/guidance which might help me achieve the desired result using some other technique. Thanks.
I think a User Pool will not allow you to do this, seeing as you only get an access token for an authenticated entity. You'll probably need to create an identity pool, which allows users in your user pool to retrieve temporary IAM credentials. In the identity pool, you can also configure the role these logged in users get with their temporary credentials. You can use these roles to restrict access to the S3 bucket to only those authenticated users.
In the example below, you can see the settings of an identity pool configured with a Cognito user pool as authentication provider. It will either use the default roles configured on top (big red rectangle) or you can choose a custom role for the Cognito authentication provider (small rectangle). All roles can be managed using IAM.

Amazon Cognito: Enforcing password expiration policy

Is there a way to enforce password expiration policy on users in Amazon Cognito user pools?
It doesn't look like expiration is built into the password policy. You could track password expiration by adding a passwordUpdatedAt field and manually updating that attribute on user sign up and on changePassword. Then you could schedule something that queries users with expired passwords and call AdminResetUserPassword for those users. It would be somewhat more reliable if AWS published Cognito User Pool user events like changePassword or just baked it into the service.
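A sketch of the scheduled job the answer above describes, added here as an example and not part of the original answer. It assumes `client` is a boto3 `cognito-idp` client and that the app stores the last password change as epoch seconds in a custom attribute named `custom:passwordUpdatedAt`; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Assumption: a custom Number attribute holding the epoch seconds of the last
# password change, written by the app on sign-up and on every changePassword.
PWD_ATTR = "custom:passwordUpdatedAt"


def last_password_change(user):
    """Return the UTC time of the user's last password change."""
    for attr in user.get("Attributes", []):
        if attr["Name"] == PWD_ATTR:
            return datetime.fromtimestamp(int(attr["Value"]), tz=timezone.utc)
    # Attribute never written: fall back to account creation time.
    return user["UserCreateDate"]


def find_expired(client, pool_id, max_age_days, now=None):
    """List usernames whose password is older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    expired = []
    # ListUsers cannot filter on custom attributes, so page through the
    # whole pool and compare client-side.
    for page in client.get_paginator("list_users").paginate(UserPoolId=pool_id):
        for user in page["Users"]:
            # Only CONFIRMED users hold a usable password; skip federated
            # (EXTERNAL_PROVIDER) users and those already in RESET_REQUIRED.
            if user.get("UserStatus") != "CONFIRMED":
                continue
            if last_password_change(user) < cutoff:
                expired.append(user["Username"])
    return expired


def expire_passwords(client, pool_id, max_age_days, now=None, dry_run=True):
    """Call AdminResetUserPassword for each expired user unless dry_run."""
    expired = find_expired(client, pool_id, max_age_days, now)
    if not dry_run:
        for username in expired:
            client.admin_reset_user_password(UserPoolId=pool_id, Username=username)
    return expired
```

Run it with `dry_run=True` first and review the returned usernames before letting it reset anything.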

Availability of users' password within AWS Cognito

Can I, as an admin, get a user password (which is currently in use) within Cognito? Either through AWS CLI or its Java API?
No, this is not currently possible.

How can we get all user listing from Userpool & identity both (AWS Cognito)

I'm using AWS Cognito for user authentication.
The users who are logged in through Facebook/Google+ are listed in the federated identity pool, whereas the users who are logged in through the custom sign up process are listed in the Cognito user pool.
So, how can we manage both lists of users? Is there any way to access and manage both lists of users in a single application?
The only way to do this is to have your User Pools pool configured as a provider for your identity pool. Once that's configured, those identities should automatically show up as identities inside the identity pool with user pools as a linked login, and will be included in the ListIdentities results. See the Cognito developer guide for specifics on how to link the two, if you are unsure of how to do so.
I'm unsure from your question if you are integrating them already, but if not, Cognito does not currently support a way to list both sets of users.