AWS Cognito - Logging end user auth activities to CloudWatch Logs - authentication

I turned on Audit Mode for AWS Cognito to enable Advanced Security Features, as stated in the AWS docs:
After that, under User Pools > Users and Groups > User section, there are the Last 100 Authentication Events for each user.
I want to re-record this information to a specific log group (auth-audit-log-group) and log stream (user-{userId}) in CloudWatch Logs. Reason: CloudWatch allows queries based on timestamp. What is the best way to do that?
PS: I looked at the postAuthentication and postConfirmation triggers, but they cannot capture failed sign-ups and sign-ins.
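One way to do the copy the question describes, as an added example that is not code from the original post: a scheduled job reads each user's events with AdminListUserAuthEvents (whose records carry EventResponse "Pass" or "Fail", so failed sign-ins and sign-ups are included, unlike what the post-authentication triggers see) and writes them into the log group and per-user stream names from the question. The sample events are constructed; pool id, username and sub are whatever the caller supplies.

```python
"""Copy a Cognito user's advanced-security auth events into CloudWatch Logs.

Added example, not code from the original question. Assumes advanced security
is in AUDIT or ENFORCED mode (AdminListUserAuthEvents returns nothing
otherwise) and a caller allowed cognito-idp:AdminListUserAuthEvents plus
logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents.
"""
import json
from datetime import datetime, timezone

LOG_GROUP = "auth-audit-log-group"  # name from the question; streams are user-<sub>
DAY_MS = 24 * 60 * 60 * 1000        # PutLogEvents rejects a batch spanning 24 h or more

# Constructed sample in the shape AdminListUserAuthEvents returns (newest first).
SAMPLE_AUTH_EVENTS = [
    {"EventId": "evt-1", "EventType": "SignIn", "EventResponse": "Pass",
     "CreationDate": datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc),
     "EventRisk": {"RiskDecision": "NoRisk"},
     "EventContextData": {"IpAddress": "203.0.113.10", "Country": "US"}},
    {"EventId": "evt-3", "EventType": "SignIn", "EventResponse": "Fail",
     "CreationDate": datetime(2024, 1, 1, 20, 0, tzinfo=timezone.utc),
     "EventRisk": {"RiskDecision": "AccountTakeover", "RiskLevel": "High"},
     "EventContextData": {"IpAddress": "198.51.100.7", "Country": "NL"}},
    {"EventId": "evt-2", "EventType": "SignUp", "EventResponse": "Pass",
     "CreationDate": datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc),
     "EventRisk": {"RiskDecision": "NoRisk"},
     "EventContextData": {"IpAddress": "203.0.113.10", "Country": "US"}},
]


def to_log_events(auth_events):
    """Flatten auth events into PutLogEvents input, oldest first.

    The API pages newest-first, but PutLogEvents needs ascending millisecond
    timestamps. EventResponse "Fail" is what the post-auth triggers never see.
    """
    out = []
    for ev in auth_events:
        created = ev["CreationDate"]
        ts = created.timestamp() if isinstance(created, datetime) else float(created)
        risk, ctx = ev.get("EventRisk", {}), ev.get("EventContextData", {})
        record = {"eventId": ev["EventId"], "eventType": ev.get("EventType"),
                  "eventResponse": ev.get("EventResponse"),
                  "riskDecision": risk.get("RiskDecision"), "riskLevel": risk.get("RiskLevel"),
                  "ipAddress": ctx.get("IpAddress"), "country": ctx.get("Country")}
        out.append({"timestamp": int(ts * 1000), "message": json.dumps(record)})
    out.sort(key=lambda e: e["timestamp"])
    return out


def batches(log_events):
    """Split ascending events so no single PutLogEvents call spans 24 hours."""
    batch = []
    for ev in log_events:
        if batch and ev["timestamp"] - batch[0]["timestamp"] >= DAY_MS:
            yield batch
            batch = []
        batch.append(ev)
    if batch:
        yield batch


def fetch_auth_events(idp, user_pool_id, username):
    """Page through AdminListUserAuthEvents (at most 60 per page)."""
    kwargs = {"UserPoolId": user_pool_id, "Username": username, "MaxResults": 60}
    while True:
        resp = idp.admin_list_user_auth_events(**kwargs)
        yield from resp.get("AuthEvents", [])
        if not resp.get("NextToken"):
            return
        kwargs["NextToken"] = resp["NextToken"]


def ensure_stream(logs, stream):
    """Create group and stream if missing; already existing is not an error."""
    for call, params in ((logs.create_log_group, {"logGroupName": LOG_GROUP}),
                         (logs.create_log_stream, {"logGroupName": LOG_GROUP, "logStreamName": stream})):
        try:
            call(**params)
        except logs.exceptions.ResourceAlreadyExistsException:
            pass


def sync_user(idp, logs, user_pool_id, username, user_sub, seen_ids):
    """Copy events not yet written and return how many were written.

    seen_ids is the caller's persisted set of EventIds: CloudWatch does not
    de-duplicate, so a scheduled re-run would otherwise repeat every line.
    """
    new = [ev for ev in fetch_auth_events(idp, user_pool_id, username) if ev["EventId"] not in seen_ids]
    if not new:
        return 0
    stream = f"user-{user_sub}"
    ensure_stream(logs, stream)
    for batch in batches(to_log_events(new)):
        logs.put_log_events(logGroupName=LOG_GROUP, logStreamName=stream, logEvents=batch)
    seen_ids.update(ev["EventId"] for ev in new)
    return len(new)
```

Wire it up with `sync_user(boto3.client("cognito-idp"), boto3.client("logs"), pool_id, username, sub, seen_ids)` from a scheduled Lambda or cron job, persisting `seen_ids` (a DynamoDB item or a file) between runs. PutLogEvents no longer requires a sequence token, but it still rejects batches whose timestamps are out of order or spread over more than 24 hours, which is why the events are sorted and batched before sending.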

Related

How to add Pinpoint or Kinesis Streams to Amplify project initialized with an imported Cognito UserPool configured as UserPoolOnly

I set up my Cognito UserPool as UserPoolOnly at creation a few months back, before my team considered that we would possibly need an Identity Pool later on for gathering user data. This was set up from an existing user base, so it was configured as an imported User Pool.
We now have hundreds of active users and I am trying to add Amazon Pinpoint to gather user session data to improve our UX, but am getting the following error because I don't have an identity pool in our Amplify project
Error: Current auth configuration is: userPoolOnly, but identityPoolOnly was required.
Auth configuration is required to allow unauthenticated users, but it is not configured properly.
I tried creating a new identity pool, basing it off the Cognito UserPool and adding the same app id and federated identity app ids to "attach" it, but this does not change the error after running amplify pull - I think because it is still not associated with Amplify.
When running amplify update auth I get the error Updating imported Auth resource is not supported.
How can I fix the issue of not having an identity pool associated with my Amplify project but needing it for Pinpoint?
Note:
Trying to use Kinesis Streams instead of Pinpoint gives the same Error about identityPoolOnly being required

Increase AWS Cognito session token

I am pretty sure I saw somewhere in the AWS console something that can help me increase the session expiration time of a logged-in user, but I cannot find it ... a screenshot or guide would be appreciated.
Token expiration is configured for each App client. Go to your user pool -> App Clients -> Choose a specific app client. Like this:
if this is what you need.
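The same per-app-client setting changed through the API instead of the console, as an added example that is not code from the original answer. It is a read-modify-write because UpdateUserPoolClient resets every attribute you omit to its default, so a call that sends only the validity fields would silently drop settings such as the allowed auth flows. The sample client below is constructed, and the documented limits are encoded as constants so a bad value fails before any API call.

```python
"""Set access/id/refresh token lifetimes on a Cognito app client.

Added example, not from the original answer. Assumes credentials with
cognito-idp:DescribeUserPoolClient and cognito-idp:UpdateUserPoolClient.
"""

# Returned by DescribeUserPoolClient but not accepted by UpdateUserPoolClient.
READ_ONLY = {"ClientSecret", "LastModifiedDate", "CreationDate"}
# Documented limits, in minutes: access/id tokens 5 min to 1 day, refresh 60 min to 10 years.
ACCESS_ID_RANGE = (5, 24 * 60)
REFRESH_RANGE = (60, 10 * 365 * 24 * 60)

# Constructed DescribeUserPoolClient result; real ones carry many more fields.
SAMPLE_CLIENT = {
    "UserPoolId": "us-east-1_EXAMPLE", "ClientId": "1example23456789", "ClientName": "web",
    "ClientSecret": "not-accepted-by-update", "CreationDate": "2024-01-01T00:00:00Z",
    "ExplicitAuthFlows": ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    "PreventUserExistenceErrors": "ENABLED", "EnableTokenRevocation": True,
    "RefreshTokenValidity": 30, "TokenValidityUnits": {"RefreshToken": "days"},
}


def check_validity(access_minutes, id_minutes, refresh_days):
    """Return a list of limit violations (empty when the values are allowed)."""
    problems = []
    for name, minutes, (lo, hi) in (("AccessTokenValidity", access_minutes, ACCESS_ID_RANGE),
                                    ("IdTokenValidity", id_minutes, ACCESS_ID_RANGE),
                                    ("RefreshTokenValidity", refresh_days * 24 * 60, REFRESH_RANGE)):
        if not lo <= minutes <= hi:
            problems.append(f"{name}: {minutes} minutes is outside {lo}..{hi}")
    return problems


def token_validity_update(existing, access_minutes, id_minutes, refresh_days):
    """Build the UpdateUserPoolClient request from the current client settings.

    UpdateUserPoolClient sets every attribute you omit back to its default, so
    start from the full DescribeUserPoolClient result and change only validity.
    """
    problems = check_validity(access_minutes, id_minutes, refresh_days)
    if problems:
        raise ValueError("; ".join(problems))
    params = {k: v for k, v in existing.items() if k not in READ_ONLY}
    params.update(AccessTokenValidity=access_minutes, IdTokenValidity=id_minutes,
                  RefreshTokenValidity=refresh_days,
                  TokenValidityUnits={"AccessToken": "minutes", "IdToken": "minutes", "RefreshToken": "days"})
    return params


def set_token_validity(idp, user_pool_id, client_id, access_minutes=60, id_minutes=60, refresh_days=30):
    """Read-modify-write the app client; the defaults are Cognito's own (1 h / 1 h / 30 days)."""
    current = idp.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=client_id)["UserPoolClient"]
    return idp.update_user_pool_client(**token_validity_update(current, access_minutes, id_minutes, refresh_days))


if __name__ == "__main__":
    import boto3
    print(set_token_validity(boto3.client("cognito-idp"), "POOL_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER",
                             access_minutes=15, id_minutes=15, refresh_days=7))
```

Shortening the access and id tokens and relying on the refresh token for longer sessions keeps the window in which a leaked bearer token is usable small, while the refresh token can be revoked with RevokeToken when EnableTokenRevocation is on.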

Disable User from Amazon Cognito User pool using API

How can I disable a user from an Amazon Cognito User Pool using the API?
I tried to check the API from Amazon and couldn't find one.
Thanks.
There is a specific command for disabling a user; please see the API reference: API_AdminDisableUser
It looks like it is supported here, https://docs.amplify.aws/cli/auth/admin#admin-queries-api

How to create programmatically an AWS Console enabled user

I'm trying to programmatically add a "working" AWS account via the API.
Currently I'm performing these operations:
Authentication
CreateUser (login)
CreateLoginProfile (password)
When I go to the AWS console I get an error, and if I look at the accounts linked to the Organization I can't find my new account.
But if I go on https://console.aws.amazon.com/iam/home#/home the user is there.
Am I missing something? Is there any difference between USER and ACCOUNT?
Of course USER and ACCOUNT are different. An account contains users and other resources (S3 bucket, EC2 instance).
If you want to create a new AWS account, you need to use the Organizations API.
See:
create-account in the AWS CLI
CreateAccount documentation
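The Organizations call the answer points to, as an added example that is not code from the original answer. CreateAccount only queues the request and returns a request id; the new account id is only known once DescribeCreateAccountStatus reports SUCCEEDED, so the example polls for that and surfaces the FailureReason otherwise. It assumes credentials in the organization's management account with organizations:CreateAccount and organizations:DescribeCreateAccountStatus.

```python
"""Create a member account through AWS Organizations and wait for the result.

Added example, not from the original answer.
"""
import time

TERMINAL = {"SUCCEEDED", "FAILED"}


def create_account_and_wait(org, email, name, role_name="OrganizationAccountAccessRole",
                            poll_seconds=5, max_polls=60, sleep=time.sleep):
    """Return the new AccountId, or raise with the FailureReason Organizations reports.

    role_name is the cross-account role Organizations creates inside the new
    account; IAM user access to billing is denied explicitly (the API default
    is ALLOW) so only the management account can see the bill.
    """
    status = org.create_account(Email=email, AccountName=name, RoleName=role_name,
                                IamUserAccessToBilling="DENY")["CreateAccountStatus"]
    polls = 0
    while status["State"] not in TERMINAL and polls < max_polls:
        sleep(poll_seconds)
        polls += 1
        status = org.describe_create_account_status(
            CreateAccountRequestId=status["Id"])["CreateAccountStatus"]
    if status["State"] != "SUCCEEDED":
        raise RuntimeError(f"create-account {status['State']}: "
                           f"{status.get('FailureReason', 'still in progress')}")
    # This id is an ACCOUNT; the IAM users created in the question live inside one.
    return status["AccountId"]


if __name__ == "__main__":
    import boto3
    print(create_account_and_wait(boto3.client("organizations"),
                                  "ops+newaccount@example.com", "ACCOUNT_NAME_PLACEHOLDER"))
```

After the call succeeds, the management account reaches the new account by assuming `role_name` in it; nothing created with iam:CreateUser in the management account will ever show up under the Organization's account list, which is the distinction the answer makes.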

Cloudtrail to Cloudwatch to other account

I have 4 AWS accounts, and I want to centralise all my logs into a single account for security purposes.
Meaning: collect CloudWatch logs from the accounts prod, dev and perf into an account called logs. Ideally they would end up in CloudWatch in the logs account, so I can process them easily with ELK.
I read about it here:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html
But I can't find a tutorial on how to simply set up the whole stack.
Any suggestions would be appreciated.
The only thing different about using CloudWatch Logs in another account is the credentials you'll need to use.
I would do it like this: in your logs account, create 3 IAM users:
prod
dev
perf
Give each of the users the necessary IAM permissions to write logs to CloudWatch logs. Also, create a set of AWS credentials for the 3 users which you will use to authenticate with.
Then in your application, depending on what stack you're in, configure your code to use the relevant credentials (i.e. Dev, Prod) to write to CloudWatch logs. The only difference should be wherever in your code you create the CloudWatch logs client. You should pass the client the credentials for the relevant IAM user from your "Logs" account.
EDIT:
If you're using the CloudWatch Logs client, the idea is the same. You create the users and instead just give the client the relevant AWS credentials. You specify the creds for the user from your logs account in the /etc/awslogs/awslogs.conf. The credentials you use are what will send your logs to CloudWatch in the other account. The process you need to follow is basically documented in the AWS docs.
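The answer's point, that the only thing that changes is the credentials handed to the CloudWatch Logs client, as an added example that is not code from the original answer. It keeps the answer's one-principal-per-environment layout in the logs account but uses an IAM role per environment that the source account assumes with STS instead of an IAM user with long-lived keys, so no static keys have to be copied into prod, dev and perf. Account ids, region and the log group naming are placeholders chosen for the example.

```python
"""Write application logs into a CloudWatch Logs group owned by a separate logs account.

Added example, not from the original answer. Variant of its IAM-user design
using a cross-account role per environment.
"""
import json

LOGS_ACCOUNT = "111111111111"  # placeholder: the central "logs" account
SOURCE_ACCOUNTS = {"prod": "222222222222", "dev": "333333333333", "perf": "444444444444"}  # placeholders


def role_policies(env, region="eu-west-1"):
    """Trust policy and permissions for the logs account's writer role for one environment.

    Each environment's role may only be assumed from its own source account and
    may only write to its own log group, so a compromised dev host cannot
    forge or read prod entries. The group itself is created once by the logs
    account, which is why logs:CreateLogGroup is not granted here.
    """
    group_arn = f"arn:aws:logs:{region}:{LOGS_ACCOUNT}:log-group:/app/{env}"
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNTS[env]}:root"}}]}
    perms = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": [group_arn, f"{group_arn}:*"]}]}
    return trust, perms


def logs_client_kwargs(sts, env, region="eu-west-1"):
    """Assume the environment's writer role; pass the result to boto3.client("logs", **kwargs).

    This is the one place that differs from logging into your own account.
    """
    creds = sts.assume_role(RoleArn=f"arn:aws:iam::{LOGS_ACCOUNT}:role/cwlogs-writer-{env}",
                            RoleSessionName=f"cwlogs-{env}", DurationSeconds=3600)["Credentials"]
    return {"region_name": region,
            "aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


def put_app_log(logs, env, stream, records):
    """records: iterable of (epoch_ms, dict); sorted because PutLogEvents needs ascending timestamps."""
    events = [{"timestamp": ts, "message": json.dumps(rec)}
              for ts, rec in sorted(records, key=lambda r: r[0])]
    return logs.put_log_events(logGroupName=f"/app/{env}", logStreamName=stream, logEvents=events)


if __name__ == "__main__":
    import boto3
    logs = boto3.client("logs", **logs_client_kwargs(boto3.client("sts"), "dev"))
    print(put_app_log(logs, "dev", "web-1", [(1704067200000, {"msg": "started"})]))
```

The temporary credentials expire after DurationSeconds, so a long-running process should re-run `logs_client_kwargs` (or use a boto3 session with a refreshing credential provider) rather than caching one client forever; an ExpiredToken error on PutLogEvents is the symptom of getting that wrong.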