Metrics for Cognito are not showing up in Cloudwatch - amazon-web-services

Our team is implementing a Web Application (ReactJS) that utilizes Amazon Cognito service for user sign-up, log-in, log-out.
However, instead of using Cognito's hosted UIs, we created our own login page and used amazon-cognito-identity-js sdk to implement the authentication functionality.
Now, I need to be able to monitor the user activity (for example, which users logged-in from which location). I understand that this can be done by using Cognito's Advanced Security feature.
I have set the user pool's Advanced Security Setting to "Audit Only". However, there are still no Cognito-related metrics showing up in Cloudwatch.
I also tried to follow the instructions described at the site below, but with no results.
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-advanced-security-app.html
Does anyone have any idea as to what setting I may have missed out?
Any advice is highly appreciated.

Cognito will automatically set up CloudWatch for your User Pool activity. You just need to go to CloudWatch > Select "Cognito" from the Services list.
Try to refine the time filter or set the refresh interval to make Cloudwatch regularly fetch the newest metrics.
Hope this answers.

Related

Implement AWS Cognito authorization to control RDS mysql records

In my react application, once a valid user logs-in to my app, he will be redirected to the dashboard where he can see all the products. If there are 10 products available in AWS-RDS-Mysql-Table called Products-Table, he will see all 10 products.
For this, I'll make a backend API endpoint /products call and it gets me all products by running a simple SQL query: SELECT * FROM Products-Table.
So far so good.
My Current AWS pipeline basic flow: **`ReactApp => (api request comes to) HTTP API gateway => LAMBDA (nodejs) => RDS (mysql)`**
I also have a Cognito user pool + Lambda authorizer. I have set up a basic authentication flow using the Lambda authorizer to check if a request is valid or not. All this is working fine.
My Cognito groups & users, e.g.:
AdminGroup: User1, User2
WorkersGroup: User3, User4
Currently it doesn't matter if I log in with AdminGroup's users or WorkersGroup's users. Every time I see 10 products.
Is the below scenario possible using Cognito and the AWS IAM roles/policies concept?
When I log in with AdminGroup's users, I should be able to see all the products.
BUT
When I log in with WorkersGroup's users, I should be able to see ONLY 5 products (let's say).
Cognito is providing application level security and does not filter queries, as it doesn't know how. Specifically, Cognito can't answer the question on how to filter Products-Table to the user and/or user group.
This has to be implemented in software, meaning in the LAMBDA (nodejs) part of your application.
AWS has documentation on this: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html among other solutions.
In short:
1. Configure Cognito User Groups
2. Configure API Gateway to use Cognito Lambda Authorizer
3. Configure API Gateway to provide the information to Lambda ("claims")
4. Program the LAMBDA (nodejs) to retrieve this information and adjust the query as needed for the user/group
I think you have done 1 + 2 already, but are missing 3 + 4.
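An added example, not part of the original answer, of the last two steps: the Lambda reads the caller's groups from the authorizer context and builds a parameterized query, denying by default. It assumes HTTP API payload format 2.0, a Lambda authorizer that returns `groups` in its context, and a hypothetical `visible_to_group` column; `runQuery` is a placeholder for the MySQL client call.

```javascript
// Added example. Assumptions: HTTP API payload format 2.0; the Lambda authorizer
// returns context { groups: [...] }; the column `visible_to_group` is hypothetical.
const ADMIN_GROUP = 'AdminGroup';
const KNOWN_GROUPS = new Set(['AdminGroup', 'WorkersGroup']);

// Read groups only from the authorizer context, never from headers, query string or body.
function groupsFromEvent(event) {
  const auth = (event.requestContext && event.requestContext.authorizer) || {};
  const raw = (auth.lambda && auth.lambda.groups) ||
    (auth.jwt && auth.jwt.claims && auth.jwt.claims['cognito:groups']) || [];
  // A JWT authorizer can deliver array claims as one string such as "[AdminGroup WorkersGroup]".
  const list = Array.isArray(raw) ? raw : String(raw).replace(/^\[|\]$/g, '').split(/[\s,]+/);
  return list.filter((g) => KNOWN_GROUPS.has(g));
}

// Build a parameterized query; return null when the caller is in no known group.
function buildProductsQuery(groups) {
  if (groups.length === 0) return null;
  if (groups.includes(ADMIN_GROUP)) {
    return { sql: 'SELECT * FROM `Products-Table`', params: [] };
  }
  const marks = groups.map(() => '?').join(', ');
  return {
    sql: `SELECT * FROM \`Products-Table\` WHERE visible_to_group IN (${marks})`,
    params: groups,
  };
}

// runQuery(sql, params) is injected; in a real Lambda it would wrap the MySQL client.
async function handler(event, runQuery) {
  const query = buildProductsQuery(groupsFromEvent(event));
  if (query === null) {
    return { statusCode: 403, body: JSON.stringify({ message: 'Forbidden' }) };
  }
  const rows = await runQuery(query.sql, query.params);
  return { statusCode: 200, body: JSON.stringify(rows) };
}

// Constructed sample events (not real API Gateway captures).
const workerEvent = { requestContext: { authorizer: { lambda: { groups: ['WorkersGroup'] } } } };
const noGroupEvent = { requestContext: { authorizer: { lambda: {} } } };
```

Group names that are not in `KNOWN_GROUPS` are dropped before the query is built, so an unexpected claim value results in a 403 rather than a wider result set.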

Is it possible to integrate the AWS cognito hosted UI with the Amazon Pinpoint for analytics?

We are looking for a way to integrate the AWS Cognito hosted UI with the Amazon Pinpoint for analytics. We have also set up the Pinpoint for Cognito with the corresponding region, but nothing shows up in the dashboard.
There is already an integration present for AWS Cognito and Pinpoint.
However, your question is a little bit vague, because you have not added other details, such as up to which part you are done.
Still, let me add some steps; let's see if it helps you.
One possible reason could be a wrong mapping of regions in AWS.
Please use this link to check the mapping:
AWS Region mapping for Cognito and Pinpoint
1. Sign in to the Amazon Cognito console.
2. In the navigation pane, choose Manage User Pools, and choose the user pool you want to edit.
3. Choose the Analytics tab.
4. Choose Add analytics and campaigns.
5. Choose a Cognito app client from the list.
6. To map your Amazon Cognito app to an Amazon Pinpoint project, choose the Amazon Pinpoint project from the list.
7. Choose Share user attribute data with Amazon Pinpoint if you want Amazon Cognito to send email addresses and phone numbers to Amazon Pinpoint in order to create additional endpoints for users.

WSO2, not allowed subscribers to create application

I'm new to WSO2 and have some confusion regarding subscribers who log into the developer portal to subscribe to APIs. In fact, I created a user with the roles internal\subscriber and internal\selfsignup, and after logging in with this user, I expected that he could only see the APIs created and subscribe to them with the applications created in the /publisher page, but it seems that this user has the possibility to create his own applications, and I do not see how to withdraw these privileges. I want him to also use the apps created in /publisher.
Best regards
The question is a little confusing. Please find the basic ideas of API visibility and API subscription availability below.
You can create applications in the devportal or store portal
You can create APIs in the publisher portal
In general, when you create an API in the publisher portal and publish it without any role visibility restrictions, anyone can view those APIs. To view these publicly available APIs in devportal, you don't even have to log in to the devportal. They can be viewed in anonymous mode.
In case you have restricted the API visibility in devportal based on roles, then only the users with the allowed roles can view those APIs.
Similar to API visibility, you also can control the API subscription in the devportal. The subscription availability option will only be displayed if there are tenants in your environment.
Please refer to the official document for more details on this topic.

AWS Cognito - Logging end user activities for auditing

I am using Cognito for authentication. I am using the default sign-in page application for the end user to login to the application.
I need to log end-user activities related to the sign-in page for auditing purpose. Basically, I need to log when the user signed-up, signed-in, signed out and changed password. I can use triggers "Post Authentication Lambda Trigger" but forgot password and sign out events are missing. Could you please help me on how to achieve this?
AWS Cognito Advanced Security Features provides this functionality. You can find more details here https://aws.amazon.com/blogs/security/how-to-use-new-advanced-security-features-for-amazon-cognito-user-pools/

I want to use AWS Cognito with existed website. How can I link each other?

I already have a heavy user table in an existing website, and the server isn't hosted in AWS.
I wanna use AWS Cognito for a mobile app of this site. So, I need to check my server first at login/sign-in.
But many blogs and examples look like they are only for serverless services.
I saw Accessing Server-side Resources after Sign-in. But this accesses the server after getting a token.
I saw Adding a User Pool Lambda Trigger. But not sure this can fit with my case.
I know I need to test these things first.
But just I wanna get some advice in here first.
So, Please give me advice.
Thanks.
You can do one thing: you can use Cognito in the application using aws-sdk, which will do sign-in/sign-up.
Add a Cognito trigger and save the data to a DynamoDB table, or you can send the data to your database also.
Another case: you can add a trigger, and it will check in both Cognito and your login table for the user info and then allow the sign-in.
OR
You can import your user data to cognito.