For companies, particularly those in highly regulated industries, managing user accounts isn't only a matter of security but also a compliance requirement. In sectors such as finance, healthcare, and government, where regulations often mandate strict control over user access, disabling stale user accounts is a key compliance activity. In this post, we show you a solution that uses serverless technologies to track and disable inactive user accounts. While this process is particularly relevant for those in regulated industries, it can also be useful for other organizations looking to maintain a clean and secure user base.
The solution focuses on identifying inactive user accounts in Amazon Cognito and automatically disabling them. Disabling a user account in Cognito effectively restricts the user's access to applications and services associated with the Amazon Cognito user pool. After their account is disabled, the user can no longer sign in, access tokens are revoked for their account, and they are unable to perform API operations that require user authentication. However, the user's data and profile within the Cognito user pool remain intact. If necessary, the account can be re-enabled, allowing the user to regain access and functionality.
While the solution focuses on the example of a single Amazon Cognito user pool in a single account, you also learn considerations for multi-user pool and multi-account strategies.
Solution overview
In this section, you learn how to configure an AWS Lambda function that captures the latest sign-in records of users authenticated by Amazon Cognito and writes this data to an Amazon DynamoDB table. A time-to-live (TTL) indicator is set on each of these records based on the user inactivity threshold parameter defined when deploying the solution. This TTL represents the maximum period a user can go without signing in before their account is disabled. As these items reach their TTL expiry in DynamoDB, a second Lambda function is invoked to process the expired items and disable the corresponding user accounts in Cognito. For example, if the user inactivity threshold is configured to be 7 days, the accounts of users who don't sign in within 7 days of their last sign-in will be disabled. Figure 1 shows an overview of the process.
Note: This solution runs as a background process and doesn't disable user accounts in real time, because DynamoDB Time to Live (TTL) deletes expired items on a best-effort schedule rather than at the exact expiry instant, and the stream consumer is paced to remain within the Amazon Cognito quotas. Set your users' and administrators' expectations accordingly, acknowledging that there might be a delay before changes and updates are reflected.
As shown in Figure 1, this process involves the following steps:
An application user signs in by authenticating to Amazon Cognito.
Upon successful user authentication, Cognito initiates a post authentication Lambda trigger, invoking the PostAuthProcessorLambda function.
The PostAuthProcessorLambda function puts an item in the LatestPostAuthRecordsDDB DynamoDB table with the following attributes:
sub: A unique identifier for the authenticated user within the Amazon Cognito user pool.
timestamp: The time of the user's latest sign-in, formatted in UTC ISO standard.
username: The authenticated user's Cognito username.
userpool_id: The identifier of the user pool to which the user authenticated.
ttl: The expiry time, stored as Unix epoch seconds (the format DynamoDB TTL requires), after which the user's inactivity will initiate account deactivation.
Items in the LatestPostAuthRecordsDDB DynamoDB table are automatically purged upon reaching their TTL expiry, emitting events in DynamoDB Streams.
DynamoDB Streams events are filtered to allow invocation of the DDBStreamProcessorLambda function only for TTL-deleted items.
The DDBStreamProcessorLambda function runs to disable the corresponding user accounts in Cognito.
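The two functions in the steps above, written out as an added example (this is not the post's own Lambda code). Both handlers are plain functions that take their AWS clients as arguments so they run offline; the FakeTable and FakeCognito classes are constructed stand-ins for a boto3 DynamoDB Table resource and a boto3 cognito-idp client, and the sample events are constructed to match the shape of a Cognito post authentication trigger event and a DynamoDB Streams batch. The attribute name ttl is assumed to be the one TTL is enabled on.

```python
"""Added example: PostAuthProcessorLambda and DDBStreamProcessorLambda logic,
runnable offline with constructed stand-ins for the AWS clients."""
import time
from datetime import datetime, timezone

TTL_ATTRIBUTE = "ttl"  # assumption: the attribute DynamoDB TTL is enabled on


class FakeTable:
    """Constructed stand-in for boto3's Table resource; records put_item calls."""
    def __init__(self):
        self.items = {}

    def put_item(self, Item):
        self.items[Item["sub"]] = Item  # sub is the partition key, so this upserts


class FakeCognito:
    """Constructed stand-in for a boto3 cognito-idp client."""
    def __init__(self):
        self.disabled = []

    def admin_disable_user(self, UserPoolId, Username):
        self.disabled.append((UserPoolId, Username))
        return {}


def build_sign_in_record(event, inactive_threshold_days, now=None):
    """Map a Cognito post authentication trigger event to the table item.
    DynamoDB TTL reads an absolute Unix epoch time in seconds, so ttl is the
    expiry instant, not a relative duration."""
    now = now if now is not None else time.time()
    attrs = event["request"]["userAttributes"]
    return {
        "sub": attrs["sub"],
        "username": event["userName"],
        "userpool_id": event["userPoolId"],
        "timestamp": datetime.fromtimestamp(now, tz=timezone.utc).isoformat(),
        TTL_ATTRIBUTE: int(now) + inactive_threshold_days * 86400,
    }


def post_auth_handler(event, table, inactive_threshold_days=7):
    """PostAuthProcessorLambda: upsert the latest sign-in record keyed by sub and
    hand the event back unchanged, as Cognito expects from a trigger."""
    table.put_item(Item=build_sign_in_record(event, inactive_threshold_days))
    return event


def is_ttl_delete(record):
    """True only for deletes performed by the DynamoDB TTL service. This is the
    same condition the event source mapping filter selects on; checking it again
    in code means a manual DeleteItem can never disable a user."""
    ident = record.get("userIdentity") or {}
    return (record.get("eventName") == "REMOVE"
            and ident.get("type") == "Service"
            and ident.get("principalId") == "dynamodb.amazonaws.com")


def stream_handler(event, cognito):
    """DDBStreamProcessorLambda: disable the user behind every expired record.
    Stream records carry the OldImage in DynamoDB JSON, e.g. {"S": "alice"}."""
    disabled = []
    for record in event["Records"]:
        if not is_ttl_delete(record):
            continue
        old = record["dynamodb"]["OldImage"]
        pool, user = old["userpool_id"]["S"], old["username"]["S"]
        cognito.admin_disable_user(UserPoolId=pool, Username=user)
        disabled.append((pool, user))
    return disabled


# Constructed sample events shaped like the trigger and stream payloads.
SAMPLE_SUB = "11111111-2222-3333-4444-555555555555"
SAMPLE_POST_AUTH_EVENT = {
    "version": "1", "triggerSource": "PostAuthentication_Authentication",
    "region": "us-east-1", "userPoolId": "us-east-1_EXAMPLE", "userName": "alice",
    "request": {"userAttributes": {"sub": SAMPLE_SUB, "email": "alice@example.com"},
                "newDeviceUsed": False},
    "response": {},
}
SAMPLE_STREAM_EVENT = {"Records": [
    {   # expired by TTL: must be disabled
        "eventName": "REMOVE",
        "userIdentity": {"type": "Service", "principalId": "dynamodb.amazonaws.com"},
        "dynamodb": {"OldImage": {"sub": {"S": SAMPLE_SUB}, "username": {"S": "alice"},
                                  "userpool_id": {"S": "us-east-1_EXAMPLE"},
                                  "ttl": {"N": "1700604800"}}},
    },
    {   # deleted by an operator, no userIdentity: must be ignored
        "eventName": "REMOVE",
        "dynamodb": {"OldImage": {"sub": {"S": "2222"}, "username": {"S": "bob"},
                                  "userpool_id": {"S": "us-east-1_EXAMPLE"}}},
    },
    {"eventName": "INSERT", "dynamodb": {"NewImage": {"sub": {"S": "3333"}}}},
]}

if __name__ == "__main__":
    table, cognito = FakeTable(), FakeCognito()
    post_auth_handler(SAMPLE_POST_AUTH_EVENT, table, inactive_threshold_days=7)
    print(table.items[SAMPLE_SUB])
    print(stream_handler(SAMPLE_STREAM_EVENT, cognito))  # [('us-east-1_EXAMPLE', 'alice')]
```

Two points worth noting. The post authentication trigger is invoked synchronously during sign-in and must answer within Cognito's fixed timeout, so the handler does a single put_item and nothing else. The stream handler re-checks userIdentity even though the event source mapping filter already does, so that an operator deleting a row by hand, or a change to the mapping, cannot turn into a mass disable. Because a Cognito post confirmation event carries the same userName, userPoolId and userAttributes.sub fields, the same handler body can serve as the post confirmation trigger recommended later in the post.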
Implementation details
In this section, you're guided through deploying the solution, demonstrating how to integrate it with your existing Amazon Cognito user pool and exploring the solution in more detail.
Note: This solution starts tracking user activity from the moment of its deployment. It can't retroactively track or manage user activity that occurred prior to its implementation. To make sure the solution disables currently inactive users in the first TTL interval after deploying the solution, you must do a one-time preload of those users into the DynamoDB table. If this isn't done, the currently inactive users won't be detected, because users are detected as they sign in. For the same reason, users who create accounts but never sign in won't be detected either. To detect user accounts that sign up but never sign in, implement a post confirmation Lambda trigger to invoke a Lambda function that processes user sign-up records and writes them to the DynamoDB table.
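The one-time preload described in the note above, as an added example that is not part of the post. It pages through ListUsers for one pool and writes one record per enabled user, expiring the configured number of days from now, so that anyone who doesn't sign in before then is disabled in the first interval. FakePagedCognito and FakeTable are constructed stand-ins for a boto3 cognito-idp client and DynamoDB Table resource, and the user list is constructed; in a deployment you pass the real objects and the pool ID from your CognitoUserPoolARNs parameter.

```python
"""Added example: one-time preload of existing pool users into the sign-in table,
runnable offline with constructed stand-ins for the AWS clients."""
import time
from datetime import datetime, timezone

LIST_USERS_PAGE_SIZE = 60  # ListUsers returns at most 60 users per call


class FakePagedCognito:
    """Constructed stand-in that serves ListUsers pages with a PaginationToken."""
    def __init__(self, pages):
        self.pages = pages

    def list_users(self, UserPoolId, Limit, PaginationToken=None):
        index = int(PaginationToken) if PaginationToken else 0
        page = {"Users": self.pages[index]}
        if index + 1 < len(self.pages):
            page["PaginationToken"] = str(index + 1)
        return page


class FakeTable:
    """Constructed stand-in for boto3's Table resource."""
    def __init__(self):
        self.items = {}

    def put_item(self, Item):
        self.items[Item["sub"]] = Item


def iter_pool_users(cognito, user_pool_id):
    """Walk every page of ListUsers. boto3 rejects PaginationToken=None, so the
    token is only added to the call once a page has returned one."""
    kwargs = {"UserPoolId": user_pool_id, "Limit": LIST_USERS_PAGE_SIZE}
    while True:
        page = cognito.list_users(**kwargs)
        yield from page.get("Users", [])
        token = page.get("PaginationToken")
        if not token:
            return
        kwargs["PaginationToken"] = token


def preload_records(cognito, table, user_pool_id, inactive_threshold_days, now=None):
    """Write one record per enabled user that expires threshold days from now.
    Already-disabled users are skipped. Users in FORCE_CHANGE_PASSWORD or
    UNCONFIRMED state (signed up, never signed in) are included on purpose: the
    post authentication trigger will never see them, so this is their only entry.
    The timestamp records the preload instant, not a real sign-in."""
    now = int(now if now is not None else time.time())
    written = []
    for user in iter_pool_users(cognito, user_pool_id):
        if not user.get("Enabled", True):
            continue
        attrs = {a["Name"]: a["Value"] for a in user.get("Attributes", [])}
        table.put_item(Item={
            "sub": attrs["sub"],
            "username": user["Username"],
            "userpool_id": user_pool_id,
            "timestamp": datetime.fromtimestamp(now, tz=timezone.utc).isoformat(),
            "ttl": now + inactive_threshold_days * 86400,
        })
        written.append(user["Username"])
    return written


# Constructed ListUsers output: two pages, three users in different states.
SAMPLE_PAGES = [
    [{"Username": "alice", "Enabled": True, "UserStatus": "CONFIRMED",
      "Attributes": [{"Name": "sub", "Value": "1111"},
                     {"Name": "email", "Value": "alice@example.com"}]},
     {"Username": "bob", "Enabled": False, "UserStatus": "CONFIRMED",
      "Attributes": [{"Name": "sub", "Value": "2222"}]}],
    [{"Username": "carol", "Enabled": True, "UserStatus": "FORCE_CHANGE_PASSWORD",
      "Attributes": [{"Name": "sub", "Value": "3333"}]}],
]

if __name__ == "__main__":
    table = FakeTable()
    print(preload_records(FakePagedCognito(SAMPLE_PAGES), table,
                          "us-east-1_EXAMPLE", 30))  # ['alice', 'carol']
```

Run it once per pool, after the stack is deployed and before the trigger is attached, so that a sign-in arriving during the preload simply overwrites the preloaded row with a real one. For large pools, wrap the writes in the Table resource's batch_writer() so they go out as BatchWriteItem calls instead of one PutItem per user.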
Prerequisites
Before deploying this solution, you must have the following prerequisites in place:
An existing Amazon Cognito user pool. This user pool is the foundation upon which the solution operates. If you don't have a Cognito user pool set up, you must create one before proceeding. See Creating a user pool.
The ability to launch a CloudFormation template. The second prerequisite is the capability to launch an AWS CloudFormation template in your AWS environment. The template provisions the required AWS services, including Lambda functions, a DynamoDB table, and AWS Identity and Access Management (IAM) roles that are integral to the solution. The template simplifies the deployment process, allowing you to set up the entire solution with minimal manual configuration. You must have the necessary permissions in your AWS account to launch CloudFormation stacks and provision these services.
To deploy the solution
Choose the Launch Stack button to deploy the solution's CloudFormation template:
The solution deploys in the AWS US East (N. Virginia) Region (us-east-1) by default. To deploy the solution in a different Region, use the Region selector in the console navigation bar and make sure that the services required for this walkthrough are supported in your newly chosen Region. For service availability by Region, see AWS Services by Region.
On the Quick Create Stack screen, do the following:
Specify the stack details.
Stack name: The stack name is an identifier that helps you find a particular stack from a list of stacks. A stack name can contain only alphanumeric characters (case sensitive) and hyphens. It must start with an alphabetic character and can't be longer than 128 characters.
CognitoUserPoolARNs: A comma-separated list of Amazon Cognito user pool Amazon Resource Names (ARNs) to monitor for inactive users.
UserInactiveThresholdDays: Time (in days) that the user account is allowed to be inactive before it's disabled.
Scroll to the bottom, and in the Capabilities section, select I acknowledge that AWS CloudFormation might create IAM resources with custom names.
Choose Create Stack.
Integrate with your existing user pool
With the CloudFormation template deployed, you can set up Lambda triggers on your existing user pool. This is a key step for monitoring user activity.
Note: This walkthrough uses the new AWS Management Console experience. Alternatively, these steps could also be done using CloudFormation.
To integrate with your existing user pool
Navigate to the Amazon Cognito console and select your user pool.
Navigate to User pool properties.
Under Lambda triggers, choose Add Lambda trigger. Select the Authentication radio button, then add a Post authentication trigger and assign the PostAuthProcessorLambda function.
Note: Amazon Cognito allows you to set up one Lambda trigger per event. If you already have a post authentication Lambda trigger configured, you can refactor the existing Lambda function, adding the new behavior directly to it to minimize the cold starts associated with invoking additional functions (for more information, see Anti-patterns in Lambda-based applications). Keep in mind that when Cognito calls your Lambda function, the function must respond within 5 seconds. If it doesn't and if the call can be retried, Cognito retries the call. After three unsuccessful attempts, the function times out. You can't change this 5-second timeout value.
When you add a Lambda trigger in the Amazon Cognito console, Cognito adds a resource-based policy to your function that permits your user pool to invoke the function. When you create a Lambda trigger outside of the Cognito console, including a cross-account function, you must add permissions to the resource-based policy of the Lambda function. Your added permissions must allow Cognito to invoke the function on behalf of your user pool. You can add permissions from the Lambda console or use the Lambda AddPermission API operation. To configure this in CloudFormation, you can use the AWS::Lambda::Permission resource.
Explore the solution
The solution should now be operational. It's configured to start monitoring user sign-in activity and automatically disable inactive user accounts according to the user inactivity threshold. Use the following procedures to test the solution:
Note: When testing the solution, you can set the UserInactiveThresholdDays CloudFormation parameter to 0. This minimizes the time it takes for user accounts to be disabled.
Step 1: User authentication
Create a user account (if one doesn't exist) in the Amazon Cognito user pool integrated with the solution.
Authenticate to the Cognito user pool integrated with the solution.
Step 2: Verify the sign-in record in DynamoDB
Confirm that the sign-in record was successfully put in the LatestPostAuthRecordsDDB DynamoDB table.
Navigate to the DynamoDB console.
Select the LatestPostAuthRecordsDDB table.
Select Explore Table Items.
Locate the sign-in record associated with your user.
Step 3: Confirm user deactivation in Amazon Cognito
After the TTL expires, validate that the user account is disabled in Amazon Cognito.
Navigate to the Amazon Cognito console.
Select the relevant Cognito user pool.
Under Users, select the specific user.
Verify the Account status in the User information section.
Note: TTL typically deletes expired items within a few days. Depending on the size and activity level of a table, the actual delete operation of an expired item can vary. TTL deletes items on a best-effort basis, and deletion might take longer in some situations.
The user's account is now disabled. A disabled user account can't be used to sign in, but still appears in the responses to GetUser and ListUsers API requests.
Design considerations
In this section, you dive deeper into the key components of this solution.
DynamoDB schema configuration:
The DynamoDB schema has the Amazon Cognito sub attribute as the partition key. The Cognito sub is a globally unique user identifier within Cognito user pools that can't be changed. This configuration ensures each user has a single entry in the table, even when the solution is configured to track multiple user pools. See Other considerations for more about tracking multiple user pools.
Using DynamoDB Streams and Lambda to disable TTL deleted users
This solution uses DynamoDB TTL and DynamoDB Streams alongside Lambda to process user sign-in records. The TTL feature automatically deletes items past their expiration time without consuming write throughput. The deleted items are captured by DynamoDB Streams and processed using Lambda. You also apply event filtering within the Lambda event source mapping, ensuring that the DDBStreamProcessorLambda function is invoked only for TTL-deleted items; the filter matches on the stream record's userIdentity, which DynamoDB sets to the dynamodb.amazonaws.com service principal for deletes performed by TTL and leaves unset for deletes performed by callers. This approach reduces invocations of the Lambda functions, simplifies code, and reduces overall cost.
Handling API quotas:
The DDBStreamProcessorLambda function is configured to comply with the AdminDisableUser API's quota limits. It processes records in batches of 25, with a parallelization factor of 1. This makes sure that the solution stays within the nonadjustable 25 requests per second (RPS) limit for AdminDisableUser, avoiding potential API throttling. Note that the parallelization factor applies per stream shard, so a table whose stream has several shards can still run several batches concurrently; keep this in mind when sizing the batch against the quota. For more details on these limits, see Quotas in Amazon Cognito.
Dead-letter queues:
Throughout the architecture, dead-letter queues (DLQs) are used to handle message processing failures gracefully. They make sure that unprocessed records aren't lost but instead are queued for further inspection and retry.
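The pieces discussed in this section (the sub-keyed table with TTL and a stream, the TTL-only filter on the event source mapping, the batch size and parallelization factor, and the on-failure queue), together with the AWS::Lambda::Permission mentioned in the integration note, as one CloudFormation fragment. This is an added example, not the post's template: it assumes the two function resources PostAuthProcessorLambda and DDBStreamProcessorLambda, the execution role DDBStreamProcessorRole, and a single-pool parameter CognitoUserPoolArn are defined elsewhere in the same template.

```yaml
# Added example fragment; resource and parameter names other than the table and
# function names from the post are assumptions.
Resources:
  LatestPostAuthRecordsDDB:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: sub
          AttributeType: S
      KeySchema:
        - AttributeName: sub
          KeyType: HASH
      TimeToLiveSpecification:
        AttributeName: ttl       # must hold Unix epoch seconds
        Enabled: true
      StreamSpecification:
        StreamViewType: OLD_IMAGE  # the consumer needs the deleted item's username and pool

  # Lets the user pool invoke the trigger when it is attached outside the console.
  PostAuthInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref PostAuthProcessorLambda
      Principal: cognito-idp.amazonaws.com
      SourceArn: !Ref CognitoUserPoolArn

  DDBStreamFailureQueue:
    Type: AWS::SQS::Queue

  # Least-privilege statements the stream consumer's role needs (assumed role name).
  DDBStreamProcessorPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: disable-inactive-users
      Roles: [!Ref DDBStreamProcessorRole]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: cognito-idp:AdminDisableUser
            Resource: !Ref CognitoUserPoolArn
          - Effect: Allow
            Action:
              - dynamodb:DescribeStream
              - dynamodb:GetRecords
              - dynamodb:GetShardIterator
              - dynamodb:ListStreams
            Resource: !GetAtt LatestPostAuthRecordsDDB.StreamArn
          - Effect: Allow
            Action: sqs:SendMessage
            Resource: !GetAtt DDBStreamFailureQueue.Arn

  DDBStreamMapping:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn: !GetAtt LatestPostAuthRecordsDDB.StreamArn
      FunctionName: !Ref DDBStreamProcessorLambda
      StartingPosition: LATEST
      BatchSize: 25              # at most 25 AdminDisableUser calls per invocation
      ParallelizationFactor: 1   # one batch in flight per shard
      MaximumRetryAttempts: 3
      BisectBatchOnFunctionError: true
      DestinationConfig:
        OnFailure:
          Destination: !GetAtt DDBStreamFailureQueue.Arn
      FilterCriteria:
        Filters:
          - Pattern: '{"eventName":["REMOVE"],"userIdentity":{"type":["Service"],"principalId":["dynamodb.amazonaws.com"]}}'
```

The filter pattern is the one DynamoDB documents for distinguishing TTL deletes from user deletes: only TTL-driven records carry a userIdentity with the dynamodb.amazonaws.com service principal, so an operator clearing rows by hand never reaches the consumer. With BisectBatchOnFunctionError, a batch that fails because one AdminDisableUser call throttled is split and retried, and records that still fail after the retry limit land in the queue rather than being dropped.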
Other considerations
The following considerations are important for scaling the solution in complex environments and maintaining its integrity. The ability to scale and manage the increased complexity is crucial for successful adoption of the solution.
Multi-user pool and multi-account deployment
While this solution discussed a single Amazon Cognito user pool in a single AWS account, the solution can also function in environments with multiple user pools. This involves deploying the solution and integrating it with each user pool as described in Integrate with your existing user pool. Because the AdminDisableUser API's quota limits the maximum number of requests in a single AWS Region in a single AWS account, consider deploying the solution separately in each Region in each AWS account to stay within the API limits.
Efficient processing with Amazon SQS:
Consider using Amazon Simple Queue Service (Amazon SQS) to add a queue between the PostAuthProcessorLambda function and the LatestPostAuthRecordsDDB DynamoDB table to optimize processing. This approach decouples user sign-in activity from DynamoDB writes, and allows for batching writes to DynamoDB, reducing the number of write requests.
Clean up
Avoid unwanted charges by cleaning up the resources you've created. To decommission the solution, follow these steps:
Remove the Lambda trigger from the Amazon Cognito user pool:
Navigate to the Amazon Cognito console.
Select the user pool you have been working with.
Go to the Triggers section within the user pool settings.
Manually remove the association of the Lambda function with the user pool events.
Remove the CloudFormation stack:
Open the CloudFormation console.
Locate and select the CloudFormation stack that was used to deploy the solution.
Delete the stack.
CloudFormation will automatically remove the resources created by this stack, including Lambda functions, Amazon SQS queues, and DynamoDB tables.
Conclusion
In this post, we walked you through a solution to identify and disable stale user accounts based on periods of inactivity. While the example focuses on a single Amazon Cognito user pool, the approach can be adapted for more complex environments with multiple user pools across multiple accounts. For examples of Amazon Cognito architectures, see the AWS Architecture Blog.
Proper planning is essential for seamless integration with your existing infrastructure. Carefully consider factors such as your security environment, compliance needs, and user pool configurations. You can modify this solution to suit your specific use case.
Maintaining clean and active user pools is an ongoing journey. Continue monitoring your systems, optimizing configurations, and keeping up to date on new features. Combined with well-architected preventive measures, automated user management strategies provide strong defenses for your applications and data.
For further reading, see the AWS Well-Architected Security Pillar and more posts like this one on the AWS Security Blog.
If you have feedback about this post, submit comments in the Comments section. If you have questions about this post, start a new thread on the Amazon Cognito re:Post forum or contact AWS Support.