Skip to content

AWS Cognito Refresh Token

Service Name: Amazon Cognito

Service Description: Amazon Cognito is a user identity and data synchronization service that helps you securely manage and synchronize app data for your users across their devices. It provides authentication, authorization, and user management for web and mobile applications.

Service Address: https://aws.amazon.com/cognito/

Validation Type: API Auth

IP Allow list: IP restrictions can be implemented through AWS WAF (Web Application Firewall) rules or resource policies, but not directly at the token level.

Secret Access Scope: Grants the ability to obtain new access tokens without requiring the user to re-authenticate. Refresh tokens typically have a longer lifespan than access tokens.

Secret Revokement URL: https://docs.aws.amazon.com/cognito/latest/developerguide/revocation-endpoint.html

Secret Example: eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ...

Suspicious Activity Investigation Instructions:

  • Review AWS CloudTrail logs for unusual authentication events or token usage patterns.
  • Check for unexpected token refresh operations from unfamiliar IP addresses or locations.
  • Monitor for unusual user pool activity or configuration changes.
  • Examine user session patterns for anomalies in login frequency or geographic distribution.
  • Review application logs for unexpected authentication flows or token usage.

Mitigation Instructions:

  • Revoke the compromised refresh token using the AWS Cognito token revocation endpoint.
  • Force sign-out for affected users through the AWS Cognito console or API.
  • Update the affected user's password and enable MFA if not already enabled.
  • Review and update token expiration policies to reduce the valid lifetime of refresh tokens.
  • Implement additional security controls such as IP-based restrictions using AWS WAF.
  • Consider implementing adaptive authentication to detect and respond to suspicious login attempts.
  • Update application code to properly secure tokens and implement token rotation.