AWS Cognito

The displayed metrics for AWS Cognito include the number of user pools, user sign-in requests, user registrations, throttled sign-in requests, token refresh counts, and so on.

Configuration

Install Func

It is recommended to enable the TrueWatch integration via Extensions - DataFlux Func (Automata): all prerequisites are installed automatically, so you can proceed directly to the script installation.

If you are deploying Func manually, refer to Deploy Func Manually.

Install Script

Note: Prepare the required Amazon access key (AK) in advance. For simplicity you can grant the global read-only managed policy ReadOnlyAccess; a narrower read-only policy limited to what the collector actually needs follows least privilege more closely.

Managed Version Activation Script

  1. Log in to the TrueWatch console.
  2. Open the 【Integrations】 menu and select 【Cloud Account Management】.
  3. Click 【Add Cloud Account】, select 【AWS】, and fill in the required information. If you have already configured this cloud account, skip this step.
  4. Click 【Test】; if the test succeeds, click 【Save】. If it fails, check that the configuration information is correct and test again.
  5. In the 【Cloud Account Management】 list, find the added cloud account and click it to open its details page.
  6. Click the 【Integrations】 button on the cloud account details page, find AWS Cognito in the Not Installed list, and click 【Install】 to open the installation dialog.

Manual Activation Script

  1. Log in to the Func console, click 【Script Market】 to enter the TrueWatch script market, and search for integration_aws_cognito.

  2. Click 【Install】, then enter the corresponding parameters: AWS AK ID, AK Secret, and account name.

  3. Click 【Deploy Startup Script】; the system automatically creates the Startup script set and configures the corresponding startup scripts.

  4. After enabling, the automatic trigger configuration appears under 「Management / Automatic Trigger Configuration」. Click 【Execute】 to run it once immediately instead of waiting for the scheduled time. After a short while you can view the execution task records and their logs.

Verification

  1. In 「Management / Automatic Trigger Configuration」, confirm that the task has its automatic trigger configuration; you can also check the task records and logs for exceptions.
  2. In TrueWatch, check 「Infrastructure / Custom」 for the asset information.
  3. In TrueWatch, check 「Metrics」 for the corresponding monitoring data.

Metrics

After Amazon CloudWatch is configured, the metrics below are collected by default. More metrics can be collected through configuration:

Amazon CloudWatch AWS Cognito Metrics Details

Each entry lists the metric name, its unit, its dimensions, and a description. Throttled requests are the ones the console labels as restricted.

SignUpSuccesses
  Unit: Count
  Dimensions: UserPool, UserPoolClient
  Description: Provides the total number of successful user registration requests made to an Amazon Cognito user pool. A successful registration request produces a value of 1, while an unsuccessful request produces a value of 0. Throttled requests are also treated as unsuccessful, so a throttled request also produces a value of 0. To find the percentage of successful registration requests, use the Average statistic. To calculate the total number of registration requests, use the Sample Count statistic. To calculate the number of successful registration requests, use the Sum statistic. To calculate the number of failed registration requests, use a CloudWatch Math expression that subtracts the Sum statistic from the Sample Count statistic. This metric is published for each user pool client of the user pool. If the registration is performed by an administrator, the metric is published with the user pool client value Admin. This metric is not emitted for user import and user migration.

SignUpThrottles
  Unit: Count
  Dimensions: UserPool, UserPoolClient
  Description: Provides the total number of throttled user registration requests made to an Amazon Cognito user pool. When a registration request is throttled, a value of 1 is published. To calculate the total number of throttled registration requests, use the Sum statistic. This metric is published for each client of each user pool.

SignInSuccesses
  Unit: Count
  Dimensions: UserPool, UserPoolClient
  Description: Provides the total number of successful user authentication requests made to an Amazon Cognito user pool. An authentication is considered successful when an authentication token is issued to the user. A successful authentication produces a value of 1, while an unsuccessful request produces a value of 0. Throttled requests are also treated as unsuccessful, so a throttled request also produces a value of 0. To find the percentage of successful authentication requests, use the Average statistic. To calculate the total number of authentication requests, use the Sample Count statistic. To calculate the number of successful authentication requests, use the Sum statistic. To calculate the number of failed authentication requests, use a CloudWatch Math expression that subtracts the Sum statistic from the Sample Count statistic. This metric is published for each client of each user pool. If an invalid user pool client is supplied in the request, the user pool client value in the metric contains the fixed value Invalid instead of the actual value sent in the request. Amazon Cognito token refresh requests are not included in this metric; a separate metric provides refresh token statistics.

SignInThrottles
  Unit: Count
  Dimensions: UserPool, UserPoolClient
  Description: Provides the total number of throttled user authentication requests made to an Amazon Cognito user pool. When an authentication request is throttled, a value of 1 is published. To calculate the total number of throttled authentication requests, use the Sum statistic. This metric is published for each client of each user pool. If an invalid user pool client is supplied in the request, the user pool client value in the metric contains the fixed value Invalid instead of the actual value sent in the request. Amazon Cognito token refresh requests are not included in this metric; a separate metric provides refresh token statistics.

TokenRefreshSuccesses
  Unit: Count
  Dimensions: UserPool, UserPoolClient
  Description: Provides the total number of successful Amazon Cognito token refresh requests made to an Amazon Cognito user pool. A successful token refresh request produces a value of 1, while an unsuccessful request produces a value of 0. Throttled requests are also treated as unsuccessful, so a throttled request also produces a value of 0. To find the percentage of successful token refresh requests, use the Average statistic. To calculate the total number of token refresh requests, use the Sample Count statistic. To calculate the number of successful token refresh requests, use the Sum statistic. To calculate the number of failed token refresh requests, use a CloudWatch Math expression that subtracts the Sum statistic from the Sample Count statistic. This metric is published for each user pool client. If an invalid user pool client is supplied in the request, the user pool client value contains the fixed value Invalid.

TokenRefreshThrottles
  Unit: Count
  Dimensions: UserPool, UserPoolClient
  Description: Provides the total number of throttled Amazon Cognito token refresh requests made to an Amazon Cognito user pool. When a token refresh request is throttled, a value of 1 is published. To calculate the total number of throttled token refresh requests, use the Sum statistic. This metric is published for each client of each user pool. If an invalid user pool client is supplied in the request, the user pool client value in the metric contains the fixed value Invalid instead of the actual value sent in the request.

FederationSuccesses
  Unit: Count
  Dimensions: UserPool, UserPoolClient, IdentityProvider
  Description: Provides the total number of successful federated authentication requests made to an Amazon Cognito user pool. A federated authentication is considered successful when Amazon Cognito issues an authentication token to the user. A successful request produces a value of 1, while an unsuccessful request produces a value of 0. Throttled requests, and requests that generate an authorization code but no token, produce a value of 0. To find the percentage of successful federated authentication requests, use the Average statistic. To calculate the total number of federated authentication requests, use the Sample Count statistic. To calculate the number of successful federated authentication requests, use the Sum statistic. To calculate the number of failed federated authentication requests, use a CloudWatch Math expression that subtracts the Sum statistic from the Sample Count statistic.

FederationThrottles
  Unit: Count
  Dimensions: UserPool, UserPoolClient, IdentityProvider
  Description: Provides the total number of throttled federated authentication requests made to an Amazon Cognito user pool. When a federated authentication request is throttled, a value of 1 is published. To calculate the total number of throttled federated authentication requests, use the Sum statistic.

CallCount
  Unit: Count
  Dimensions: Service, Type, Resource, Class
  Description: Provides the total number of calls made by the customer in the category. This metric includes all calls: throttled, failed, and successful. The category quota is shared by all user pools in the account and Region. Use the Sum statistic to calculate the total number of calls.

ThrottleCount
  Unit: Count
  Dimensions: Service, Type, Resource, Class
  Description: Provides the total number of throttled calls in the category. This metric is published at the account level. Use the Sum statistic to calculate the total number of throttled calls in a category.
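The table above leans on the CloudWatch statistics (Sum, Sample Count, Average, and the Math expression Sample Count minus Sum) to turn 1/0 datapoints into success, total and failure counts. The following Python is an added illustration, not code from the original page or from the TrueWatch script: it reproduces those statistics per (UserPool, UserPoolClient) pair over a constructed set of SignInSuccesses-style datapoints, and surfaces pools that received requests carrying the fixed Invalid client value, which the table describes as the value Cognito substitutes for an unrecognised client.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Datapoint:
    """One published datapoint: 1 on success, 0 on failure (throttled attempts also publish 0)."""
    user_pool: str
    client: str
    value: int


# Constructed sample, not real CloudWatch data. Pool and client names are made up;
# "Invalid" is the fixed client value described in the metrics table.
SAMPLE = [
    Datapoint("pool-A", "client-web", 1),
    Datapoint("pool-A", "client-web", 1),
    Datapoint("pool-A", "client-web", 0),
    Datapoint("pool-A", "Invalid", 0),
    Datapoint("pool-A", "Invalid", 0),
    Datapoint("pool-B", "client-mobile", 1),
]


def statistics(points):
    """Compute, per (UserPool, UserPoolClient), the statistics the table refers to.

    Sum               -> successful requests
    SampleCount       -> all requests
    Average           -> success ratio
    SampleCount - Sum -> failed requests (the CloudWatch Math expression)
    """
    grouped = defaultdict(list)
    for p in points:
        grouped[(p.user_pool, p.client)].append(p.value)
    result = {}
    for key, values in grouped.items():
        sample_count = len(values)
        total = sum(values)
        result[key] = {
            "Sum": total,
            "SampleCount": sample_count,
            "Average": total / sample_count,  # groups are never empty here
            "Failures": sample_count - total,
        }
    return result


def pools_with_invalid_client(stats):
    """Pools that saw requests with an unrecognised client id, a useful signal to alert on."""
    return sorted({pool for (pool, client) in stats if client == "Invalid"})
```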

View Threat Protection Metrics

Each entry lists the metric name, its namespace, a description, and its dimensions.

CompromisedCredentialRisk
  Namespace: AWS/Cognito
  Description: Requests in which Amazon Cognito detected compromised credentials
  Dimensions:
    • Operation: operation type (PasswordChange, SignIn, or SignUp)
    • UserPoolId: identifier of the user pool
    • RiskLevel: High (default), Medium, or Low

AccountTakeoverRisk
  Namespace: AWS/Cognito
  Description: Requests in which Amazon Cognito detected account takeover risk
  Dimensions:
    • Operation: operation type (PasswordChange, SignIn, or SignUp)
    • UserPoolId: identifier of the user pool
    • RiskLevel: High, Medium, or Low

OverrideBlock
  Namespace: AWS/Cognito
  Description: Requests blocked by Amazon Cognito due to developer-provided configuration
  Dimensions:
    • Operation: operation type (PasswordChange, SignIn, or SignUp)
    • UserPoolId: identifier of the user pool
    • RiskLevel: High, Medium, or Low

Risk
  Namespace: AWS/Cognito
  Description: Requests flagged as risky by Amazon Cognito
  Dimensions:
    • Operation: operation type (PasswordChange, SignIn, or SignUp)
    • UserPoolId: identifier of the user pool

NoRisk
  Namespace: AWS/Cognito
  Description: Requests in which Amazon Cognito did not identify any risk
  Dimensions:
    • Operation: operation type (PasswordChange, SignIn, or SignUp)
    • UserPoolId: identifier of the user pool