AWS Cognito
The AWS Cognito metrics displayed include the number of user pools, user login requests, user registrations, throttled user login requests, token refreshes, and so on.
Configuration
Install Func
It is recommended to enable Guance Integration - Extension - DataFlux Func (Automata): all prerequisites are installed automatically, so you can proceed directly to the script installation.
If you deploy Func yourself, refer to Self-deployed Func.
Installation Script
Note: Please prepare the required Amazon AK in advance (for simplicity, you can directly grant the global read-only permission ReadOnlyAccess).
Managed Version Activation Script
- Log in to the Guance console.
- Click on the 【Integration】 menu and select 【Cloud Account Management】.
- Click 【Add Cloud Account】, select 【AWS】, and fill in the required information on the interface; if cloud account information has been configured before, ignore this step.
- Click 【Test】. After a successful test, click 【Save】. If the test fails, check whether the relevant configuration information is correct and retest.
- In the 【Cloud Account Management】 list, you can see the added cloud account. Click the corresponding cloud account to enter the details page.
- Click the 【Integration】 button on the cloud account details page. In the Not Installed list, find AWS Cognito, click the 【Install】 button, and install it from the pop-up installation interface.
Manual Activation Script
- Log in to the Func console, click 【Script Market】, enter the official script market, and search for guance_aws_cognito.
- After clicking 【Install】, input the corresponding parameters: AWS AK ID, AK Secret, and account name.
- Click 【Deploy Startup Script】; the system will automatically create a Startup script set and configure the corresponding startup script.
- After enabling, you can see the corresponding automatic trigger configuration in 「Manage / Automatic Trigger Configuration」. Click 【Execute】 to run it immediately without waiting for the scheduled time. After a short wait, you can view the execution task records and the corresponding logs.
By default, a subset of metrics is collected; see the Metrics section for details.
Verification
- Confirm in 「Manage / Automatic Trigger Configuration」 that the corresponding tasks have corresponding automatic trigger configurations, and at the same time, you can check the corresponding task records and logs to ensure there are no abnormalities.
- In Guance, under 「Infrastructure / Custom」, check if asset information exists.
- In Guance, under 「Metrics」, check if there are corresponding monitoring data.
Metrics
After configuring Amazon CloudWatch, the default measurement set is as follows. Additional metrics can be collected through configuration:
Amazon CloudWatch AWS Cognito Metrics Details
Metric Name | Description | Unit | Metric Dimensions |
---|---|---|---|
SignUpSuccesses | Provides the total number of successful user registration requests sent to Amazon Cognito user pools. A successful user registration request generates a value of 1, while an unsuccessful request generates a value of 0. Restricted requests are also considered unsuccessful, so a restricted request will also produce a count of 0. To find the percentage of successful user registration requests, use the Average statistics for this metric. To calculate the total number of user registration requests, use the Sample Count statistics for this metric. To calculate the total number of successful user registration requests, use the Sum statistics for this metric. To calculate the total number of failed user registration requests, use CloudWatch Math expressions and subtract the Sum statistics data from the Sample Count data. This metric is published for each user pool client. If user registration is performed by an administrator, the metric is published with Admin identity along with the user pool client. Note that this metric is not issued for user import and user migration cases. | Count | UserPool, UserPoolClient |
SignUpThrottles | Provides the total number of successful user authentication requests sent to Amazon Cognito user pools. User authentication is considered successful when an authentication token is issued to the user. A successful authentication generates a value of 1, while an unsuccessful request generates a value of 0. Restricted requests are also considered unsuccessful, so a restricted request will also produce a count of 0. To find the percentage of successful user authentication requests, use the Average statistics for this metric. To calculate the total number of user authentication requests, use the Sample Count statistics for this metric. To calculate the total number of successful user authentication requests, use the Sum statistics for this metric. To calculate the total number of failed user authentication requests, use CloudWatch Math expressions and subtract the Sum statistics data from the Sample Count data. This metric is published for each user pool client. If an invalid user pool client is provided in the request, the corresponding user pool client value in the metric will contain a fixed value Invalid instead of the actual invalid value sent in the request. Note that Amazon Cognito token refresh requests are not included in this metric. There is a separate metric that provides Refresh token statistics. | Count | UserPool, UserPoolClient |
SignInSuccesses | Provides the total number of restricted user authentication requests sent to Amazon Cognito user pools. When an authentication request is restricted, a count of 1 is published. To calculate the total number of restricted user authentication requests, use the Sum statistics for this metric. This metric is published for each user pool client. If an invalid user pool client is provided in the request, the corresponding user pool client value in the metric will contain a fixed value Invalid instead of the actual invalid value sent in the request. Amazon Cognito token refresh requests are not included in this metric. There is a separate metric that provides Refresh token statistics. | Count | Sum |
SignInThrottles | Provides the total number of restricted user authentication requests sent to Amazon Cognito user pools. When an authentication request is restricted, a count of 1 is published. To calculate the total number of restricted user authentication requests, use the Sum statistics for this metric. This metric is published for each user pool client. If an invalid user pool client is provided in the request, the corresponding user pool client value in the metric will contain a fixed value Invalid instead of the actual invalid value sent in the request. Amazon Cognito token refresh requests are not included in this metric. There is a separate metric that provides Refresh token statistics. | Count | UserPool, UserPoolClient |
TokenRefreshSuccesses | Provides the total number of successful Amazon Cognito token refresh requests sent to Amazon Cognito user pools. A successful Amazon Cognito token refresh request generates a value of 1, while an unsuccessful request generates a value of 0. Restricted requests are also considered unsuccessful, so a restricted request will also produce a count of 0. To find the percentage of successful Amazon Cognito token refresh requests, use the Average statistics for this metric. To calculate the total number of Amazon Cognito token refresh requests, use the Sample Count statistics for this metric. To calculate the total number of successful Amazon Cognito token refresh requests, use the Sum statistics for this metric. To calculate the total number of failed Amazon Cognito token refresh requests, use CloudWatch Math expressions and subtract the Sum statistics data from the Sample Count data. This metric is published for each user pool client. If there is an invalid user pool client in the request, the user pool client value contains a fixed value Invalid. | Count | UserPool, UserPoolClient |
TokenRefreshThrottles | Provides the total number of restricted Amazon Cognito token refresh requests sent to Amazon Cognito user pools. When an Amazon Cognito token refresh request is restricted, a count of 1 is published. To calculate the total number of restricted Amazon Cognito token refresh requests, use the Sum statistics for this metric. This metric is published for each user pool client. If an invalid user pool client is provided in the request, the corresponding user pool client value in the metric will contain a fixed value Invalid instead of the actual invalid value sent in the request. | Bytes | UserPool, UserPoolClient |
FederationSuccesses | Provides the total number of successful federation authentication requests sent to Amazon Cognito user pools. When Amazon Cognito issues an authentication token to the user, federation authentication is considered successful. A successful federation authentication request generates a value of 1, while an unsuccessful request generates a value of 0. Throttled requests and requests that generate authorization codes but no tokens generate a value of 0. To find the percentage of successful federation authentication requests, use the Average statistics for this metric. To calculate the total number of federation authentication requests, use the Sample Count statistics for this metric. To calculate the total number of successful federation authentication requests, use the Sum statistics for this metric. To calculate the total number of failed federation requests, use CloudWatch Math expressions and subtract the Sum statistics data from the Sample Count data. | Count | UserPool, UserPoolClient, IdentityProvider |
FederationThrottles | Provides the total number of restricted federation authentication requests sent to Amazon Cognito user pools. When a federation authentication request is restricted, a count of 1 is published. To calculate the total number of restricted federation authentication requests, use the Sum statistics for this metric. | Count | UserPool, UserPoolClient, IdentityProvider |
CallCount | Provides the total number of calls related to categories issued by customers. This metric includes all calls, such as throttled calls, failed calls, and successful calls. Each AWS account must use category quotas across all user pools in the account and region. You can use the Sum statistics for this metric to calculate the total number of calls. | Count | Service, Type, Resource, Class |
ThrottleCount | Provides the total number of throttled calls related to categories. This metric is published at the account level. You can use the Sum statistics for this metric to calculate the total number of calls in a category. | Count | Service, Type, Resource, Class |
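The 0/1-per-request encoding the table describes means the per-period statistics map directly onto counts: SampleCount is the request total, Sum the successes, Average the success rate, and SampleCount minus Sum the failures. The example below (added here; not code from the Guance page or the guance_aws_cognito script) applies that arithmetic to constructed GetMetricStatistics-style datapoints for SignInSuccesses, flags periods whose failure share looks like a credential-stuffing burst, and builds the equivalent GetMetricData query with the CloudWatch Math expression. The user pool id, client id and thresholds are placeholders.

```python
# Added example: turn SignInSuccesses statistics into sign-in counts and
# a simple failure-burst check. Datapoints below are constructed, not real.
SAMPLE_DATAPOINTS = [
    {"Timestamp": "2024-01-01T00:00:00Z", "SampleCount": 40.0, "Sum": 38.0},
    {"Timestamp": "2024-01-01T00:05:00Z", "SampleCount": 42.0, "Sum": 39.0},
    # third period: high volume, almost all failed -> worth alerting on
    {"Timestamp": "2024-01-01T00:10:00Z", "SampleCount": 500.0, "Sum": 30.0},
]


def sign_in_summary(dp):
    """Derive total / successes / failures / rate from one datapoint
    (each Cognito request publishes 1 on success, 0 otherwise)."""
    total = int(dp["SampleCount"])       # Sample Count statistic
    successes = int(dp["Sum"])           # Sum statistic
    return {
        "timestamp": dp["Timestamp"],
        "total": total,
        "successes": successes,
        "failures": total - successes,   # the CloudWatch Math expression
        "success_rate": successes / total if total else None,  # == Average
    }


def flag_failure_bursts(datapoints, min_requests=100, max_success_rate=0.5):
    """Return periods with enough volume AND a low success rate (thresholds
    are assumed placeholders; tune them to the pool's normal traffic)."""
    flagged = []
    for dp in datapoints:
        s = sign_in_summary(dp)
        rate = s["success_rate"]
        if s["total"] >= min_requests and rate is not None and rate < max_success_rate:
            flagged.append(s)
    return flagged


def metric_data_queries(user_pool_id, client_id, period=300):
    """Build GetMetricData queries computing failed sign-ins server-side via
    metric math (Ids must be lowercase-initial; placeholders for ids)."""
    dims = [{"Name": "UserPool", "Value": user_pool_id},
            {"Name": "UserPoolClient", "Value": client_id}]
    metric = {"Namespace": "AWS/Cognito", "MetricName": "SignInSuccesses",
              "Dimensions": dims}
    return [
        {"Id": "total", "MetricStat": {"Metric": metric, "Period": period, "Stat": "SampleCount"}},
        {"Id": "ok", "MetricStat": {"Metric": metric, "Period": period, "Stat": "Sum"}},
        {"Id": "failed", "Expression": "total - ok", "Label": "Failed sign-ins"},
    ]
```

Pass the returned list as `MetricDataQueries` to boto3's `cloudwatch.get_metric_data` together with the time range; the same pattern works for SignUpSuccesses, TokenRefreshSuccesses and FederationSuccesses.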
View Threat Protection Metrics
Metric Name | Description | Metric Dimensions | Namespace |
---|---|---|---|
CompromisedCredentialRisk | Requests where Amazon Cognito detects leaked credentials | | AWS/Cognito |
AccountTakeoverRisk | Requests where Amazon Cognito detects account takeover risks | | AWS/Cognito |
OverrideBlock | Requests blocked by Amazon Cognito due to developer-provided configurations | | AWS/Cognito |
Risk | Requests marked as risky by Amazon Cognito | | AWS/Cognito |
NoRisk | Requests where Amazon Cognito does not identify any risks | | AWS/Cognito |