cognito: Add configuration for Threat Protection enforcement level for the UserPool construct

[sashee]

Describe the feature

I could not find any way to set the Threat protection when using the UserPool construct.

To enable auth events logging I could configure the FeaturePlan but then there is no way to set the pool to audit.

This is possible with the CfnUserPool construct.

This should be configurable with the UserPool construct as well.

Use Case

I want to see the login, password change, and other events for users in a user pool. For this, I need to set two things:

• pricing plan to Plus
• threat protection level to AUDIT

Proposed Solution

No response

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.176.0

Environment details (OS name and version, etc.)

Linux

[sashee]

As a workaround, it seems like it's possible to override it with a propertyOverride:

    const pool = new aws_cognito.UserPool(
      this,
      "Pool",
      {
        // ....
        featurePlan: aws_cognito.FeaturePlan.PLUS,
      }
    );

    pool.node.defaultChild.addPropertyOverride("UserPoolAddOns", {AdvancedSecurityMode: "AUDIT"});

[pahud]

Yes, while property override is always a working hack. We welcome PRs from the community to expose this to L2.

[badmintoncryer]

@sashee
You can configure this using the advancedSecurityMode property. However, this parameter has been deprecated...

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts#L1162

[IkeNefcy]

I'm not sure that deprecating was the right move. I think the change was maybe not fully understood.
Feature Plans (what the deprecation message says it was changing to) is only a method of unlocking new features. It's only a pricing change, then you can do more things. This Threat Protection is actually totally untouchable unless you are on the 3rd plan for this user pool (as mentioned in this issue's description). Once you unlock it, you still need to set the auth type etc in the Thread Protection tab.
What I'm saying is, Feature Plans is not a replacement for Threat Protection, and this should not have been deprecated. Instead we should consider 2 things.

• Is there a CFN for deciding the Feature Plan?
  • If Yes then we should add that feature and checks on AdvancedSecurityMode to check if that feature is enabled or not.
  • If No then get cfn coverage and in the mean team add a warning that AdvancedSecurityMode may not work correctly if the feature plan is not enabled. (Using AdvancedSecurityMode in CFN might even enable it automatically, still researching)

There already is a featurePlan? arg ! so perhaps we just need to un-deprecate advancedSecurityMode?

[IkeNefcy]

found #32367

[IkeNefcy]

more clarity that "Advanced Security" is deprecated in the sense that they just don't use that name. Rather it's now called "Threat protection", but the options are exactly the same.

However the name is the same in the l1
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.CfnUserPool.UserPoolAddOnsProperty.html
and I doubt cfn is going to change this behavior, since it would be mega breaking. So we just need to rename it in CDK potentially ?