
v1.2.1

@tawoyinfa tawoyinfa released this 07 Nov 09:27
· 13 commits to main since this release

Release Notes: Pre-Token Generation Lambda Trigger - Security Enhancement

Security Issue Resolved

  • Fixed a critical vulnerability: users removed from an IdC admin group could temporarily retain admin privileges through the API
  • Previously, Cognito group membership was synchronized with IdC only after the tokens had been generated, so a removed admin still received one final token set carrying the elevated group claim
  • By refreshing those tokens, a user removed from an IdC admin group could keep admin API access for up to 24 hours

Technical Solution

  • Implemented a pre-token generation Lambda trigger in the Cognito authentication flow
  • Moved the group membership synchronization logic so it runs before the token claims are built
  • Ensures the issued JWTs carry only the group memberships the user currently holds in IdC
  • Prevents a removed admin from receiving further tokens with the admin group claim

Impact

This security enhancement ensures:

  • IdC group membership changes are enforced on the next token issuance, including refresh-token exchanges
  • No further tokens carrying the admin group claim are issued after removal from the IdC admin group
  • Consistent security state between IdC group membership and the access granted through Cognito
  • Closes the window in which a removed admin could still call privileged APIs with stale claims

Technical Details

  • Added a Lambda trigger to the Cognito User Pool's pre-token generation phase
  • Validates the user's current IdC group memberships before the token claims are generated
  • Synchronizes the Cognito group claim with IdC groups at every token issuance
  • Prevents generation of tokens that carry stale admin group membership
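The trigger logic described under Technical Solution and Technical Details, as an added example (not the project's own code): a Pre Token Generation Lambda handler (V1 event shape) that re-derives the `cognito:groups` claim from the caller's current IdC memberships on every issuance, including `TokenGeneration_RefreshTokens`. The IdC lookup is a constructed in-memory stand-in for an `identitystore` query, and the group names and the IdC-to-Cognito mapping are assumptions for illustration.

```python
"""Cognito pre-token generation handler that rebuilds the group claim from the
caller's current IdC memberships on every token issuance, including refresh.
Added example: not the project's own code. The IdC lookup is a constructed
in-memory stand-in for identitystore:ListGroupMembershipsForMember."""
import logging
from typing import Callable, Dict, List

log = logging.getLogger(__name__)

# Constructed IdC directory (group names are illustrative assumptions).
# "bob" was removed from the admin group and must lose the Admins claim.
CONSTRUCTED_IDC_DIRECTORY: Dict[str, List[str]] = {
    "alice": ["idc-admins", "idc-developers"],
    "bob": ["idc-developers"],
}

# Assumed mapping from IdC group names to the Cognito groups the app authorizes on.
IDC_TO_COGNITO_GROUP = {
    "idc-admins": "Admins",
    "idc-developers": "Developers",
}

# All V1 trigger sources; the sync must also run on refresh-token exchanges.
TRIGGER_SOURCES = {
    "TokenGeneration_HostedAuth",
    "TokenGeneration_Authentication",
    "TokenGeneration_NewPasswordChallenge",
    "TokenGeneration_AuthenticateDevice",
    "TokenGeneration_RefreshTokens",
}


def lookup_idc_groups(username: str) -> List[str]:
    """Stand-in for the live IdC query; a user absent from IdC has no memberships."""
    return list(CONSTRUCTED_IDC_DIRECTORY.get(username, []))


def current_cognito_groups(username: str,
                           lookup: Callable[[str], List[str]] = lookup_idc_groups) -> List[str]:
    """Cognito groups the user is entitled to right now, derived from IdC.
    IdC groups with no Cognito mapping are dropped; a user missing from IdC
    gets no groups at all (fail closed rather than trusting stale Cognito state)."""
    groups = {IDC_TO_COGNITO_GROUP[g] for g in lookup(username) if g in IDC_TO_COGNITO_GROUP}
    return sorted(groups)


def handler(event: dict, context=None,
            lookup: Callable[[str], List[str]] = lookup_idc_groups) -> dict:
    """Pre-token generation (V1): replace the groups Cognito would put into
    cognito:groups with the ones IdC reports at this moment."""
    source = event.get("triggerSource", "")
    if source not in TRIGGER_SOURCES:
        log.warning("unexpected triggerSource %r; syncing anyway", source)

    username = event["userName"]
    stale = event.get("request", {}).get("groupConfiguration", {}).get("groupsToOverride", [])
    fresh = current_cognito_groups(username, lookup)
    if set(stale) != set(fresh):
        log.info("group drift for %s: cognito=%s idc=%s", username, sorted(stale), fresh)

    # groupOverrideDetails replaces the group claim in the issued tokens.
    event.setdefault("response", {})["claimsOverrideDetails"] = {
        "groupOverrideDetails": {"groupsToOverride": fresh},
    }
    return event


def make_event(username: str, cognito_groups: List[str], source: str) -> dict:
    """Constructed minimal V1 pre-token generation event for local testing."""
    return {
        "version": "1",
        "triggerSource": source,
        "userName": username,
        "request": {
            "userAttributes": {"sub": f"sub-{username}"},
            "groupConfiguration": {"groupsToOverride": list(cognito_groups)},
        },
        "response": {},
    }


def issued_groups(event: dict) -> List[str]:
    """Groups that will end up in the issued tokens after the trigger ran."""
    return event["response"]["claimsOverrideDetails"]["groupOverrideDetails"]["groupsToOverride"]


if __name__ == "__main__":
    # bob still has Admins in Cognito (stale) but IdC now says Developers only;
    # a refresh must not hand him another admin token.
    ev = handler(make_event("bob", ["Admins", "Developers"], "TokenGeneration_RefreshTokens"))
    print(issued_groups(ev))  # ['Developers']
```

A real deployment replaces `lookup_idc_groups` with a boto3 `identitystore` call, which puts IdC on the critical path of every sign-in and refresh; the fail-closed choice above (no IdC record, no groups) is deliberate, since falling back to the stale Cognito groups would reopen the window this release closes. Overriding groups does not touch tokens that are already issued, which is why existing sessions must still expire or be revoked.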

Requirements

  • Update to the latest version to receive this security enhancement
  • No configuration changes are needed; the trigger is enforced automatically on every token issuance
  • Tokens issued before the upgrade keep their claims until they expire or are revoked; for any user whose admin access was recently removed, revoke their sessions (for example with AdminUserGlobalSignOut) rather than waiting for expiry