We are in the process of setting up API Gateway with a Lambda function behind it. The setup uses an AWS Cognito authorizer. We have the VPC endpoint for API Gateway so that it is reachable through a private IP.
But Cognito does not support PrivateLink, so we can't have a VPC endpoint for it. This means the token issued by Cognito has to travel from https://ourdomain.auth.ap-southeast-2.amazoncognito.com to the client over the internet.
The Cognito documentation says the following for data in transit:
" Encryption in transit
All requests to Amazon Cognito must be made over the Transport Layer Security protocol (TLS). Clients must support Transport Layer Security (TLS) 1.0 or later. We recommend TLS 1.2 or later. Clients must also support cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes."
According to the above, the token should be encrypted.
But I have following questions:
Is TLS (1.2) enforced for Cognito?
With encryption in transit being available, would security best practices still dictate having Cognito available through a VPC endpoint so that the token does not need to travel over the internet?
If a client application comes from an on-prem environment and accesses the API, and we make it go through a proxy in AWS, will the traffic remain on the AWS backbone network or still flow through the internet?
Is TLS (1.2) enforced for Cognito:
Unfortunately, no. For most API calls you could use API Gateway as a layer in between and enforce TLS 1.2 there. However, for the AUTHORIZATION and TOKEN endpoints this does not work. Alternatively, you can enforce it for all endpoints by deploying Cognito to the US regions and using the FIPS endpoints of Cognito there. See https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html for the available FIPS endpoints.
With encryption in transit being available, would security best practices still dictate having Cognito available through a VPC endpoint so that the token does not need to travel over the internet:
That all depends on your risk appetite. For most organizations, encryption will be sufficient. However if your risk appetite is lower, you'll want extra mitigations, following the "defense in depth" best practice. Private connectivity is just one option of many you could add. Monitoring on suspicious user activity and adaptive MFA are other methods for example.
If a client application comes from an on-prem environment and accesses the API, and we make it go through a proxy in AWS, will the traffic remain on the AWS backbone network or still flow through the internet?
As the API endpoints are public, they will go over the internet (public IP address, so it's routed to a NAT gateway or internet gateway).
EDIT: In this press release, AWS states all endpoints have a TLS 1.2 minimum: https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/. However, I haven't tested if this also applies to non-control-plane APIs like the ones mentioned above.