add explicit token duration config for both JWTs (#1698)

- Enhancement - Add explicit token duration (60 min) over default 60 min - #1682 Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
data-dot-all · Dec 4, 2024 · 757abdd · 757abdd
1 parent 48b6b76
commit 757abdd
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/deploy/stacks/cognito.py b/deploy/stacks/cognito.py
@@ -21,6 +21,7 @@
 from .pyNestedStack import pyNestedClass
 from .solution_bundling import SolutionBundling
 from .waf_rules import get_waf_rules
+from .iam_utils import get_tooling_account_external_id
 
 
 class IdpStack(pyNestedClass):
@@ -99,13 +100,16 @@ def __init__(
                 domain_prefix=f"{resource_prefix.replace('-', '')}{envname}{self.region.replace('-', '')}{self.account}"
             ),
         )
+        jwt_token_duration = 180 if with_approval_tests else 60
         self.client = cognito.UserPoolClient(
             self,
             f'AppClient-{envname}',
             user_pool=self.user_pool,
             auth_flows=AuthFlow(user_password=with_approval_tests, user_srp=True, custom=True),
             prevent_user_existence_errors=True,
             refresh_token_validity=Duration.minutes(cognito_user_session_timeout_inmins),
+            id_token_validity=Duration.minutes(jwt_token_duration),
+            access_token_validity=Duration.minutes(jwt_token_duration),
         )
 
         if enable_cw_rum:
@@ -198,6 +202,7 @@ def __init__(
             f'{resource_prefix}-{envname}-cognito-config-role',
             role_name=f'{resource_prefix}-{envname}-cognito-config-role',
             assumed_by=iam.AccountPrincipal(tooling_account_id),
+            external_ids=[get_tooling_account_external_id(self.account)],
         )
         cross_account_frontend_config_role.add_to_policy(
             iam.PolicyStatement(