
Amazon Cognito Integration

The Next Level3 AWS Cognito integration is designed for existing applications or sites that use AWS Cognito for authentication. It lets you add Account Protection to any application that leverages AWS Cognito User Pools for sign-in, without changing the application's own login flow.

Prerequisites

Requirements:

– Application authenticated via Amazon Cognito User Pools
– Next Level3 Company Account
– Signing Key created for an application in the Next Level3 Company Portal

Account Protection

ADDING ACCOUNT PROTECTION TO AMAZON COGNITO

The first step to add an NL3 Account Protection Check to an existing application that uses Amazon Cognito User Pools for authentication is to create a Lambda function that performs the lock check. Here is some sample Python code:

import json
import os
import requests
import base64
import logging
from datetime import datetime, timezone
import jwt

def getLockStatus(token, api_uri, api_path, validationData):
  responseDict = {}
  try:
    headers_dict = {"x-nl3-authorization-token": token, "Content-Type": "application/json"}
    data_dict = {
      "userIP": validationData["ip"],
      "userDevice": validationData["device"],
      "userLocation": validationData["location"],
      "integrationType": "cognito",
      "integrationData": json.loads(validationData["additionalData"])
    }
    # A bounded timeout stops a slow API call from consuming the Lambda's whole execution window
    # (the 5 second value is an assumption, not an NL3 requirement)
    response = requests.post("".join([api_uri, api_path]), headers=headers_dict, json=data_dict, timeout=5)
    responseDict = response.json()
  except Exception as e:
    # Any transport or parsing error yields a response without a "locked" key,
    # so the handler below treats it as "not locked" (fail open)
    responseDict = { "message": str(e) }

  return responseDict

def lambda_handler(event, context):
  # Only the app client this integration was configured for is checked;
  # any other client in the same User Pool passes through unchanged
  if event["callerContext"]["clientId"] == os.environ["CLIENT_ID"]:
    username = event["userName"]
    # Timezone-aware "now": a naive utcnow().timestamp() is interpreted as local time
    now = datetime.now(timezone.utc).timestamp()
    claims = {
      "iss": os.environ["APP_URI"],
      "iat": now - 60,          # backdated one minute to tolerate clock skew
      "exp": now + (5 * 60),    # short-lived token: five minutes
      "aud": os.environ["API_URI"],
      "sub": username
    }
    ### Ideally the Signing Key would be stored and retrieved from a secrets manager
    ### and not an environment variable
    decodedDomainToken = base64.b64decode(os.environ["SIGNING_KEY"])
    token = jwt.encode(
      payload=claims,
      key=decodedDomainToken,
      algorithm="HS256"       # PyJWT's default, stated explicitly
    )
    response = getLockStatus(token, os.environ["API_URI"], os.environ["API_PATH"], event["request"]["validationData"])
    if response.get("locked", False):
      # Raising from a Pre authentication trigger makes Cognito reject the sign-in
      raise Exception(os.environ["LOCKED_MESSAGE"])

  # Return the unmodified event to Amazon Cognito (required for every code path)
  return event

The next step is to configure the Amazon Cognito User Pool to call this Lambda function as a “Pre authentication” trigger: open the User Pool, select “Triggers” under “General Settings” in the side menu, and then select the function you created in the drop-down box under “Pre authentication” as follows:
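To exercise the trigger's decision logic locally, without AWS or the PyJWT and requests dependencies, here is an added example that is not part of the Next Level3 documentation. It re-implements the HS256 signing with the standard library, shows the checks the receiving API has to make on the token (signature, issuer, audience, validity window), and makes the lock check an injectable function so the fail-open behaviour of the sample Lambda (an API error produces no "locked" key, so the login proceeds) can be observed and, with `fail_closed=True`, reversed. The client id, URIs, signing key and Cognito event are constructed values.

```python
import base64, hashlib, hmac, json, time

# Constructed sample configuration for local testing; not real credentials.
SIGNING_KEY_B64 = base64.b64encode(b"constructed-test-signing-key").decode()
CLIENT_ID, APP_URI, API_URI = "constructed-client-id", "https://app.example.test", "https://api.example.test"
# Constructed Cognito PreAuthentication event carrying the fields the trigger reads.
SAMPLE_EVENT = {"userName": "alice", "callerContext": {"clientId": CLIENT_ID},
                "request": {"validationData": {"ip": "203.0.113.7", "device": "web",
                                               "location": "unknown", "additionalData": "{}"}}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _hs256(key_b64: str, signing_input: str) -> str:
    return _b64url(hmac.new(base64.b64decode(key_b64), signing_input.encode(), hashlib.sha256).digest())

def sign_hs256(claims: dict, key_b64: str) -> str:
    """Stdlib equivalent of PyJWT's jwt.encode(claims, key, algorithm="HS256")."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_hs256(key_b64, signing_input)}"

def verify_hs256(token: str, key_b64: str, now: float) -> dict:
    """What the receiving API must check: signature first, then issuer, audience and validity window."""
    header, payload, sig = token.split(".")
    if not hmac.compare_digest(_hs256(key_b64, f"{header}.{payload}"), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["iss"] != APP_URI or claims["aud"] != API_URI or not claims["iat"] <= now < claims["exp"]:
        raise ValueError("claims rejected")
    return claims

def build_claims(username: str, now: float) -> dict:
    # Same window as the Lambda: issued-at backdated 60 s for clock skew, 5 minute lifetime.
    return {"iss": APP_URI, "iat": int(now - 60), "exp": int(now + 300), "aud": API_URI, "sub": username}

def pre_auth(event: dict, lock_check, fail_closed: bool = False) -> dict:
    """Decision logic of the trigger; lock_check(token, validationData) stands in for the HTTPS call."""
    if event["callerContext"]["clientId"] != CLIENT_ID:
        return event  # other app clients in the pool pass through unchecked
    token = sign_hs256(build_claims(event["userName"], time.time()), SIGNING_KEY_B64)
    try:
        resp = lock_check(token, event["request"]["validationData"])
    except Exception as e:  # transport or API error: the response carries no "locked" key
        resp = {"message": str(e)}
    if resp.get("locked", False) or (fail_closed and "locked" not in resp):
        raise Exception("Account is locked or lock status unavailable")
    return event
```

Whether an unreachable lock API should allow or deny sign-in is a policy choice; the default above mirrors the sample Lambda (allow), and `fail_closed=True` shows the stricter alternative.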
