fix(cognito): fix logging behaviour for user pool client custom resource

[shikha372]

Issue # (if applicable)

GHSA GHSA-qq4x-c6h6-rfxh

Reason for this change

Problem Summary

Cognito User Pool Client secret being logged by a custom resource lambda function in the AWS Cloud Development Kit (CDK).

Root Cause

If the customer opts to generate a secret for the app client and refers to the field userPoolClientSecret, the getter method in CDK get userPoolClientSecret() triggers the creation of an AwsCustomResource to retrieve the client secret using an SDK API call (describeUserPoolClient). However, the API response includes the client secret value, which gets logged in the Lambda function.

Description of changes

• Change the logging behaviour in custom resource to hide logging of data associated with the API call response using Logging.withDataHidden().
• Add feature flag @aws-cdk/cognito:logUserPoolClientSecretValue to keep the existing logging behaviour for customers, by default the value is set to false to fix the identified vulnerability.

Describe any new or updated permissions being added

None

Description of how you validated changes

• Added unit test for both cases of feature flag.
• Modified integ test with overriden feature flag default value.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.39%. Comparing base (a67c3f5) to head (9258290).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33983   +/-   ##
=======================================
  Coverage   82.39%   82.39%           
=======================================
  Files         120      120           
  Lines        6960     6960           
  Branches     1175     1175           
=======================================
  Hits         5735     5735           
  Misses       1120     1120           
  Partials      105      105           

Flag	Coverage Δ
suite.unit	82.39% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.39% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 9258290
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.