ustaxcourt / ef-cms

An Electronic Filing / Case Management System.
https://dawson.ustaxcourt.gov/

Ensure important Cognito events are logged. #732

Open adunkman opened 3 years ago

adunkman commented 3 years ago

As introduced in https://github.com/ustaxcourt/ef-cms/pull/719, our Logging in EF-CMS documentation highlights a few key logging blind spots in Cognito:

If we shift approaches to use Cognito through EF-CMS API requests, our standard logging would capture these events.

mark-meyer commented 3 years ago

One note regarding brute force attempts at logging in. Cognito appears to rate limit failed logins:

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

We allow five failed sign-in attempts. After that we start temporary lockouts with exponentially increasing times starting at 1 second and doubling after each failed attempt up to about 15 minutes. Attempts during a temporary lockout period are ignored. After the temporary lockout period, if the next attempt fails, a new temporary lockout starts with twice the duration as the last. Waiting about 15 minutes without any attempts will also reset the temporary lockout. Please note that this behavior is subject to change.
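Added example, not EF-CMS or AWS code: a model of the lockout rules quoted above, which shows which failed attempts Cognito silently ignores and therefore never surfaces, the gap the EF-CMS API layer would have to log itself. The `LockoutTracker` class, the 15-minute cap, the idle reset and the success-clears-counter rule are assumptions read from the quoted text, which itself says the behaviour may change.

```javascript
// Added example, not EF-CMS or AWS code: models the Cognito lockout rules
// quoted from the AWS docs above. Values and idle-reset handling are
// assumptions read from that text, which says the behaviour may change.
const FREE_ATTEMPTS = 5;                 // failures before lockouts begin
const INITIAL_LOCKOUT_MS = 1000;         // first lockout: 1 second
const MAX_LOCKOUT_MS = 15 * 60 * 1000;   // "up to about 15 minutes"
const RESET_IDLE_MS = 15 * 60 * 1000;    // idle gap that resets the lockout

// Lockout length after the given total number of failures (0 = none).
function lockoutDurationMs(failures) {
  if (failures <= FREE_ATTEMPTS) return 0;
  const doublings = failures - FREE_ATTEMPTS - 1; // 6th failure -> 0 doublings
  return Math.min(INITIAL_LOCKOUT_MS * 2 ** doublings, MAX_LOCKOUT_MS);
}

class LockoutTracker {
  constructor() {
    this.state = new Map(); // user -> { failures, lockedUntil, lastAttempt }
  }

  // Record a failed sign-in for `user` at time `now` (ms). Returns whether
  // Cognito would ignore the attempt and when the current lockout ends.
  recordFailure(user, now) {
    let s = this.state.get(user) ?? { failures: 0, lockedUntil: 0, lastAttempt: 0 };
    // Assumption: an idle gap of ~15 min resets the state, ignored attempts included.
    if (s.lastAttempt && now - s.lastAttempt >= RESET_IDLE_MS) {
      s = { failures: 0, lockedUntil: 0, lastAttempt: 0 };
    }
    s.lastAttempt = now;
    if (now < s.lockedUntil) {
      // Attempts during a temporary lockout are ignored: this is the event
      // Cognito itself will not surface, so the API layer must log it.
      this.state.set(user, s);
      return { ignored: true, lockedUntil: s.lockedUntil };
    }
    s.failures += 1;
    const duration = lockoutDurationMs(s.failures);
    s.lockedUntil = duration ? now + duration : 0;
    this.state.set(user, s);
    return { ignored: false, lockedUntil: s.lockedUntil };
  }

  // Assumption: a successful sign-in clears the counter (the docs do not say).
  recordSuccess(user) {
    this.state.delete(user);
  }
}
```

Every `ignored: true` result is a sign-in attempt that would only ever be visible in EF-CMS's own request logs, never in Cognito.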

adunkman commented 3 years ago

I really wish they logged in a place we could see. :sigh: