--- policy: /ce/ca/aws/cognito/user-pool-strong-password-policy logic: /ce/ca/aws/cognito/user-pool-strong-password-policy/prod.logic.yaml executionTime: 2026-04-25T12:02:20.140864329Z generationMs: 78 executionMs: 2072 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10A1__disappearanceTime__c) actual: isDisappeared(CA10A1__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10A1__passwordPolicyMinimumLength__c') < number(8.0) actual: extract('CA10A1__passwordPolicyMinimumLength__c') < number(8.0) runtimeError: {} - id: test3 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10A1__passwordPolicyIsRequireLowercase__c') != 'true' actual: extract('CA10A1__passwordPolicyIsRequireLowercase__c') != 'true' runtimeError: {} - id: test4 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: extract('CA10A1__passwordPolicyIsRequireUppercase__c') != 'true' actual: extract('CA10A1__passwordPolicyIsRequireUppercase__c') != 'true' runtimeError: {} - id: test5 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 499 actual: 499 conditionText: expected: extract('CA10A1__passwordPolicyIsRequireNumbers__c') != 'true' actual: extract('CA10A1__passwordPolicyIsRequireNumbers__c') != 'true' runtimeError: {} - id: test6 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 599 actual: 599 conditionText: expected: extract('CA10A1__passwordPolicyIsRequireSymbols__c') != 'true' actual: extract('CA10A1__passwordPolicyIsRequireSymbols__c') != 'true' runtimeError: {} - id: test7 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 699 actual: 699 conditionText: expected: extract('CA10A1__passwordPolicyTemporaryValidityDays__c') > number(7.0) actual: extract('CA10A1__passwordPolicyTemporaryValidityDays__c') > number(7.0) runtimeError: {} - id: test8 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 799 actual: 799 conditionText: expected: extract('CA10A1__passwordPolicyMinimumLength__c') >= number(8.0) && extract('CA10A1__passwordPolicyIsRequireLowercase__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireUppercase__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireNumbers__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireSymbols__c') == 'true' && extract('CA10A1__passwordPolicyTemporaryValidityDays__c') <= number(7.0) actual: extract('CA10A1__passwordPolicyMinimumLength__c') >= number(8.0) && extract('CA10A1__passwordPolicyIsRequireLowercase__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireUppercase__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireNumbers__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireSymbols__c') == 'true' && extract('CA10A1__passwordPolicyTemporaryValidityDays__c') <= number(7.0) runtimeError: {} usedFiles: - path: /ce/ca/aws/cognito/user-pool-strong-password-policy/policy.yaml md5Hash: D3CDDC289E1987A8EA726954736780C4 content: | --- names: full: "AWS Cognito User Pool Password Policy is not strong" contextual: "User Pool Password Policy is not strong" description: > Ensure that Amazon Cognito user pools enforce strong password requirements. Strong password policies require a minimum length, uppercase and lowercase letters, numbers, symbols, and a temporary password validity period of 7 days or fewer. type: "COMPLIANCE_POLICY" categories: - "SECURITY" frameworkMappings: - "/frameworks/cloudaware/identity-and-access-governance/credential-lifecycle-management" - "/frameworks/aws-fsbp-v1.0.0/cognito/03" similarPolicies: awsSecurityHub: - name: "[Cognito.3] Password policies for Cognito user pools should have strong configurations" url: "https://docs.aws.amazon.com/securityhub/latest/userguide/cognito-controls.html#cognito-3" - path: /ce/ca/aws/cognito/user-pool-strong-password-policy/prod.logic.yaml md5Hash: C34B038B642DD55AEA159A0532FB2081 content: | --- inputType: "CA10A1__CaAwsCognitoUserPool__c" importExtracts: - file: "/types/CA10A1__CaAwsCognitoUserPool__c/object.extracts.yaml" testData: - file: "test-data.json" conditions: - status: "INCOMPLIANT" currentStateMessage: "The Cognito user pool password policy minimum length is less than 8 characters." remediationMessage: "Set the Cognito user pool password policy minimum length to at least 8 characters." check: LESS_THAN: left: EXTRACT: "CA10A1__passwordPolicyMinimumLength__c" right: NUMBER: 8.0 - status: "INCOMPLIANT" currentStateMessage: "The Cognito user pool password policy does not require lowercase letters." remediationMessage: "Require at least one lowercase letter in the Cognito user pool password policy." check: NOT_EQUAL: left: EXTRACT: "CA10A1__passwordPolicyIsRequireLowercase__c" right: TEXT: "true" - status: "INCOMPLIANT" currentStateMessage: "The Cognito user pool password policy does not require uppercase letters." remediationMessage: "Require at least one uppercase letter in the Cognito user pool password policy." check: NOT_EQUAL: left: EXTRACT: "CA10A1__passwordPolicyIsRequireUppercase__c" right: TEXT: "true" - status: "INCOMPLIANT" currentStateMessage: "The Cognito user pool password policy does not require numbers." remediationMessage: "Require at least one number in the Cognito user pool password policy." check: NOT_EQUAL: left: EXTRACT: "CA10A1__passwordPolicyIsRequireNumbers__c" right: TEXT: "true" - status: "INCOMPLIANT" currentStateMessage: "The Cognito user pool password policy does not require symbols." remediationMessage: "Require at least one symbol in the Cognito user pool password policy." check: NOT_EQUAL: left: EXTRACT: "CA10A1__passwordPolicyIsRequireSymbols__c" right: TEXT: "true" - status: "INCOMPLIANT" currentStateMessage: "The Cognito user pool temporary password validity period is greater than 7 days." remediationMessage: "Set the Cognito user pool temporary password validity period to 7 days or fewer." check: GREATER_THAN: left: EXTRACT: "CA10A1__passwordPolicyTemporaryValidityDays__c" right: NUMBER: 7.0 - status: "COMPLIANT" currentStateMessage: "The Cognito user pool password policy requires a minimum\ \ length of at least 8 characters, requires uppercase and lowercase letters,\ \ numbers, and symbols, and limits temporary passwords to 7 days or fewer." check: AND: args: - GREATER_THAN_EQUAL: left: EXTRACT: "CA10A1__passwordPolicyMinimumLength__c" right: NUMBER: 8.0 - IS_EQUAL: left: EXTRACT: "CA10A1__passwordPolicyIsRequireLowercase__c" right: TEXT: "true" - IS_EQUAL: left: EXTRACT: "CA10A1__passwordPolicyIsRequireUppercase__c" right: TEXT: "true" - IS_EQUAL: left: EXTRACT: "CA10A1__passwordPolicyIsRequireNumbers__c" right: TEXT: "true" - IS_EQUAL: left: EXTRACT: "CA10A1__passwordPolicyIsRequireSymbols__c" right: TEXT: "true" - LESS_THAN_EQUAL: left: EXTRACT: "CA10A1__passwordPolicyTemporaryValidityDays__c" right: NUMBER: 7.0 otherwise: status: "UNDETERMINED" currentStateMessage: "Unexpected values were found in the Cognito user pool password policy settings." - path: /ce/ca/aws/cognito/user-pool-strong-password-policy/test-data.json md5Hash: C9B6FA71C4F2989B9931A5A9682F6C4F content: | [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10A1__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10A1__disappearanceTime__c": "2026-04-15T12:00:00Z", "CA10A1__passwordPolicyMinimumLength__c": 12, "CA10A1__passwordPolicyIsRequireLowercase__c": "true", "CA10A1__passwordPolicyIsRequireUppercase__c": "true", "CA10A1__passwordPolicyIsRequireNumbers__c": "true", "CA10A1__passwordPolicyIsRequireSymbols__c": "true", "CA10A1__passwordPolicyTemporaryValidityDays__c": 7, "Id": "test1" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "extract('CA10A1__passwordPolicyMinimumLength__c') < number(8.0)", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10A1__disappearanceTime__c": null, "CA10A1__passwordPolicyMinimumLength__c": 6, "CA10A1__passwordPolicyIsRequireLowercase__c": "true", "CA10A1__passwordPolicyIsRequireUppercase__c": "true", "CA10A1__passwordPolicyIsRequireNumbers__c": "true", "CA10A1__passwordPolicyIsRequireSymbols__c": "true", "CA10A1__passwordPolicyTemporaryValidityDays__c": 7, "Id": "test2" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "extract('CA10A1__passwordPolicyIsRequireLowercase__c') != 'true'", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10A1__disappearanceTime__c": null, "CA10A1__passwordPolicyMinimumLength__c": 12, "CA10A1__passwordPolicyIsRequireLowercase__c": "false", "CA10A1__passwordPolicyIsRequireUppercase__c": "true", "CA10A1__passwordPolicyIsRequireNumbers__c": "true", "CA10A1__passwordPolicyIsRequireSymbols__c": "true", "CA10A1__passwordPolicyTemporaryValidityDays__c": 7, "Id": "test3" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "399", "conditionText": "extract('CA10A1__passwordPolicyIsRequireUppercase__c') != 'true'", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10A1__disappearanceTime__c": null, "CA10A1__passwordPolicyMinimumLength__c": 12, "CA10A1__passwordPolicyIsRequireLowercase__c": "true", "CA10A1__passwordPolicyIsRequireUppercase__c": "false", "CA10A1__passwordPolicyIsRequireNumbers__c": "true", "CA10A1__passwordPolicyIsRequireSymbols__c": "true", "CA10A1__passwordPolicyTemporaryValidityDays__c": 7, "Id": "test4" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "499", "conditionText": "extract('CA10A1__passwordPolicyIsRequireNumbers__c') != 'true'", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10A1__disappearanceTime__c": null, "CA10A1__passwordPolicyMinimumLength__c": 12, "CA10A1__passwordPolicyIsRequireLowercase__c": "true", "CA10A1__passwordPolicyIsRequireUppercase__c": "true", "CA10A1__passwordPolicyIsRequireNumbers__c": "false", "CA10A1__passwordPolicyIsRequireSymbols__c": "true", "CA10A1__passwordPolicyTemporaryValidityDays__c": 7, "Id": "test5" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "599", "conditionText": "extract('CA10A1__passwordPolicyIsRequireSymbols__c') != 'true'", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10A1__disappearanceTime__c": null, "CA10A1__passwordPolicyMinimumLength__c": 12, "CA10A1__passwordPolicyIsRequireLowercase__c": "true", "CA10A1__passwordPolicyIsRequireUppercase__c": "true", "CA10A1__passwordPolicyIsRequireNumbers__c": "true", "CA10A1__passwordPolicyIsRequireSymbols__c": "false", "CA10A1__passwordPolicyTemporaryValidityDays__c": 7, "Id": "test6" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "699", "conditionText": "extract('CA10A1__passwordPolicyTemporaryValidityDays__c') > number(7.0)", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10A1__disappearanceTime__c": null, "CA10A1__passwordPolicyMinimumLength__c": 12, "CA10A1__passwordPolicyIsRequireLowercase__c": "true", "CA10A1__passwordPolicyIsRequireUppercase__c": "true", "CA10A1__passwordPolicyIsRequireNumbers__c": "true", "CA10A1__passwordPolicyIsRequireSymbols__c": "true", "CA10A1__passwordPolicyTemporaryValidityDays__c": 30, "Id": "test7" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "799", "conditionText": "extract('CA10A1__passwordPolicyMinimumLength__c') >= number(8.0) && extract('CA10A1__passwordPolicyIsRequireLowercase__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireUppercase__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireNumbers__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireSymbols__c') == 'true' && extract('CA10A1__passwordPolicyTemporaryValidityDays__c') <= number(7.0)", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10A1__disappearanceTime__c": null, "CA10A1__passwordPolicyMinimumLength__c": 12, "CA10A1__passwordPolicyIsRequireLowercase__c": "true", "CA10A1__passwordPolicyIsRequireUppercase__c": "true", "CA10A1__passwordPolicyIsRequireNumbers__c": "true", "CA10A1__passwordPolicyIsRequireSymbols__c": "true", "CA10A1__passwordPolicyTemporaryValidityDays__c": 7, "Id": "test8" } ] - path: /types/CA10A1__CaAwsCognitoUserPool__c/object.extracts.yaml md5Hash: 603EF3950C35BC470402E6CAE7F5DF68 content: | --- extracts: # Values: ACTIVE | INACTIVE. Not nullable. Retrieved via cognito-idp:DescribeUserPool - name: CA10A1__deletionProtection__c value: FIELD: path: CA10A1__deletionProtection__c undeterminedIf: isEmpty: "Deletion Protection should not be empty. Possibly corrupted data." # Values: OFF | ON | OPTIONAL. Not nullable. Retrieved via cognito-idp:DescribeUserPool - name: CA10A1__mfaConfiguration__c value: FIELD: path: CA10A1__mfaConfiguration__c undeterminedIf: isEmpty: "MFA Configuration should not be empty. Possibly corrupted data." # Number. Not nullable. Retrieved via cognito-idp:DescribeUserPool - name: CA10A1__passwordPolicyMinimumLength__c value: FIELD: path: CA10A1__passwordPolicyMinimumLength__c # Values: true | false. Not nullable. Retrieved via cognito-idp:DescribeUserPool - name: CA10A1__passwordPolicyIsRequireLowercase__c value: FIELD: path: CA10A1__passwordPolicyIsRequireLowercase__c undeterminedIf: isEmpty: "Password Policy Require Lowercase should not be empty. Possibly corrupted data." - name: CA10A1__passwordPolicyIsRequireUppercase__c value: FIELD: path: CA10A1__passwordPolicyIsRequireUppercase__c undeterminedIf: isEmpty: "Password Policy Require Uppercase should not be empty. Possibly corrupted data." - name: CA10A1__passwordPolicyIsRequireNumbers__c value: FIELD: path: CA10A1__passwordPolicyIsRequireNumbers__c undeterminedIf: isEmpty: "Password Policy Require Numbers should not be empty. Possibly corrupted data." - name: CA10A1__passwordPolicyIsRequireSymbols__c value: FIELD: path: CA10A1__passwordPolicyIsRequireSymbols__c undeterminedIf: isEmpty: "Password Policy Require Symbols should not be empty. Possibly corrupted data." # Number. Not nullable. Retrieved via cognito-idp:DescribeUserPool - name: CA10A1__passwordPolicyTemporaryValidityDays__c value: FIELD: path: CA10A1__passwordPolicyTemporaryValidityDays__c script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10A1__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "extract('CA10A1__passwordPolicyMinimumLength__c') < number(8.0)", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "extract('CA10A1__passwordPolicyIsRequireLowercase__c') != 'true'", "runtimeError" : null } }, { "Id" : "test4", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "399", "conditionText" : "extract('CA10A1__passwordPolicyIsRequireUppercase__c') != 'true'", "runtimeError" : null } }, { "Id" : "test5", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "499", "conditionText" : "extract('CA10A1__passwordPolicyIsRequireNumbers__c') != 'true'", "runtimeError" : null } }, { "Id" : "test6", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "599", "conditionText" : "extract('CA10A1__passwordPolicyIsRequireSymbols__c') != 'true'", "runtimeError" : null } }, { "Id" : "test7", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "699", "conditionText" : "extract('CA10A1__passwordPolicyTemporaryValidityDays__c') > number(7.0)", "runtimeError" : null } }, { "Id" : "test8", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "799", "conditionText" : "extract('CA10A1__passwordPolicyMinimumLength__c') >= number(8.0) && extract('CA10A1__passwordPolicyIsRequireLowercase__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireUppercase__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireNumbers__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireSymbols__c') == 'true' && extract('CA10A1__passwordPolicyTemporaryValidityDays__c') <= number(7.0)", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10A1__CaAwsCognitoUserPool__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10A1__disappearanceTime__c" : new Date("2026-04-15T12:00:00Z"), "CA10A1__passwordPolicyMinimumLength__c" : 12, "CA10A1__passwordPolicyIsRequireLowercase__c" : "true", "CA10A1__passwordPolicyIsRequireUppercase__c" : "true", "CA10A1__passwordPolicyIsRequireNumbers__c" : "true", "CA10A1__passwordPolicyIsRequireSymbols__c" : "true", "CA10A1__passwordPolicyTemporaryValidityDays__c" : 7, "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10A1__passwordPolicyMinimumLength__c" : 6, "CA10A1__passwordPolicyIsRequireLowercase__c" : "true", "CA10A1__passwordPolicyIsRequireUppercase__c" : "true", "CA10A1__passwordPolicyIsRequireNumbers__c" : "true", "CA10A1__passwordPolicyIsRequireSymbols__c" : "true", "CA10A1__passwordPolicyTemporaryValidityDays__c" : 7, "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10A1__passwordPolicyMinimumLength__c" : 12, "CA10A1__passwordPolicyIsRequireLowercase__c" : "false", "CA10A1__passwordPolicyIsRequireUppercase__c" : "true", "CA10A1__passwordPolicyIsRequireNumbers__c" : "true", "CA10A1__passwordPolicyIsRequireSymbols__c" : "true", "CA10A1__passwordPolicyTemporaryValidityDays__c" : 7, "Id" : "test3" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10A1__passwordPolicyMinimumLength__c" : 12, "CA10A1__passwordPolicyIsRequireLowercase__c" : "true", "CA10A1__passwordPolicyIsRequireUppercase__c" : "false", "CA10A1__passwordPolicyIsRequireNumbers__c" : "true", "CA10A1__passwordPolicyIsRequireSymbols__c" : "true", "CA10A1__passwordPolicyTemporaryValidityDays__c" : 7, "Id" : "test4" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10A1__passwordPolicyMinimumLength__c" : 12, "CA10A1__passwordPolicyIsRequireLowercase__c" : "true", "CA10A1__passwordPolicyIsRequireUppercase__c" : "true", "CA10A1__passwordPolicyIsRequireNumbers__c" : "false", "CA10A1__passwordPolicyIsRequireSymbols__c" : "true", "CA10A1__passwordPolicyTemporaryValidityDays__c" : 7, "Id" : "test5" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10A1__passwordPolicyMinimumLength__c" : 12, "CA10A1__passwordPolicyIsRequireLowercase__c" : "true", "CA10A1__passwordPolicyIsRequireUppercase__c" : "true", "CA10A1__passwordPolicyIsRequireNumbers__c" : "true", "CA10A1__passwordPolicyIsRequireSymbols__c" : "false", "CA10A1__passwordPolicyTemporaryValidityDays__c" : 7, "Id" : "test6" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10A1__passwordPolicyMinimumLength__c" : 12, "CA10A1__passwordPolicyIsRequireLowercase__c" : "true", "CA10A1__passwordPolicyIsRequireUppercase__c" : "true", "CA10A1__passwordPolicyIsRequireNumbers__c" : "true", "CA10A1__passwordPolicyIsRequireSymbols__c" : "true", "CA10A1__passwordPolicyTemporaryValidityDays__c" : 30, "Id" : "test7" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10A1__passwordPolicyMinimumLength__c" : 12, "CA10A1__passwordPolicyIsRequireLowercase__c" : "true", "CA10A1__passwordPolicyIsRequireUppercase__c" : "true", "CA10A1__passwordPolicyIsRequireNumbers__c" : "true", "CA10A1__passwordPolicyIsRequireSymbols__c" : "true", "CA10A1__passwordPolicyTemporaryValidityDays__c" : 7, "Id" : "test8" } ]; """; CREATE TEMP FUNCTION process_CA10A1__CaAwsCognitoUserPool__c( obj STRUCT< CA10A1__disappearanceTime__c TIMESTAMP, CA10A1__passwordPolicyMinimumLength__c FLOAT64, CA10A1__passwordPolicyIsRequireLowercase__c STRING, CA10A1__passwordPolicyIsRequireUppercase__c STRING, CA10A1__passwordPolicyIsRequireNumbers__c STRING, CA10A1__passwordPolicyIsRequireSymbols__c STRING, CA10A1__passwordPolicyTemporaryValidityDays__c FLOAT64, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10A1__disappearanceTime__c]: ' + obj.CA10A1__disappearanceTime__c); if (obj.CA10A1__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10A1__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function extract4() { if (!this.out) { this.out = obj.CA10A1__passwordPolicyMinimumLength__c; } return this.out; }; references1.push('Password Policy Minimum Length [obj.CA10A1__passwordPolicyMinimumLength__c]: ' + obj.CA10A1__passwordPolicyMinimumLength__c); if (extract4.call(extract4) != null && 8.0 != null && extract4.call(extract4) < 8.0) { return {status: 'INCOMPLIANT', conditionIndex: 199, conditionText: "extract('CA10A1__passwordPolicyMinimumLength__c') < number(8.0)", currentStateMessage: "The Cognito user pool password policy minimum length is less than 8 characters.", currentStateReferences: references1.join('\n'), remediation: "Set the Cognito user pool password policy minimum length to at least 8 characters.", runtimeError: null}; } // condition[2], conditionIndex:[200..299] function fieldChecked8() { if (TextLib.isEmpty(obj.CA10A1__passwordPolicyIsRequireLowercase__c)) { throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "CA10A1__passwordPolicyIsRequireLowercase__c.isEmpty()", currentStateMessage: "Password Policy Require Lowercase should not be empty. Possibly corrupted data.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10A1__passwordPolicyIsRequireLowercase__c; } function extract7() { if (!this.out) { this.out = fieldChecked8(); } return this.out; }; references1.push('Password Policy Is Require Lowercase [obj.CA10A1__passwordPolicyIsRequireLowercase__c]: ' + obj.CA10A1__passwordPolicyIsRequireLowercase__c); try { if (TextLib.notEqual(extract7.call(extract7), 'true')) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "extract('CA10A1__passwordPolicyIsRequireLowercase__c') != 'true'", currentStateMessage: "The Cognito user pool password policy does not require lowercase letters.", currentStateReferences: references1.join('\n'), remediation: "Require at least one lowercase letter in the Cognito user pool password policy.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[3], conditionIndex:[300..399] function fieldChecked11() { if (TextLib.isEmpty(obj.CA10A1__passwordPolicyIsRequireUppercase__c)) { throw new Error("UNDETERMINED condition:301", {cause: {status: 'UNDETERMINED', conditionIndex: 301, conditionText: "CA10A1__passwordPolicyIsRequireUppercase__c.isEmpty()", currentStateMessage: "Password Policy Require Uppercase should not be empty. Possibly corrupted data.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10A1__passwordPolicyIsRequireUppercase__c; } function extract10() { if (!this.out) { this.out = fieldChecked11(); } return this.out; }; references1.push('Password Policy Is Require Uppercase [obj.CA10A1__passwordPolicyIsRequireUppercase__c]: ' + obj.CA10A1__passwordPolicyIsRequireUppercase__c); try { if (TextLib.notEqual(extract10.call(extract10), 'true')) { return {status: 'INCOMPLIANT', conditionIndex: 399, conditionText: "extract('CA10A1__passwordPolicyIsRequireUppercase__c') != 'true'", currentStateMessage: "The Cognito user pool password policy does not require uppercase letters.", currentStateReferences: references1.join('\n'), remediation: "Require at least one uppercase letter in the Cognito user pool password policy.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[4], conditionIndex:[400..499] function fieldChecked14() { if (TextLib.isEmpty(obj.CA10A1__passwordPolicyIsRequireNumbers__c)) { throw new Error("UNDETERMINED condition:401", {cause: {status: 'UNDETERMINED', conditionIndex: 401, conditionText: "CA10A1__passwordPolicyIsRequireNumbers__c.isEmpty()", currentStateMessage: "Password Policy Require Numbers should not be empty. Possibly corrupted data.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10A1__passwordPolicyIsRequireNumbers__c; } function extract13() { if (!this.out) { this.out = fieldChecked14(); } return this.out; }; references1.push('Password Policy Is Require Numbers [obj.CA10A1__passwordPolicyIsRequireNumbers__c]: ' + obj.CA10A1__passwordPolicyIsRequireNumbers__c); try { if (TextLib.notEqual(extract13.call(extract13), 'true')) { return {status: 'INCOMPLIANT', conditionIndex: 499, conditionText: "extract('CA10A1__passwordPolicyIsRequireNumbers__c') != 'true'", currentStateMessage: "The Cognito user pool password policy does not require numbers.", currentStateReferences: references1.join('\n'), remediation: "Require at least one number in the Cognito user pool password policy.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[5], conditionIndex:[500..599] function fieldChecked17() { if (TextLib.isEmpty(obj.CA10A1__passwordPolicyIsRequireSymbols__c)) { throw new Error("UNDETERMINED condition:501", {cause: {status: 'UNDETERMINED', conditionIndex: 501, conditionText: "CA10A1__passwordPolicyIsRequireSymbols__c.isEmpty()", currentStateMessage: "Password Policy Require Symbols should not be empty. Possibly corrupted data.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10A1__passwordPolicyIsRequireSymbols__c; } function extract16() { if (!this.out) { this.out = fieldChecked17(); } return this.out; }; references1.push('Password Policy Is Require Symbols [obj.CA10A1__passwordPolicyIsRequireSymbols__c]: ' + obj.CA10A1__passwordPolicyIsRequireSymbols__c); try { if (TextLib.notEqual(extract16.call(extract16), 'true')) { return {status: 'INCOMPLIANT', conditionIndex: 599, conditionText: "extract('CA10A1__passwordPolicyIsRequireSymbols__c') != 'true'", currentStateMessage: "The Cognito user pool password policy does not require symbols.", currentStateReferences: references1.join('\n'), remediation: "Require at least one symbol in the Cognito user pool password policy.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[6], conditionIndex:[600..699] function extract20() { if (!this.out) { this.out = obj.CA10A1__passwordPolicyTemporaryValidityDays__c; } return this.out; }; references1.push('Password Policy Temporary Validity Days [obj.CA10A1__passwordPolicyTemporaryValidityDays__c]: ' + obj.CA10A1__passwordPolicyTemporaryValidityDays__c); if (extract20.call(extract20) != null && 7.0 != null && extract20.call(extract20) > 7.0) { return {status: 'INCOMPLIANT', conditionIndex: 699, conditionText: "extract('CA10A1__passwordPolicyTemporaryValidityDays__c') > number(7.0)", currentStateMessage: "The Cognito user pool temporary password validity period is greater than 7 days.", currentStateReferences: references1.join('\n'), remediation: "Set the Cognito user pool temporary password validity period to 7 days or fewer.", runtimeError: null}; } // condition[7], conditionIndex:[700..799] function extract24() { if (!this.out) { this.out = obj.CA10A1__passwordPolicyMinimumLength__c; } return this.out; }; function fieldChecked28() { if (TextLib.isEmpty(obj.CA10A1__passwordPolicyIsRequireLowercase__c)) { throw new Error("UNDETERMINED condition:701", {cause: {status: 'UNDETERMINED', conditionIndex: 701, conditionText: "CA10A1__passwordPolicyIsRequireLowercase__c.isEmpty()", currentStateMessage: "Password Policy Require Lowercase should not be empty. Possibly corrupted data.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10A1__passwordPolicyIsRequireLowercase__c; } function extract27() { if (!this.out) { this.out = fieldChecked28(); } return this.out; }; function fieldChecked31() { if (TextLib.isEmpty(obj.CA10A1__passwordPolicyIsRequireUppercase__c)) { throw new Error("UNDETERMINED condition:702", {cause: {status: 'UNDETERMINED', conditionIndex: 702, conditionText: "CA10A1__passwordPolicyIsRequireUppercase__c.isEmpty()", currentStateMessage: "Password Policy Require Uppercase should not be empty. Possibly corrupted data.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10A1__passwordPolicyIsRequireUppercase__c; } function extract30() { if (!this.out) { this.out = fieldChecked31(); } return this.out; }; function fieldChecked34() { if (TextLib.isEmpty(obj.CA10A1__passwordPolicyIsRequireNumbers__c)) { throw new Error("UNDETERMINED condition:703", {cause: {status: 'UNDETERMINED', conditionIndex: 703, conditionText: "CA10A1__passwordPolicyIsRequireNumbers__c.isEmpty()", currentStateMessage: "Password Policy Require Numbers should not be empty. Possibly corrupted data.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10A1__passwordPolicyIsRequireNumbers__c; } function extract33() { if (!this.out) { this.out = fieldChecked34(); } return this.out; }; function fieldChecked37() { if (TextLib.isEmpty(obj.CA10A1__passwordPolicyIsRequireSymbols__c)) { throw new Error("UNDETERMINED condition:704", {cause: {status: 'UNDETERMINED', conditionIndex: 704, conditionText: "CA10A1__passwordPolicyIsRequireSymbols__c.isEmpty()", currentStateMessage: "Password Policy Require Symbols should not be empty. Possibly corrupted data.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10A1__passwordPolicyIsRequireSymbols__c; } function extract36() { if (!this.out) { this.out = fieldChecked37(); } return this.out; }; function extract40() { if (!this.out) { this.out = obj.CA10A1__passwordPolicyTemporaryValidityDays__c; } return this.out; }; try { if ((extract24.call(extract24) != null && 8.0 != null && extract24.call(extract24) >= 8.0) && TextLib.equal(extract27.call(extract27), 'true') && TextLib.equal(extract30.call(extract30), 'true') && TextLib.equal(extract33.call(extract33), 'true') && TextLib.equal(extract36.call(extract36), 'true') && (extract40.call(extract40) != null && 7.0 != null && extract40.call(extract40) <= 7.0)) { return {status: 'COMPLIANT', conditionIndex: 799, conditionText: "extract('CA10A1__passwordPolicyMinimumLength__c') >= number(8.0) && extract('CA10A1__passwordPolicyIsRequireLowercase__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireUppercase__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireNumbers__c') == 'true' && extract('CA10A1__passwordPolicyIsRequireSymbols__c') == 'true' && extract('CA10A1__passwordPolicyTemporaryValidityDays__c') <= number(7.0)", currentStateMessage: "The Cognito user pool password policy requires a minimum length of at least 8 characters, requires uppercase and lowercase letters, numbers, and symbols, and limits temporary passwords to 7 days or fewer.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } return {status: 'UNDETERMINED', conditionIndex: 800, conditionText: "otherwise", currentStateMessage: "Unexpected values were found in the Cognito user pool password policy settings.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10A1__disappearanceTime__c AS CA10A1__disappearanceTime__c, sObject.CA10A1__passwordPolicyMinimumLength__c AS CA10A1__passwordPolicyMinimumLength__c, sObject.CA10A1__passwordPolicyIsRequireLowercase__c AS CA10A1__passwordPolicyIsRequireLowercase__c, sObject.CA10A1__passwordPolicyIsRequireUppercase__c AS CA10A1__passwordPolicyIsRequireUppercase__c, sObject.CA10A1__passwordPolicyIsRequireNumbers__c AS CA10A1__passwordPolicyIsRequireNumbers__c, sObject.CA10A1__passwordPolicyIsRequireSymbols__c AS CA10A1__passwordPolicyIsRequireSymbols__c, sObject.CA10A1__passwordPolicyTemporaryValidityDays__c AS CA10A1__passwordPolicyTemporaryValidityDays__c, sObject.Id AS Id, process_CA10A1__CaAwsCognitoUserPool__c( STRUCT( sObject.CA10A1__disappearanceTime__c AS CA10A1__disappearanceTime__c, sObject.CA10A1__passwordPolicyMinimumLength__c AS CA10A1__passwordPolicyMinimumLength__c, sObject.CA10A1__passwordPolicyIsRequireLowercase__c AS CA10A1__passwordPolicyIsRequireLowercase__c, sObject.CA10A1__passwordPolicyIsRequireUppercase__c AS CA10A1__passwordPolicyIsRequireUppercase__c, sObject.CA10A1__passwordPolicyIsRequireNumbers__c AS CA10A1__passwordPolicyIsRequireNumbers__c, sObject.CA10A1__passwordPolicyIsRequireSymbols__c AS CA10A1__passwordPolicyIsRequireSymbols__c, sObject.CA10A1__passwordPolicyTemporaryValidityDays__c AS CA10A1__passwordPolicyTemporaryValidityDays__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10A1__CaAwsCognitoUserPool__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;