AWS Cognito User Pool Deletion Protection is not enabled
- Contextual name: User Pool Deletion Protection is not enabled
- ID: /ce/ca/aws/cognito/user-pool-deletion-protection
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: RELIABILITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [Cognito.6] Cognito user pools should have deletion protection enabled
Description
This policy identifies Amazon Cognito user pools that do not have deletion protection enabled.
Rationale
Amazon Cognito user pools often back production sign-in, registration, password recovery, and token issuance flows. Accidental deletion of a user pool can immediately disrupt authentication for dependent applications and may require complex restoration or full recreation of the identity store.
Enabling deletion protection adds an explicit administrative safeguard. Before a user pool can be deleted, an administrator must first disable deletion protection, which reduces the likelihood of unintended removal caused by manual error, rushed operational changes, or misconfigured automation.
Audit
This policy flags an AWS Cognito User Pool as INCOMPLIANT when Deletion Protection is INACTIVE.
Remediation
Enable Deletion Protection
To reduce the risk of accidental deletion, enable deletion protection on the Cognito user pool.
From Command Line

```shell
aws cognito-idp update-user-pool \
  --region {{region}} \
  --user-pool-id {{user-pool-id}} \
  --deletion-protection ACTIVE
```

After the change, review any administrative procedures or automation that intentionally delete user pools to ensure they explicitly disable deletion protection as part of an approved decommissioning workflow.
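The Audit rule above (INCOMPLIANT when Deletion Protection is INACTIVE) and the remediation command can be expressed as one script. The following is an added example, not code from the policy page, Cloudaware or AWS. It assumes a boto3 `cognito-idp` client, whose `list_user_pools`, `describe_user_pool` and `update_user_pool` calls return the shapes used here; `FakeCognitoClient`, its two pools and their IDs are constructed stand-ins so the script runs offline. A pool whose description omits `DeletionProtection` is treated as INACTIVE, which is this example's assumption rather than something the page states.

```python
"""Audit Amazon Cognito user pools for deletion protection and remediate.

Added example, not part of the policy page. Works with any object that
exposes list_user_pools / describe_user_pool / update_user_pool with the
boto3 'cognito-idp' response shapes (assumption), including boto3 itself.
"""
from typing import Any, Dict, Iterator, List

COMPLIANT = "COMPLIANT"
INCOMPLIANT = "INCOMPLIANT"  # spelling as used by the policy page


def evaluate_user_pool(user_pool: Dict[str, Any]) -> str:
    """Apply the policy rule to one DescribeUserPool 'UserPool' dict.

    The API reports DeletionProtection as 'ACTIVE' or 'INACTIVE'. A pool
    whose response omits the field is treated as INACTIVE (assumption made
    here so the check fails closed).
    """
    status = user_pool.get("DeletionProtection", "INACTIVE")
    return COMPLIANT if status == "ACTIVE" else INCOMPLIANT


def iter_user_pool_ids(client) -> Iterator[str]:
    """Walk every ListUserPools page (the API caps MaxResults at 60)."""
    kwargs: Dict[str, Any] = {"MaxResults": 60}
    while True:
        page = client.list_user_pools(**kwargs)
        for pool in page.get("UserPools", []):
            yield pool["Id"]
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def audit_user_pools(client) -> List[Dict[str, str]]:
    """Return one finding per pool: Id, Name, DeletionProtection, Compliance."""
    findings = []
    for pool_id in iter_user_pool_ids(client):
        pool = client.describe_user_pool(UserPoolId=pool_id)["UserPool"]
        findings.append({
            "Id": pool["Id"],
            "Name": pool.get("Name", ""),
            "DeletionProtection": pool.get("DeletionProtection", "INACTIVE"),
            "Compliance": evaluate_user_pool(pool),
        })
    return findings


def enable_deletion_protection(client, pool_id: str) -> Dict[str, Any]:
    """Same operation as the `update-user-pool --deletion-protection ACTIVE` command."""
    return client.update_user_pool(UserPoolId=pool_id, DeletionProtection="ACTIVE")


def run(client) -> List[str]:
    """Audit, remediate every INCOMPLIANT pool, and return the IDs remediated."""
    fixed = []
    for finding in audit_user_pools(client):
        if finding["Compliance"] == INCOMPLIANT:
            enable_deletion_protection(client, finding["Id"])
            fixed.append(finding["Id"])
    return fixed


class FakeCognitoClient:
    """Constructed stand-in for boto3.client('cognito-idp'), for offline runs.

    Holds two made-up pools (one protected, one not). The IDs are
    placeholders, not real pool identifiers.
    """

    def __init__(self):
        self.pools = {
            "us-east-1_EXAMPLE1": {"Id": "us-east-1_EXAMPLE1", "Name": "prod-users",
                                   "DeletionProtection": "ACTIVE"},
            "us-east-1_EXAMPLE2": {"Id": "us-east-1_EXAMPLE2", "Name": "staging-users",
                                   "DeletionProtection": "INACTIVE"},
        }
        self.calls = []  # records update_user_pool invocations

    def list_user_pools(self, MaxResults, NextToken=None):
        # One pool per page so the pagination loop above is exercised.
        ids = sorted(self.pools)
        start = int(NextToken) if NextToken else 0
        page = {"UserPools": [{"Id": i, "Name": self.pools[i]["Name"]}
                              for i in ids[start:start + 1]]}
        if start + 1 < len(ids):
            page["NextToken"] = str(start + 1)
        return page

    def describe_user_pool(self, UserPoolId):
        return {"UserPool": dict(self.pools[UserPoolId])}

    def update_user_pool(self, UserPoolId, **attrs):
        self.calls.append(("update_user_pool", UserPoolId, attrs))
        self.pools[UserPoolId].update(attrs)
        return {}


if __name__ == "__main__":
    # Replace FakeCognitoClient() with boto3.client("cognito-idp", region_name=...) for a real account.
    client = FakeCognitoClient()
    for finding in audit_user_pools(client):
        print(finding)
    print("remediated:", run(client))
```

Against a real account, `run` performs the same UpdateUserPool call as the CLI command in the page. The UpdateUserPool API documentation states that attributes not supplied in the request are reset to their default values, so before applying this to a pool with customised settings, take the current configuration from `describe-user-pool` and pass the relevant attributes back alongside `DeletionProtection`.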
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [Cognito.6] Cognito user pools should have deletion protection enabled | 1 | no data | | | |
| Cloudaware Framework → System Configuration | 58 | no data | | | |