
πŸ›‘οΈ AWS Cognito User Pool Deletion Protection is not enabled🟒

  • Contextual name: 🛡️ User Pool Deletion Protection is not enabled 🟢
  • ID: /ce/ca/aws/cognito/user-pool-deletion-protection
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Logic

Similar Policies

Description


This policy identifies Amazon Cognito user pools that do not have deletion protection enabled.

Rationale

Amazon Cognito user pools often back production sign-in, registration, password recovery, and token issuance flows. Accidental deletion of a user pool can immediately disrupt authentication for dependent applications and may require complex restoration or full recreation of the identity store.

Enabling deletion protection adds an explicit administrative safeguard. Before a user pool can be deleted, an administrator must first disable deletion protection, which reduces the likelihood of unintended removal caused by manual error, rushed operational changes, or misconfigured automation.

Audit

This policy flags an AWS Cognito User Pool as INCOMPLIANT when Deletion Protection is INACTIVE.

Remediation


Enable Deletion Protection

To reduce the risk of accidental deletion, enable deletion protection on the Cognito user pool.

From Command Line
aws cognito-idp update-user-pool \
--region {{region}} \
--user-pool-id {{user-pool-id}} \
--deletion-protection ACTIVE

After the change, review any administrative procedures or automation that intentionally delete user pools to ensure they explicitly disable deletion protection as part of an approved decommissioning workflow.
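The audit and remediation steps above, as an added example (not Cloudaware's policy code): the pure evaluation logic mirrors the Audit rule, treating a missing DeletionProtection value as INACTIVE, and the live path assumes boto3 with credentials for the target account and the DescribeUserPool response shape {"UserPool": {"Id": ..., "DeletionProtection": ...}}.

```python
"""Audit Amazon Cognito user pools for deletion protection (added example)."""


def is_deletion_protected(user_pool: dict) -> bool:
    """True only when DeletionProtection is explicitly ACTIVE.

    A missing key is treated as INACTIVE so an unexpected response shape
    is reported as a finding rather than silently passing the check.
    """
    return user_pool.get("DeletionProtection") == "ACTIVE"


def evaluate_pools(user_pools: list) -> dict:
    """Split pool descriptions into COMPLIANT and INCOMPLIANT ID lists."""
    result = {"COMPLIANT": [], "INCOMPLIANT": []}
    for pool in user_pools:
        key = "COMPLIANT" if is_deletion_protected(pool) else "INCOMPLIANT"
        result[key].append(pool["Id"])
    return result


# Constructed sample data in the DescribeUserPool["UserPool"] shape.
SAMPLE_POOLS = [
    {"Id": "us-east-1_AAAA1111", "Name": "prod-users", "DeletionProtection": "ACTIVE"},
    {"Id": "us-east-1_BBBB2222", "Name": "staging-users", "DeletionProtection": "INACTIVE"},
    {"Id": "us-east-1_CCCC3333", "Name": "legacy-users"},  # key absent: treated as INACTIVE
]


def audit_region(region: str) -> dict:
    """Live audit: enumerate every user pool in a region and classify it."""
    import boto3  # imported here so the pure logic above runs offline

    client = boto3.client("cognito-idp", region_name=region)
    paginator = client.get_paginator("list_user_pools")
    pools = []
    for page in paginator.paginate(PaginationConfig={"PageSize": 60}):
        for summary in page["UserPools"]:
            pools.append(client.describe_user_pool(UserPoolId=summary["Id"])["UserPool"])
    return evaluate_pools(pools)


def enable_deletion_protection(client, user_pool_id: str) -> None:
    """Remediate one pool; equivalent to the CLI command in the Remediation section."""
    client.update_user_pool(UserPoolId=user_pool_id, DeletionProtection="ACTIVE")


if __name__ == "__main__":
    print(evaluate_pools(SAMPLE_POOLS))
```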

policy.yaml


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Cognito.6] Cognito user pools should have deletion protection enabled | | | 1 | | no data
💼 Cloudaware Framework → 💼 System Configuration | | | 58 | | no data