🛡️ AWS Cognito User Pool Password Policy is not strong🟢

Contextual name: 🛡️ User Pool Password Policy is not strong🟢
ID: /ce/ca/aws/cognito/user-pool-strong-password-policy
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS Cognito User Pool
- 🔌 AWS Cognito User Pool - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [Cognito.3] Password policies for Cognito user pools should have strong configurations

Description

Description

This policy identifies Amazon Cognito user pools with password policies that do not meet a strong password baseline.

Rationale

Amazon Cognito user pools often store local application identities and issue authentication tokens to connected applications. Weak password requirements make brute-force attempts, credential stuffing, and password reuse attacks more likely to succeed.

Requiring a minimum password length, mixed character types, and a short temporary password validity period helps reduce the risk of unauthorized access and improves the security posture of user pools that support username-password authentication.

Audit

This policy flags a Cognito User Pool as INCOMPLIANT when any of the following is true:

Password Policy Minimum Length is less than 8

Password Policy Is Require Lowercase is not true

Password Policy Is Require Uppercase is not true

Password Policy Is Require Numbers is not true

Password Policy Is Require Symbols is not true

Password Policy Temporary Validity Days is greater than 7

Remediation

Open File

Remediation

Strengthen the User Pool Password Policy

Update the Cognito user pool password policy to require a minimum length of at least 8 characters, uppercase and lowercase letters, numbers, symbols, and a temporary password validity period of 7 days or fewer.

From Command Line
aws cognito-idp update-user-pool \
    --region {{region}} \
    --user-pool-id {{user-pool-id}} \
    --policies '{
      "PasswordPolicy": {
        "MinimumLength": 8,
        "RequireUppercase": true,
        "RequireLowercase": true,
        "RequireNumbers": true,
        "RequireSymbols": true,
        "TemporaryPasswordValidityDays": 7
      }
    }'
If you intentionally rely on alternative authentication patterns, verify that the user pool configuration and application design are formally approved before accepting weaker password settings.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Cognito.3] Password policies for Cognito user pools should have strong configurations			1		no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management			29		no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Strengthen the User Pool Password Policy​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Strengthen the User Pool Password Policy

From Command Line

policy.yaml

Linked Framework Sections