Description
This policy identifies Amazon Cognito user pools with password policies that do not meet a strong password baseline.
Rationale
Amazon Cognito user pools often store local application identities and issue authentication tokens to connected applications. Weak password requirements make brute-force attempts, credential stuffing, and password reuse attacks more likely to succeed.
Requiring a minimum password length, mixed character types, and a short temporary password validity period helps reduce the risk of unauthorized access and improves the security posture of user pools that support username-password authentication.
Audit
This policy flags a Cognito User Pool as INCOMPLIANT when any of the following is true:
- Password Policy Minimum Length is less than 8
- Password Policy Is Require Lowercase is not true
- Password Policy Is Require Uppercase is not true
- Password Policy Is Require Numbers is not true
- Password Policy Is Require Symbols is not true
- Password Policy Temporary Validity Days is greater than 7
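The following is an added example, not part of the policy text above, that applies these six audit conditions to the PasswordPolicy object a user pool exposes. The field names (MinimumLength, RequireLowercase, RequireUppercase, RequireNumbers, RequireSymbols, TemporaryPasswordValidityDays) are those returned by the Cognito DescribeUserPool API under UserPool.Policies.PasswordPolicy; the two sample pools and their identifiers are constructed for illustration, and the optional live-account function at the end assumes boto3 is installed and AWS credentials are configured.

```python
"""Check Amazon Cognito user pool password policies against the baseline above.

Added example: evaluates the PasswordPolicy structure returned by
cognito-idp DescribeUserPool (UserPool.Policies.PasswordPolicy).
The sample inputs below are constructed, not real pools.
"""
from typing import Any, Dict, List

# Baseline thresholds taken from the audit conditions on this page.
MIN_LENGTH = 8
MAX_TEMP_PASSWORD_VALIDITY_DAYS = 7
REQUIRED_CHARACTER_CLASSES = (
    "RequireLowercase",
    "RequireUppercase",
    "RequireNumbers",
    "RequireSymbols",
)


def find_violations(password_policy: Dict[str, Any]) -> List[str]:
    """Return one message per failed audit condition; empty list means compliant."""
    violations: List[str] = []

    min_len = password_policy.get("MinimumLength", 0)
    if min_len < MIN_LENGTH:
        violations.append(f"MinimumLength is {min_len}, less than {MIN_LENGTH}")

    # A missing flag is treated as "not true", matching the audit wording.
    for key in REQUIRED_CHARACTER_CLASSES:
        if password_policy.get(key) is not True:
            violations.append(f"{key} is not true")

    # Only an explicit value above 7 is flagged, as the audit condition states.
    validity = password_policy.get("TemporaryPasswordValidityDays")
    if validity is not None and validity > MAX_TEMP_PASSWORD_VALIDITY_DAYS:
        violations.append(
            f"TemporaryPasswordValidityDays is {validity}, "
            f"greater than {MAX_TEMP_PASSWORD_VALIDITY_DAYS}"
        )
    return violations


def evaluate_user_pool(describe_response: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate a full DescribeUserPool response and report compliance."""
    pool = describe_response.get("UserPool", {})
    policy = pool.get("Policies", {}).get("PasswordPolicy", {})
    violations = find_violations(policy)
    return {
        "UserPoolId": pool.get("Id"),
        "Compliant": not violations,
        "Violations": violations,
    }


# Constructed sample responses (pool IDs are placeholders, not real pools).
WEAK_POOL_RESPONSE = {
    "UserPool": {
        "Id": "example-weak-pool",
        "Policies": {
            "PasswordPolicy": {
                "MinimumLength": 6,
                "RequireUppercase": True,
                "RequireLowercase": True,
                "RequireNumbers": True,
                "RequireSymbols": False,
                "TemporaryPasswordValidityDays": 30,
            }
        },
    }
}

STRONG_POOL_RESPONSE = {
    "UserPool": {
        "Id": "example-strong-pool",
        "Policies": {
            "PasswordPolicy": {
                "MinimumLength": 12,
                "RequireUppercase": True,
                "RequireLowercase": True,
                "RequireNumbers": True,
                "RequireSymbols": True,
                "TemporaryPasswordValidityDays": 7,
            }
        },
    }
}


def audit_region(region_name: str) -> List[Dict[str, Any]]:
    """Optional live check: assumes boto3 and AWS credentials are available."""
    import boto3  # imported here so the offline functions above need no AWS SDK

    client = boto3.client("cognito-idp", region_name=region_name)
    results = []
    for page in client.get_paginator("list_user_pools").paginate(MaxResults=60):
        for summary in page.get("UserPools", []):
            response = client.describe_user_pool(UserPoolId=summary["Id"])
            results.append(evaluate_user_pool(response))
    return results


if __name__ == "__main__":
    for sample in (WEAK_POOL_RESPONSE, STRONG_POOL_RESPONSE):
        print(evaluate_user_pool(sample))
```

Running the module offline evaluates the two constructed pools: the weak one fails on minimum length, missing symbol requirement and a 30-day temporary password validity, while the strong one passes every condition. Pointing audit_region at a real region reproduces the same evaluation over every user pool the credentials can describe.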