This check evaluates each Amazon Cognito user pool's Threat protection (formerly "advanced security") mode and passes only when it is ENFORCED (full-function); pools in AUDIT mode or with the feature disabled fail. The mode determines whether adaptive-authentication risk responses and compromised-credential checks are actually applied during sign-in, or merely recorded.
Risk
Without enforced threat protection, risky sign-ins are only logged, not blocked, which leaves the pool open to credential stuffing, brute force, and account takeover. This threatens confidentiality and integrity through unauthorized access and token misuse, and can degrade availability through automated sign-in abuse.
prowler aws --checks cognito_user_pool_advanced_security_enabled
Recommendation
Set Threat protection to ENFORCED to apply automatic mitigations.
- Require step-up MFA on risky events
- Block compromised credentials
- Use IP allow/deny lists and export logs for monitoring
Baseline in AUDIT first to see which sign-ins would be affected, then switch to ENFORCED. Apply defense in depth and least privilege across apps and app clients.
Remediation
aws cognito-idp update-user-pool --user-pool-id <example_resource_id> --user-pool-add-ons AdvancedSecurityMode=ENFORCED
Note that update-user-pool resets any attribute it is not given to its default value, so describe the pool first and pass its existing settings (MFA configuration, policies, Lambda triggers, and so on) along with the new add-on setting.
- In the AWS Console, go to Cognito > User pools and select your pool
- Open Threat protection
- Click Activate (enable Plus feature plan if prompted)
- Set Enforcement mode to Full function (ENFORCED)
- Click Save changes
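The following is an added example, not Prowler's check code and not AWS sample code. It reproduces the evaluation described at the top of this page over a describe_user_pool() response (only ENFORCED passes; AUDIT and disabled both fail) and builds the update_user_pool() call for the remediation above while carrying the pool's existing settings across, since the API resets anything it is not given. The sample pools are constructed, and the list of carried-over keys is an assumption to verify against the update_user_pool parameter list of the SDK version you run.

```python
"""Evaluate and remediate Threat protection (advanced security) mode on
Amazon Cognito user pools. Added example; not Prowler's own check code."""
from __future__ import annotations

from typing import Any

ENFORCED, AUDIT, OFF = "ENFORCED", "AUDIT", "OFF"

# update_user_pool() resets any mutable setting it is not given to its default,
# so a remediation must carry the pool's current settings across. These are the
# describe_user_pool() keys that update_user_pool() also accepts (assumption:
# verify against the parameter list of your SDK version).
CARRY_OVER_KEYS = (
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage", "EmailVerificationSubject",
    "VerificationMessageTemplate", "SmsAuthenticationMessage",
    "UserAttributeUpdateSettings", "MfaConfiguration", "DeviceConfiguration",
    "EmailConfiguration", "SmsConfiguration", "UserPoolTags",
    "AdminCreateUserConfig", "AccountRecoverySetting",
)


def advanced_security_mode(pool: dict[str, Any]) -> str:
    """Mode from a describe_user_pool()['UserPool'] dict. A pool on which the
    add-on was never enabled has no UserPoolAddOns key; treat that as OFF."""
    return (pool.get("UserPoolAddOns") or {}).get("AdvancedSecurityMode", OFF)


def evaluate(pool: dict[str, Any]) -> dict[str, str]:
    """One PASS/FAIL finding per pool. Only ENFORCED passes: AUDIT computes
    risk scores and logs them but blocks nothing."""
    mode = advanced_security_mode(pool)
    if mode == ENFORCED:
        status, detail = "PASS", "threat protection is ENFORCED (full-function)"
    elif mode == AUDIT:
        status, detail = "FAIL", "threat protection is AUDIT only: risky sign-ins are logged, not blocked"
    else:
        status, detail = "FAIL", "threat protection is disabled"
    return {"pool_id": pool["Id"], "mode": mode, "status": status, "detail": detail}


def build_enforce_request(pool: dict[str, Any]) -> dict[str, Any]:
    """Keyword arguments for update_user_pool() that switch the mode to
    ENFORCED while preserving every setting the pool already has."""
    params = {k: pool[k] for k in CARRY_OVER_KEYS if k in pool}
    params["UserPoolId"] = pool["Id"]
    params["UserPoolAddOns"] = {**(pool.get("UserPoolAddOns") or {}),
                                "AdvancedSecurityMode": ENFORCED}
    return params


def enforce(client, pool: dict[str, Any]) -> dict[str, Any]:
    """Apply the remediation through a cognito-idp client (boto3 or a stub)
    and return the parameters that were sent."""
    params = build_enforce_request(pool)
    client.update_user_pool(**params)
    return params


def audit_account(client) -> list[dict[str, str]]:
    """Evaluate every user pool in the client's region (needs a live boto3 client)."""
    findings = []
    for page in client.get_paginator("list_user_pools").paginate(
            PaginationConfig={"PageSize": 60}):
        for summary in page["UserPools"]:
            pool = client.describe_user_pool(UserPoolId=summary["Id"])["UserPool"]
            findings.append(evaluate(pool))
    return findings


# Constructed sample pools (not real account data) covering the three states.
SAMPLE_POOLS = [
    {"Id": "us-east-1_example1", "MfaConfiguration": "ON",
     "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"}},
    {"Id": "us-east-1_example2", "MfaConfiguration": "OPTIONAL",
     "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"}},
    {"Id": "us-east-1_example3", "MfaConfiguration": "OFF"},  # add-on never enabled
]

if __name__ == "__main__":
    import boto3  # only needed for a live run against an account

    for f in audit_account(boto3.client("cognito-idp")):
        print(f"{f['status']} {f['pool_id']}: {f['detail']}")
```

Run it with credentials in the environment to list findings for one region; for remediation, pass the describe_user_pool() result of a failing pool to enforce() so the MFA, policy and trigger settings survive the update. Remember that ENFORCED only applies to flows that Threat protection covers, so the change should first be observed in AUDIT mode as the recommendation above says.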
Source Code
Resource Type
Other