Amazon Cognito user pool threat protection blocks sign-ins when compromised credentials are detected. Advanced security is ENFORCED, and the compromised-credentials policy applies a BLOCK action to sign-in events.
Risk
Allowing sign-in with leaked or reused passwords enables account takeover, exposing tokens and profile data (confidentiality), permitting unauthorized changes (integrity), and enabling abuse of linked APIs and sessions (availability impacts via misuse or lockout).
prowler aws --checks cognito_user_pool_blocks_compromised_credentials_sign_in_attempts
Recommendation
Enable threat protection with advanced security ENFORCED and set the compromised-credentials response to BLOCK for sign-ins. Combine this with adaptive authentication and MFA for higher assurance, monitor the risk logs, and enforce a strong password policy that prevents reuse, applying defense in depth.
Remediation
- In the AWS Console, go to Amazon Cognito > User pools and select <example_resource_name>
- Open Threat protection and click Activate (if not already active)
- Set Enforcement mode to Full function (this sets Advanced security to ENFORCED)
- Under Compromised credentials, ensure Event detection includes Sign-in and set Action to Block sign-in
- Click Save changes
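As an added example (not Prowler's own code), the following reproduces the check's decision logic over the shapes of the cognito-idp DescribeUserPool and DescribeRiskConfiguration responses, evaluated offline against constructed samples. The function, the sample pool id and the treatment of an absent EventFilter as covering all events (taken from the API documentation) are assumptions of this example.

```python
"""Decide whether a Cognito user pool blocks sign-ins on compromised credentials.

Inputs are plain dicts shaped like the 'UserPool' member of DescribeUserPool and the
'RiskConfiguration' member of DescribeRiskConfiguration, so the logic runs offline.
In a live scan the same dicts would come from boto3's cognito-idp client.
"""
from typing import Tuple

ALL_EVENTS = ["SIGN_IN", "PASSWORD_CHANGE", "SIGN_UP"]


def blocks_compromised_sign_in(user_pool: dict, risk_config: dict) -> Tuple[bool, str]:
    """Return (passes, reason) for the compromised-credentials sign-in check."""
    mode = user_pool.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF")
    if mode != "ENFORCED":  # AUDIT only logs risk; OFF disables detection entirely
        return False, f"advanced security mode is {mode}, not ENFORCED"
    ccrc = risk_config.get("CompromisedCredentialsRiskConfiguration")
    if not ccrc:
        return False, "no compromised-credentials risk configuration set"
    # Assumption (from the API docs): an empty/absent EventFilter means all events.
    events = ccrc.get("EventFilter") or ALL_EVENTS
    if "SIGN_IN" not in events:
        return False, "compromised-credential detection does not cover SIGN_IN"
    action = ccrc.get("Actions", {}).get("EventAction", "NO_ACTION")
    if action != "BLOCK":
        return False, f"compromised-credential action is {action}, not BLOCK"
    return True, "sign-ins with compromised credentials are blocked"


# Constructed samples for demonstration; the pool id is a placeholder, not a real pool.
POOL_ENFORCED = {"Id": "us-east-1_EXAMPLE", "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"}}
POOL_AUDIT = {"Id": "us-east-1_EXAMPLE", "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"}}
RISK_BLOCK = {"UserPoolId": "us-east-1_EXAMPLE", "CompromisedCredentialsRiskConfiguration": {
    "EventFilter": ["SIGN_IN"], "Actions": {"EventAction": "BLOCK"}}}
RISK_NO_ACTION = {"UserPoolId": "us-east-1_EXAMPLE", "CompromisedCredentialsRiskConfiguration": {
    "EventFilter": ["SIGN_IN"], "Actions": {"EventAction": "NO_ACTION"}}}
RISK_PW_CHANGE_ONLY = {"UserPoolId": "us-east-1_EXAMPLE", "CompromisedCredentialsRiskConfiguration": {
    "EventFilter": ["PASSWORD_CHANGE"], "Actions": {"EventAction": "BLOCK"}}}

if __name__ == "__main__":
    for label, pool, risk in [("enforced+block", POOL_ENFORCED, RISK_BLOCK),
                              ("audit+block", POOL_AUDIT, RISK_BLOCK),
                              ("enforced+no_action", POOL_ENFORCED, RISK_NO_ACTION),
                              ("enforced+pw_change_only", POOL_ENFORCED, RISK_PW_CHANGE_ONLY)]:
        ok, why = blocks_compromised_sign_in(pool, risk)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({why})")
```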
Resource Type
Other