Amazon Cognito app clients use the PreventUserExistenceErrors setting to control whether authentication, account confirmation, and password-recovery responses disclose user existence. When it is ENABLED, those responses are generic rather than indicating whether a username exists; this check flags app clients on which it is not ENABLED.
Risk
If responses reveal whether a username exists, an adversary can enumerate valid accounts and then aim credential stuffing, password brute force, and password-reset abuse at them. This facilitates account takeover, leaks PII (a confirmed email address or phone number is itself personal data), and can degrade availability when automated guessing triggers account lockouts.
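The oracle described above, as an added example that is not part of this page or of Prowler: a small stand-in for the Cognito API with a constructed user store. The exception names and messages are the documented ones for USER_PASSWORD_AUTH sign-in and ForgotPassword; the accounts, the control username, and the wordlist are made up for the example.

```python
"""Model of the user-existence oracle that LEGACY error handling exposes.

Added example for this page, not code from Prowler or AWS. It stands in for
the Cognito API with a constructed user store: the exception names and
messages are the documented ones, the accounts are made up.
"""


class CognitoError(Exception):
    """Stand-in for a botocore ClientError, keyed by the Cognito error code."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code
        self.message = message


# Constructed user store (username -> password). Not a real pool.
USERS = {"alice@example.com": "correct-horse-battery-staple"}


def initiate_auth(username, password, mode):
    """Simulated InitiateAuth with USER_PASSWORD_AUTH.

    mode is the app client's PreventUserExistenceErrors value. LEGACY answers
    an unknown username with UserNotFoundException; ENABLED answers it with
    the same NotAuthorizedException a wrong password gets.
    """
    if username not in USERS:
        if mode == "LEGACY":
            raise CognitoError("UserNotFoundException", "User does not exist.")
        raise CognitoError("NotAuthorizedException", "Incorrect username or password.")
    if USERS[username] != password:
        raise CognitoError("NotAuthorizedException", "Incorrect username or password.")
    return {"AuthenticationResult": {"IdToken": "<constructed token>"}}


def forgot_password(username, mode):
    """Simulated ForgotPassword.

    LEGACY raises UserNotFoundException for an unknown user; ENABLED returns
    a simulated CodeDeliveryDetails object whether or not the user exists.
    """
    if username not in USERS and mode == "LEGACY":
        raise CognitoError("UserNotFoundException", "User does not exist.")
    return {"CodeDeliveryDetails": {"DeliveryMedium": "EMAIL", "Destination": "a***@e***"}}


def probe(username, mode):
    """Error code an attacker observes for a guessed username and a wrong password."""
    try:
        initiate_auth(username, "not-the-password", mode)
    except CognitoError as err:
        return err.code
    raise AssertionError("a wrong password must never authenticate")


def enumerate_users(candidates, mode):
    """Usernames the attacker can confirm exist from sign-in responses.

    A control name that cannot exist calibrates the oracle: if even it gets
    NotAuthorizedException, responses are generic and nothing is learned.
    """
    control = "not-a-real-account-4f9c@example.invalid"  # attacker-chosen, cannot exist
    baseline = probe(control, mode)
    if baseline != "UserNotFoundException":
        return set()
    return {user for user in candidates if probe(user, mode) != baseline}


def forgot_password_reveals_existence(username, mode):
    """True when ForgotPassword itself distinguishes unknown users."""
    try:
        forgot_password(username, mode)
    except CognitoError as err:
        return err.code == "UserNotFoundException"
    return False


if __name__ == "__main__":
    wordlist = ["alice@example.com", "bob@example.com", "carol@example.com"]  # constructed
    for mode in ("LEGACY", "ENABLED"):
        print(mode, "sign-in oracle confirms:", sorted(enumerate_users(wordlist, mode)))
        print(mode, "ForgotPassword leaks unknown user:",
              forgot_password_reveals_existence("bob@example.com", mode))
```

Against a real pool the same distinguisher is a loop over InitiateAuth with a throwaway password; the point of the control name is that an attacker does not need to know the client's setting in advance, only to compare a guaranteed-absent name with the candidates.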
prowler aws --checks cognito_user_pool_client_prevent_user_existence_errors
Recommendation
Enable user-existence suppression on every app client (PreventUserExistenceErrors=ENABLED). With ENABLED, signing in with an unknown username returns the same NotAuthorizedException as a wrong password, and ForgotPassword returns a simulated code-delivery response instead of UserNotFoundException, so the answer is generic whichever alias (username, email, or phone number) the attacker guesses. Treat LEGACY and an unset value the same way: an app client created through the API or CLI without the parameter defaults to LEGACY. If the pool uses custom authentication Lambda triggers, keep those generic too; with ENABLED, DefineAuthChallenge receives request.userNotFound instead of an error, and the trigger must not turn it back into a distinguishable response. Strengthen with MFA, rate limiting, and anomalous-login detection for defense in depth.
Remediation
aws cognito-idp update-user-pool-client --user-pool-id <USER_POOL_ID> --client-id <APP_CLIENT_ID> --prevent-user-existence-errors ENABLED
Note that update-user-pool-client resets every attribute you do not pass to its default value. Run describe-user-pool-client first and include the client's existing settings (token validity, explicit auth flows, OAuth configuration, callback and logout URLs) in the update rather than sending only this one flag, or the remediation will silently change the client's other behaviour.
- Open the Amazon Cognito console and go to User pools
- Select your user pool, then go to App integration > App clients
- Choose the target app client and click Edit
- Set Prevent user existence errors to Enabled
- Click Save changes
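The check and the safe form of the remediation, as an added example that is not Prowler's implementation and not AWS code. It operates on the UserPoolClient object that DescribeUserPoolClient returns, so it runs offline against the constructed sample clients below; with boto3 the same functions take cognito.describe_user_pool_client(...)["UserPoolClient"] and the returned request goes to update_user_pool_client. The pool and client IDs are made up.

```python
"""Audit app clients for PreventUserExistenceErrors and build a safe update.

Added example for this page, not Prowler's implementation and not AWS code.
It works on the UserPoolClient object that DescribeUserPoolClient returns,
so it runs offline against the constructed samples below; with boto3 you
would pass cognito.describe_user_pool_client(...)["UserPoolClient"] instead.
"""
import json

# Parameters UpdateUserPoolClient accepts besides UserPoolId and ClientId.
# Cognito resets any parameter missing from an update to its default, so a
# remediation must carry every one of these the client already has.
UPDATABLE_FIELDS = (
    "ClientName", "RefreshTokenValidity", "AccessTokenValidity", "IdTokenValidity",
    "TokenValidityUnits", "ReadAttributes", "WriteAttributes", "ExplicitAuthFlows",
    "SupportedIdentityProviders", "CallbackURLs", "LogoutURLs", "DefaultRedirectURI",
    "AllowedOAuthFlows", "AllowedOAuthScopes", "AllowedOAuthFlowsUserPoolClient",
    "AnalyticsConfiguration", "PreventUserExistenceErrors", "EnableTokenRevocation",
    "EnablePropagateAdditionalUserContextData", "AuthSessionValidity",
)


def evaluate(client):
    """Return ("PASS" | "FAIL", message) for one UserPoolClient description.

    Only the literal value ENABLED passes. LEGACY, and an absent value (the
    API default), both leave the disclosing error responses in place.
    """
    value = client.get("PreventUserExistenceErrors", "LEGACY")
    name = f"{client['ClientName']} ({client['ClientId']})"
    if value == "ENABLED":
        return "PASS", f"App client {name} has PreventUserExistenceErrors ENABLED."
    return "FAIL", (f"App client {name} has PreventUserExistenceErrors {value}; "
                    "user-existence errors are disclosed.")


def build_update_request(client):
    """Parameters for update_user_pool_client that change only this setting.

    Every updatable field the client already has is copied; read-only fields
    from the description (ClientSecret, CreationDate, LastModifiedDate) are
    dropped because the update API does not accept them.
    """
    request = {"UserPoolId": client["UserPoolId"], "ClientId": client["ClientId"]}
    for field in UPDATABLE_FIELDS:
        if field in client:
            request[field] = client[field]
    request["PreventUserExistenceErrors"] = "ENABLED"
    return request


def remediation_plan(clients):
    """Update requests for every client that fails the check."""
    return [build_update_request(c) for c in clients if evaluate(c)[0] == "FAIL"]


# Constructed DescribeUserPoolClient results; pool and client IDs are made up.
SAMPLE_CLIENTS = [
    {"UserPoolId": "us-east-1_EXAMPLE", "ClientId": "1example23456789", "ClientName": "web",
     "ExplicitAuthFlows": ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
     "PreventUserExistenceErrors": "ENABLED", "EnableTokenRevocation": True},
    {"UserPoolId": "us-east-1_EXAMPLE", "ClientId": "2example23456789", "ClientName": "mobile",
     "ClientSecret": "<redacted>", "RefreshTokenValidity": 30,
     "TokenValidityUnits": {"RefreshToken": "days"},
     "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
     "CallbackURLs": ["https://app.example.com/callback"],
     "PreventUserExistenceErrors": "LEGACY", "EnableTokenRevocation": True},
    {"UserPoolId": "us-east-1_EXAMPLE", "ClientId": "3example23456789", "ClientName": "legacy-cli",
     "ExplicitAuthFlows": ["ALLOW_ADMIN_USER_PASSWORD_AUTH"]},  # created via API, setting never given
]


if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        status, message = evaluate(client)
        print(status, message)
    for request in remediation_plan(SAMPLE_CLIENTS):
        # Each request is in the API's shape, so it can also be written to a file
        # and applied with: aws cognito-idp update-user-pool-client --cli-input-json file://req.json
        print(json.dumps(request, indent=2))
```

The second sample is the case the one-flag CLI command above gets wrong: it has a refresh-token validity, explicit auth flows, and a callback URL, all of which would be reset to defaults if the update carried only the flag. The third sample has no value at all and is reported as LEGACY, which is how an app client created through the API without the parameter behaves.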
Resource Type
Other
References
- https://repost.aws/knowledge-center/cognito-prevent-user-existence-errors
- https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html
- https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html
- https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cognito-userpoolclient.html