Amazon Cognito user pools have deletion protection set to ACTIVE. This check inspects each user pool's deletion protection status and fails any pool where it is not ACTIVE.
Risk
Without deletion protection, any principal with delete rights can remove a user pool in one action, causing immediate authentication outages. Identities and configurations are lost, breaking sign-ins and tokens, harming availability and integrity, and prolonging recovery if exports/backups are stale.
Run this check with Prowler CLI
prowler aws --checks cognito_user_pool_deletion_protection_enabled
Recommendation
Enable deletion protection (ACTIVE) on all production user pools.
- Enforce least privilege by restricting delete permissions
- Require change control and multi-party approval to deactivate protection
- Add monitoring and alerts for status changes as defense in depth
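As an added example (not Prowler's own code), the evaluation this check performs over DescribeUserPool output, together with a small CloudTrail detector for the status-change monitoring recommended above, run on constructed sample pools and events. The CloudTrail requestParameters field names (userPoolId, deletionProtection) are an assumption of this example.

```python
from typing import Iterable

# Constructed sample input: three DescribeUserPool "UserPool" dicts (ids are placeholders).
SAMPLE_POOLS = [
    {"Id": "us-east-1_EXAMPLE1", "Name": "prod-users", "DeletionProtection": "ACTIVE"},
    {"Id": "us-east-1_EXAMPLE2", "Name": "staging-users", "DeletionProtection": "INACTIVE"},
    {"Id": "us-east-1_EXAMPLE3", "Name": "legacy-users"},  # key absent: treated as INACTIVE
]

# Constructed sample CloudTrail records for the monitoring recommendation. Assumption of
# this example: requestParameters mirror the API parameters in camelCase.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "cognito-idp.amazonaws.com",
     "eventName": "UpdateUserPool", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userPoolId": "us-east-1_EXAMPLE1", "deletionProtection": "INACTIVE"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cognito-idp.amazonaws.com",
     "eventName": "DeleteUserPool", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userPoolId": "us-east-1_EXAMPLE1"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "cognito-idp.amazonaws.com",
     "eventName": "UpdateUserPool", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deployer"},
     "requestParameters": {"userPoolId": "us-east-1_EXAMPLE2", "deletionProtection": "ACTIVE"}},
]

def evaluate_user_pool(pool: dict) -> dict:
    """PASS/FAIL finding for one user pool, mirroring the check's logic.
    A missing DeletionProtection key is treated as INACTIVE, the service default."""
    status = pool.get("DeletionProtection", "INACTIVE")
    pool_id = pool.get("Id", "<unknown>")
    return {"resource_id": pool_id,
            "status": "PASS" if status == "ACTIVE" else "FAIL",
            "status_extended": f"User pool {pool_id} has deletion protection {status}."}

def find_protection_changes(events: Iterable[dict]) -> list:
    """Flag CloudTrail events that deactivate deletion protection or delete a pool.
    Each alert is (eventTime, eventName, userPoolId, caller ARN)."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "cognito-idp.amazonaws.com":
            continue
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        deactivated = name == "UpdateUserPool" and params.get("deletionProtection") == "INACTIVE"
        if deactivated or name == "DeleteUserPool":
            caller = (ev.get("userIdentity") or {}).get("arn")
            alerts.append((ev.get("eventTime"), name, params.get("userPoolId"), caller))
    return alerts

if __name__ == "__main__":  # run stand-alone to print findings and alerts
    print([evaluate_user_pool(p)["status"] for p in SAMPLE_POOLS])
    print(find_protection_changes(SAMPLE_EVENTS))
```

On a live account, the pool dicts are what `describe_user_pool()["UserPool"]` returns for each id from `list_user_pools`, and the events are CloudTrail records filtered to the cognito-idp event source.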
Remediation
CLI
aws cognito-idp update-user-pool --user-pool-id <example_resource_id> --deletion-protection ACTIVE
Other
- Open the AWS Management Console and go to Amazon Cognito
- Click User pools and select your pool
- Go to Settings > Deletion protection
- Click Activate (or toggle On) and Save
Resource Type
Other
References
- https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-deletion-protection.html
- https://repost.aws/questions/QUDX0aXegdThit0uD5kB_Fjw/cognito-user-pool-cannot-be-deleted-from-aws-console
- https://support.icompaas.com/support/solutions/articles/62000233677-ensure-cognito-user-pools-deletion-protection-enabled-to-prevent-accidental-deletion