This check assesses Amazon Cognito user pools for a password policy that requires at least one lowercase character (the RequireLowercase attribute of the pool's PasswordPolicy). Pools whose policy has RequireLowercase set pass; pools that return no password policy at all are reported as failing, since the requirement cannot be shown to be enforced.
Risk
Without a lowercase requirement the policy accepts passwords drawn from fewer character classes, shrinking the effective keyspace and making brute-force and dictionary attacks more feasible, while weak, reused passwords of the kind exploited by credential stuffing remain acceptable. A successfully guessed password gives the attacker account takeover: access to the user's data and tokens and the ability to change profile attributes, harming confidentiality and integrity.
prowler aws --checks cognito_user_pool_password_policy_lowercase
Recommendation
Enforce a strong password policy with RequireLowercase set to true, an adequate minimum length, and a mix of character classes. Complement it with defense in depth: enable MFA, apply rate limiting or lockout for repeated failed sign-in attempts, and block common passwords. Review the policy regularly so it matches the business risk and the user population.
Remediation
aws cognito-idp update-user-pool --user-pool-id <example_resource_id> --policies "PasswordPolicy={RequireLowercase=true}"
Caveat: per the AWS documentation for UpdateUserPool, any attribute omitted from the call is reset to its default value. Pass the complete PasswordPolicy (MinimumLength, RequireUppercase, RequireLowercase, RequireNumbers, RequireSymbols, TemporaryPasswordValidityDays) as currently configured, changing only RequireLowercase, and review the pool's other settings after the update.
- Open the Amazon Cognito console and go to User pools
- Select your user pool
- Navigate to Authentication (or Authentication methods) > Password policy
- Enable Require lowercase (Lowercase letters)
- Click Save changes
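The following is an added example and not the Prowler check's own source code. It replicates the check logic described above over DescribeUserPool responses, and builds a remediation payload that carries the existing policy forward so that re-applying it changes only RequireLowercase. The pool IDs, policies and the FakeCognitoClient class are constructed assumptions; FakeCognitoClient stands in for a boto3 cognito-idp client, which exposes describe_user_pool and update_user_pool with the same argument names.

```python
"""
Added example (not the Prowler check's own code): replicate the
cognito_user_pool_password_policy_lowercase logic over DescribeUserPool
responses and build a remediation payload that keeps the rest of the
existing password policy intact. Pool IDs and policies are constructed.
"""
import copy
from typing import Any, Dict, List

# Attributes of the PasswordPolicy structure accepted by UpdateUserPool.
POLICY_KEYS = (
    "MinimumLength",
    "RequireUppercase",
    "RequireLowercase",
    "RequireNumbers",
    "RequireSymbols",
    "TemporaryPasswordValidityDays",
)

# Constructed sample responses: the "UserPool" member of DescribeUserPool.
SAMPLE_POOLS: List[Dict[str, Any]] = [
    {"Id": "us-east-1_sample001", "Name": "customers",
     "Policies": {"PasswordPolicy": {
         "MinimumLength": 12, "RequireUppercase": True, "RequireLowercase": True,
         "RequireNumbers": True, "RequireSymbols": True,
         "TemporaryPasswordValidityDays": 7}}},
    {"Id": "us-east-1_sample002", "Name": "partners",
     "Policies": {"PasswordPolicy": {
         "MinimumLength": 8, "RequireUppercase": False, "RequireLowercase": False,
         "RequireNumbers": True, "RequireSymbols": False,
         "TemporaryPasswordValidityDays": 7}}},
    {"Id": "us-east-1_sample003", "Name": "legacy", "Policies": {}},  # no policy returned
]


def evaluate_pool(pool: Dict[str, Any]) -> Dict[str, str]:
    """PASS only when RequireLowercase is true. A pool with no password
    policy in the response is a FAIL: nothing proves the requirement holds."""
    policy = pool.get("Policies", {}).get("PasswordPolicy")
    if not policy:
        return {"resource": pool["Id"], "status": "FAIL",
                "reason": "no password policy returned"}
    if policy.get("RequireLowercase") is True:
        return {"resource": pool["Id"], "status": "PASS",
                "reason": "RequireLowercase is true"}
    return {"resource": pool["Id"], "status": "FAIL",
            "reason": "RequireLowercase is false"}


def run_check(pools: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Evaluate every pool, like the check does across an account."""
    return [evaluate_pool(p) for p in pools]


def remediated_policy(pool: Dict[str, Any]) -> Dict[str, Any]:
    """Full PasswordPolicy to send to UpdateUserPool. Existing attributes are
    copied so the update does not reset them to defaults; only RequireLowercase
    is forced to true. A pool with no policy gets just that flag, and Cognito
    fills the remaining attributes with its defaults, which should be reviewed."""
    current = pool.get("Policies", {}).get("PasswordPolicy") or {}
    new_policy = {k: v for k, v in current.items() if k in POLICY_KEYS}
    new_policy["RequireLowercase"] = True
    return new_policy


class FakeCognitoClient:
    """Constructed stand-in for boto3.client("cognito-idp") so this runs offline."""

    def __init__(self, pools: List[Dict[str, Any]]) -> None:
        self.pools = {p["Id"]: copy.deepcopy(p) for p in pools}
        self.calls: List[Any] = []  # record of update_user_pool invocations

    def describe_user_pool(self, UserPoolId: str) -> Dict[str, Any]:
        return {"UserPool": self.pools[UserPoolId]}

    def update_user_pool(self, UserPoolId: str, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append((UserPoolId, kwargs))
        policy = kwargs["Policies"]["PasswordPolicy"]
        self.pools[UserPoolId].setdefault("Policies", {})["PasswordPolicy"] = policy
        return {}


def remediate(client: Any, pool_id: str) -> Dict[str, Any]:
    """Read the current policy, force RequireLowercase, write it back. Works
    with a real boto3 cognito-idp client or the fake above."""
    pool = client.describe_user_pool(UserPoolId=pool_id)["UserPool"]
    policy = remediated_policy(pool)
    client.update_user_pool(UserPoolId=pool_id, Policies={"PasswordPolicy": policy})
    return policy


if __name__ == "__main__":
    client = FakeCognitoClient(SAMPLE_POOLS)
    for result in run_check(SAMPLE_POOLS):
        print(result)
        if result["status"] == "FAIL":
            print("  applied:", remediate(client, result["resource"]))
```

To run against a real account, replace FakeCognitoClient with boto3.client("cognito-idp") and feed run_check the UserPool members returned by describe_user_pool for each pool listed by list_user_pools. Because UpdateUserPool resets omitted attributes to defaults, check the pool's other settings (MFA configuration, Lambda triggers, and so on) after the call, not just the password policy.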
Source Code
Resource Type
Other