Amazon Cognito user pool password policy includes a symbol requirement for user passwords.
Checks each user pool for the presence of a password policy and, where one exists, whether RequireSymbols is enabled; a pool with no password policy or with RequireSymbols disabled fails.
Risk
Without a symbol requirement, users can pick passwords drawn from a smaller character set, which lowers the cost of guessing them by brute force or password spraying. Complexity rules do not stop credential stuffing, where the attacker already holds a password reused from another breach; that threat needs MFA and compromised-credential detection on top of the policy.
A compromised account lets the attacker obtain tokens issued by the pool, read and change the user's data and profile, and act as that user in every application that trusts the pool, affecting confidentiality and integrity across all of them.
prowler aws --checks cognito_user_pool_password_policy_symbol
Recommendation
Enforce a strong password policy: require_symbols=true together with an adequate minimum length and the upper-case, lower-case and numeric requirements. Pair it with MFA, Cognito's temporary lockout after repeated failed sign-in attempts, its advanced security features (compromised credentials detection and adaptive authentication), and credential hygiene to reduce takeover risk. Apply defense in depth and least privilege so that a compromised account has a limited blast radius.
Remediation
aws cognito-idp describe-user-pool --user-pool-id <example_resource_id> --query 'UserPool.Policies.PasswordPolicy'
aws cognito-idp update-user-pool --user-pool-id <example_resource_id> --policies "PasswordPolicy={MinimumLength=12,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=true,TemporaryPasswordValidityDays=7}"
Run describe-user-pool first and carry the current values into the update (the 12-character minimum above is only an example): update-user-pool resets every user pool attribute you omit to its default value, so passing only RequireSymbols=true can silently change the other password settings and other pool configuration.
- Open the Amazon Cognito console and go to User pools
- Select the target user pool
- Go to Authentication (or Sign-in experience) > Password policy
- Enable Require special characters (Require symbols)
- Click Save changes
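Added example (not Prowler's or AWS's own code): a Python script that applies the check's condition to describe_user_pool output and builds a remediation policy that keeps the pool's existing password settings, which matters because UpdateUserPool resets any attribute you omit to its default. The sample pools, the 12-character baseline used when a pool has no policy at all, and the function names are this example's assumptions; scan_region() is the only part that talks to AWS and needs boto3 plus credentials, everything else runs offline.

```python
"""Evaluate and remediate RequireSymbols on Cognito user pool password policies.

Added example, not Prowler's or AWS's code. The evaluation functions take the
plain dict returned by describe_user_pool()["UserPool"], so they run offline.
"""
import copy
import json
import sys

try:
    import boto3  # only required by scan_region()
except ImportError:
    boto3 = None

# Baseline applied when a pool reports no password policy at all.
# These values are this example's assumption, not a Prowler or AWS default.
BASELINE_POLICY = {
    "MinimumLength": 12,
    "RequireUppercase": True,
    "RequireLowercase": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "TemporaryPasswordValidityDays": 7,
}


def evaluate_password_policy(user_pool):
    """Return (status, reason) for one user pool dict.

    Same condition as the check: FAIL when there is no password policy or
    when RequireSymbols is false, PASS otherwise.
    """
    policy = user_pool.get("Policies", {}).get("PasswordPolicy")
    if not policy:
        return "FAIL", "user pool has no password policy"
    if not policy.get("RequireSymbols", False):
        return "FAIL", "password policy does not require symbols"
    return "PASS", "password policy requires symbols"


def remediated_policy(user_pool):
    """Build the Policies argument for update_user_pool().

    Copies every existing PasswordPolicy field and only sets RequireSymbols,
    because UpdateUserPool resets any field you omit to its default value.
    The input dict is left unmodified.
    """
    existing = user_pool.get("Policies", {}).get("PasswordPolicy")
    new_policy = copy.deepcopy(existing) if existing else dict(BASELINE_POLICY)
    new_policy["RequireSymbols"] = True
    return {"PasswordPolicy": new_policy}


def scan_region(region_name):
    """Live: return [(pool_id, status, reason)] for every pool in a region."""
    client = boto3.client("cognito-idp", region_name=region_name)
    findings = []
    paginator = client.get_paginator("list_user_pools")
    for page in paginator.paginate(PaginationConfig={"PageSize": 60}):
        for summary in page["UserPools"]:
            pool = client.describe_user_pool(UserPoolId=summary["Id"])["UserPool"]
            status, reason = evaluate_password_policy(pool)
            findings.append((pool["Id"], status, reason))
    return findings


# Constructed sample pools (not real AWS output) covering the three cases.
SAMPLE_POOLS = [
    {"Id": "pool-no-policy", "Policies": {}},
    {"Id": "pool-no-symbols", "Policies": {"PasswordPolicy": {
        "MinimumLength": 10, "RequireUppercase": True, "RequireLowercase": True,
        "RequireNumbers": True, "RequireSymbols": False,
        "TemporaryPasswordValidityDays": 3}}},
    {"Id": "pool-ok", "Policies": {"PasswordPolicy": {
        "MinimumLength": 8, "RequireSymbols": True}}},
]


def main(argv):
    if len(argv) > 1:  # live scan: python3 cognito_symbols.py eu-west-1
        for pool_id, status, reason in scan_region(argv[1]):
            print(f"{status} {pool_id}: {reason}")
        return
    for pool in SAMPLE_POOLS:  # offline run on the constructed samples
        status, reason = evaluate_password_policy(pool)
        print(f"{status} {pool['Id']}: {reason}")
        if status == "FAIL":
            # JSON usable as: aws cognito-idp update-user-pool --policies file://policy.json
            print(json.dumps(remediated_policy(pool)))


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments to see the three sample verdicts and the merged policy JSON for each failing pool; the JSON can be saved and passed to the CLI as --policies file://policy.json so that the existing MinimumLength and other fields are sent back rather than reset.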
Resource Type
Other