Cognito user pool password policy requires at least one uppercase letter

cognito_user_pool_password_policy_uppercase

Severity: medium
Service: cognito
by Prowler

Amazon Cognito user pool password policy is evaluated for an uppercase character requirement (require_uppercase). The check also identifies user pools that have no password policy configured.

Risk

Missing an uppercase requirement lowers password entropy, easing password spraying, brute force, and offline cracking. Account takeover risks user data (confidentiality), enables unauthorized changes (integrity), and may disrupt services through abuse or lockouts (availability).

Run this check with Prowler CLI

prowler aws --checks cognito_user_pool_password_policy_uppercase

Recommendation

Enforce a strong password policy requiring uppercase characters, sufficient minimum_length, and diverse character sets. Layer defenses: MFA, rate limiting/lockout, and password reuse history. Where feasible, prefer long passphrases and monitor authentication events to prevent account takeover.

Remediation

CLI

aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --policies PasswordPolicy={RequireUppercase=true}

Other
  1. Open the Amazon Cognito console and go to User pools
  2. Select your user pool
  3. Go to Authentication methods (or Sign-in experience) > Password policy
  4. Check Requires at least one uppercase letter
  5. Click Save changes
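As an added example (not Prowler's own source code), the Python below mirrors the check's pass/fail logic, including the edge case of a pool with no password policy at all, and builds a Policies argument for update-user-pool that keeps the pool's other settings intact. The user pool dicts and their Ids are constructed samples shaped like the describe_user_pool output; no AWS calls are made.

```python
def evaluate_uppercase_requirement(user_pool: dict) -> dict:
    """Classify one user pool the way the check describes.

    A pool with no Policies/PasswordPolicy at all is FAIL, matching the
    check's handling of pools without a configured password policy.
    """
    pool_id = user_pool.get("Id", "<unknown>")
    policy = (user_pool.get("Policies") or {}).get("PasswordPolicy")
    if not policy:
        return {"status": "FAIL",
                "reason": f"User pool {pool_id} has no password policy configured"}
    if policy.get("RequireUppercase") is True:
        return {"status": "PASS",
                "reason": f"User pool {pool_id} requires an uppercase letter"}
    return {"status": "FAIL",
            "reason": f"User pool {pool_id} does not require an uppercase letter"}


def remediation_policies(user_pool: dict) -> dict:
    """Build the Policies argument for update-user-pool for a failing pool.

    Existing PasswordPolicy fields are copied first so only RequireUppercase
    changes: UpdateUserPool resets attributes you do not supply to their
    defaults, so sending RequireUppercase alone could weaken the rest.
    """
    current = dict((user_pool.get("Policies") or {}).get("PasswordPolicy") or {})
    current["RequireUppercase"] = True
    return {"PasswordPolicy": current}


# Constructed sample pools shaped like describe_user_pool()["UserPool"];
# the Ids are placeholders, not real resources.
SAMPLE_POOLS = [
    {"Id": "us-east-1_EXAMPLE1", "Policies": {"PasswordPolicy": {
        "MinimumLength": 12, "RequireUppercase": True, "RequireLowercase": True,
        "RequireNumbers": True, "RequireSymbols": True}}},
    {"Id": "us-east-1_EXAMPLE2", "Policies": {"PasswordPolicy": {
        "MinimumLength": 14, "RequireUppercase": False, "RequireLowercase": True,
        "RequireNumbers": True, "RequireSymbols": False}}},
    {"Id": "us-east-1_EXAMPLE3"},  # no password policy configured at all
]

if __name__ == "__main__":
    for pool in SAMPLE_POOLS:
        result = evaluate_uppercase_requirement(pool)
        print(result["status"], "-", result["reason"])
        if result["status"] == "FAIL":
            print("  --policies", remediation_policies(pool))
```

The same merge-then-set step applies to the CLI remediation above: pass the full PasswordPolicy, not just RequireUppercase, when the pool already has other requirements set.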

Resource Type: Other
