This check evaluates Amazon Cognito user pools for self-service sign-up. The expected configuration is AllowAdminCreateUserOnly=true, so that only administrators can create accounts.
When self sign-up is allowed, the check also reports any linked identity pools and the authenticated role(s) that newly registered users could assume through them.
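The evaluation described above, as an added example that is not Prowler's own code: pure functions over the response shapes of DescribeUserPool, DescribeIdentityPool and GetIdentityPoolRoles, run here against constructed sample data (the pool ids, client id and role ARN are placeholders).

```python
"""Flag Cognito user pools that allow self-service sign-up and list the
identity pools (and authenticated roles) such users could reach.
Works on the dict shapes returned by boto3's describe_user_pool,
describe_identity_pool and get_identity_pool_roles, so it runs offline."""
from __future__ import annotations


def self_signup_allowed(user_pool: dict) -> bool:
    """True unless AdminCreateUserConfig.AllowAdminCreateUserOnly is set.
    The AWS default is False (self sign-up on), so a missing key is a FAIL."""
    cfg = user_pool.get("AdminCreateUserConfig") or {}
    return not cfg.get("AllowAdminCreateUserOnly", False)


def linked_identity_pools(user_pool_id: str, identity_pools: list[tuple[dict, dict]]) -> list[dict]:
    """Identity pools whose Cognito provider points at this user pool, each with
    the authenticated role ARN its users assume (None if no role is mapped)."""
    linked = []
    for pool, roles in identity_pools:
        providers = pool.get("CognitoIdentityProviders", [])
        if any(p.get("ProviderName", "").endswith("/" + user_pool_id) for p in providers):
            linked.append({
                "identity_pool_id": pool["IdentityPoolId"],
                "authenticated_role": (roles.get("Roles") or {}).get("authenticated"),
            })
    return linked


def evaluate(user_pool: dict, identity_pools: list[tuple[dict, dict]]) -> dict:
    """One finding per user pool: PASS when admin-only, FAIL plus exposure otherwise."""
    pool_id = user_pool["Id"]
    if not self_signup_allowed(user_pool):
        return {"user_pool_id": pool_id, "status": "PASS", "linked_identity_pools": []}
    return {"user_pool_id": pool_id, "status": "FAIL",
            "linked_identity_pools": linked_identity_pools(pool_id, identity_pools)}


# Constructed sample data; none of these identifiers are real AWS resources.
USER_POOL_OPEN = {"Id": "us-east-1_EXAMPLE1", "Name": "open-pool",
                  "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False}}
USER_POOL_CLOSED = {"Id": "us-east-1_EXAMPLE2", "Name": "admin-only-pool",
                    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}}
IDENTITY_POOLS = [(
    {"IdentityPoolId": "us-east-1:11111111-2222-3333-4444-555555555555",
     "CognitoIdentityProviders": [{"ProviderName": "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE1",
                                   "ClientId": "exampleclientid"}]},
    {"Roles": {"authenticated": "arn:aws:iam::123456789012:role/Cognito_AuthRole"}},
)]

if __name__ == "__main__":
    for pool in (USER_POOL_OPEN, USER_POOL_CLOSED):
        print(evaluate(pool, IDENTITY_POOLS))
```

Against a live account, feed `evaluate` the `UserPool` member of each describe_user_pool response and the describe_identity_pool / get_identity_pool_roles pairs for every identity pool in the region.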
Risk
Open sign-up lets untrusted users obtain authenticated identities and, through linked identity pools, potentially assume IAM roles. This can expose data (confidentiality), enable unauthorized actions (integrity), and drive abuse or cost through resource consumption (availability). Mass registrations and token harvesting increase the chance of lateral access.
prowler aws --checks cognito_user_pool_self_registration_disabled
Recommendation
Enforce admin-only user creation. If self sign-up is necessary, require email or phone verification, MFA, and bot protection, and restrict the app clients that may register users. Apply least privilege to any roles granted to authenticated users and minimize token scopes. Use approval or invite flows, add rate limits, monitor sign-ups, and audit access for defense in depth.
Remediation
aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --admin-create-user-config AllowAdminCreateUserOnly=true
- Open the AWS Console and go to Amazon Cognito > User pools
- Select the user pool
- Go to the Sign-up tab
- In Self-service sign-up, click Edit and disable (uncheck) Enable self-registration
- Click Save changes
Resource Type: Other