Amazon Cognito user pools let administrators create users with temporary passwords (for example through the AdminCreateUser API); the user must replace the temporary password at first sign-in. This check evaluates whether each user pool defines a password policy and sets the temporary password validity to 7 days or fewer.
Risk
Long-lived temporary passwords, or the absence of a password policy, widen the window in which an unused temporary credential can be reused or intercepted. An attacker who obtains a temporary password before its legitimate owner uses it can complete the first sign-in and set a new password of their own, resulting in account takeover, unauthorized data access, and changes that affect confidentiality and integrity.
prowler aws --checks cognito_user_pool_temporary_password_expiration
Recommendation
Define a password policy with a temporary password validity of 7 days or fewer (use the shortest period that fits your onboarding process). Cognito already forces a password change at first sign-in; pair this with MFA enrollment and deliver temporary passwords over a secure channel rather than unauthenticated email or chat. Apply least privilege to the identities behind the pool, and revoke or reissue temporary credentials that are not used promptly.
Remediation
aws cognito-idp update-user-pool --user-pool-id <example_resource_id> --policies "PasswordPolicy={TemporaryPasswordValidityDays=7}"
Caveat: update-user-pool resets every attribute you omit to its default, including the other PasswordPolicy fields (minimum length, character requirements). Export the current configuration with describe-user-pool first and pass the full policy (and the pool's other settings) back, changing only TemporaryPasswordValidityDays. If the pool still uses the legacy AdminCreateUserConfig setting UnusedAccountValidityDays, remove it in the same call; Cognito does not accept both values.
- Open the Amazon Cognito console and select User pools
- Choose your user pool
- Go to Authentication (or Authentication methods) > Password policy
- Set Temporary passwords set by administrators expire in to 7 (or fewer) days
- Click Save changes
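The following is an added example, not Prowler's or AWS's own code. It shows both halves of this page in working form: the evaluation the check performs (no password policy, or a temporary password validity above 7 days, fails) and a remediation helper that builds the update_user_pool arguments without clobbering the rest of the password policy. It operates on the dict that boto3's cognito-idp describe_user_pool returns under response["UserPool"]; the three sample pools and the function names are constructed for the example.

```python
"""Added example (not Prowler's or AWS's own code): evaluate a Cognito user
pool the way the check above does, and build a safe update_user_pool call.

Works on the dict that boto3's cognito-idp describe_user_pool returns under
response["UserPool"]. The three pools below are constructed sample data so
the module runs offline; only the fields the example needs are filled in.
"""
from __future__ import annotations

MAX_TEMP_PASSWORD_DAYS = 7  # threshold enforced by the check

# Constructed sample pools (shape of describe_user_pool()["UserPool"]).
POOL_NO_POLICY = {"Id": "us-east-1_example1", "Name": "no-policy", "Policies": {}}
POOL_TOO_LONG = {
    "Id": "us-east-1_example2",
    "Name": "long-temp-password",
    "Policies": {"PasswordPolicy": {"MinimumLength": 12, "RequireSymbols": True,
                                    "TemporaryPasswordValidityDays": 30}},
    # Legacy setting that conflicts with TemporaryPasswordValidityDays.
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True,
                              "UnusedAccountValidityDays": 30},
}
POOL_COMPLIANT = {
    "Id": "us-east-1_example3",
    "Name": "compliant",
    "Policies": {"PasswordPolicy": {"MinimumLength": 14,
                                    "TemporaryPasswordValidityDays": 3}},
}


def temporary_password_days(user_pool: dict) -> int | None:
    """TemporaryPasswordValidityDays from the pool's password policy, or None
    when the pool has no password policy or the field is absent."""
    policy = user_pool.get("Policies", {}).get("PasswordPolicy")
    if not policy:
        return None
    return policy.get("TemporaryPasswordValidityDays")


def evaluate(user_pool: dict, max_days: int = MAX_TEMP_PASSWORD_DAYS) -> tuple[str, str]:
    """Return ("PASS" | "FAIL", reason) for one user pool, mirroring the
    check's logic: an absent policy or a validity above the limit fails."""
    name = user_pool.get("Name") or user_pool.get("Id", "<unknown>")
    days = temporary_password_days(user_pool)
    if days is None:
        return "FAIL", f"User pool {name} has no password policy setting temporary password validity."
    if days > max_days:
        return "FAIL", f"User pool {name} keeps temporary passwords valid for {days} days (limit {max_days})."
    return "PASS", f"User pool {name} expires temporary passwords after {days} days."


def build_update_kwargs(user_pool: dict, max_days: int = MAX_TEMP_PASSWORD_DAYS) -> dict:
    """Keyword arguments for cognito-idp update_user_pool that tighten only the
    temporary password validity.

    update_user_pool resets any attribute you omit to its default, so the
    existing PasswordPolicy is copied and only the validity is changed. Other
    pool attributes (MFA, Lambda triggers, ...) must be passed back the same
    way in a real remediation; this example handles the two that matter here.
    """
    password_policy = dict(user_pool.get("Policies", {}).get("PasswordPolicy") or {})
    current = password_policy.get("TemporaryPasswordValidityDays")
    password_policy["TemporaryPasswordValidityDays"] = (
        max_days if current is None else min(current, max_days)
    )
    kwargs = {"UserPoolId": user_pool["Id"], "Policies": {"PasswordPolicy": password_policy}}

    # Cognito rejects TemporaryPasswordValidityDays while the legacy
    # AdminCreateUserConfig.UnusedAccountValidityDays is set, so drop it.
    admin_cfg = user_pool.get("AdminCreateUserConfig")
    if admin_cfg:
        kwargs["AdminCreateUserConfig"] = {
            k: v for k, v in admin_cfg.items() if k != "UnusedAccountValidityDays"
        }
    return kwargs


if __name__ == "__main__":
    for pool in (POOL_NO_POLICY, POOL_TOO_LONG, POOL_COMPLIANT):
        status, reason = evaluate(pool)
        print(f"{status}: {reason}")
        if status == "FAIL":
            # Live remediation would be:
            #   boto3.client("cognito-idp").update_user_pool(**build_update_kwargs(pool))
            print("  remediation:", build_update_kwargs(pool))
```

To run this against a real account, replace the sample dicts with `boto3.client("cognito-idp").describe_user_pool(UserPoolId=...)["UserPool"]` and review the returned kwargs before calling update_user_pool; the helper deliberately preserves the other password policy fields so the remediation does not weaken minimum length or character requirements as a side effect.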
Source Code
Resource Type
Other