Block Sign-In with Compromised Credentials in Amazon Cognito

Overview

This check verifies that Amazon Cognito User Pools have threat protection enabled with advanced security set to ENFORCED and that compromised credentials policies apply a BLOCK action to sign-in attempts.

Amazon Cognito can detect when users attempt to sign in with passwords that have been exposed in data breaches. When this feature is enabled and set to block, Cognito will prevent these risky sign-ins automatically.

Risk

Allowing sign-in with leaked or reused passwords enables account takeover attacks. This can expose user tokens and profile data (confidentiality), permit unauthorized changes to user accounts (integrity), and enable abuse of linked APIs and sessions (availability impacts through misuse or lockout).

Remediation Steps

Prerequisites

You need permission to modify Amazon Cognito User Pools. Your user pool must be on the Plus tier to use threat protection features.

About Cognito tiers

Amazon Cognito User Pools has two tiers:

  • Essentials: Basic authentication features
  • Plus: Includes advanced security features like threat protection and compromised credentials detection

If your user pool is on the Essentials tier, you will need to upgrade to Plus before enabling these features. This may affect pricing.

AWS Console Method

  1. Open the Amazon Cognito console
  2. Choose User pools from the left navigation
  3. Select the user pool you want to secure
  4. Choose the Threat protection tab
  5. If threat protection is not active, choose Activate threat protection
  6. Set Enforcement mode to Full function (this enables advanced security in ENFORCED mode)
  7. Under Compromised credentials, ensure Sign-in is checked in the Event detection section
  8. Set the Action to Block sign-in
  9. Choose Save changes

AWS CLI (optional)

Enabling threat protection requires two steps: enabling advanced security mode on the user pool and configuring the risk settings.

Step 1: Enable advanced security mode

First, update the user pool to enable advanced security:

aws cognito-idp update-user-pool \
  --user-pool-id <your-user-pool-id> \
  --user-pool-add-ons AdvancedSecurityMode=ENFORCED \
  --region us-east-1

Step 2: Configure compromised credentials blocking

Then, set the risk configuration to block sign-ins with compromised credentials:

aws cognito-idp set-risk-configuration \
  --user-pool-id <your-user-pool-id> \
  --compromised-credentials-risk-configuration '{
    "EventFilter": ["SIGN_IN"],
    "Actions": {
      "EventAction": "BLOCK"
    }
  }' \
  --region us-east-1

Replace <your-user-pool-id> with your actual user pool ID (format: us-east-1_xxxxxxxxx).

Important: The update-user-pool command will reset any unspecified parameters to defaults. To preserve existing settings, first describe the user pool and include all current configuration in your update command:

aws cognito-idp describe-user-pool \
  --user-pool-id <your-user-pool-id> \
  --region us-east-1
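
The following script is an added example, not code from the original page or an AWS sample. It shows one way to act on the warning above: take the parsed output of describe-user-pool, keep every setting that update-user-pool accepts, drop the read-only fields, and set AdvancedSecurityMode to ENFORCED, so nothing is silently reset. The list of updatable parameters and the sample pool are assumptions made for the example (transcribed from the UpdateUserPool request syntax as I understand it; check it against the current API reference).

```python
"""Preserve a Cognito user pool's settings while enabling advanced security.

Added example, not part of the original page or an AWS sample. It turns the
output of describe-user-pool into the argument set for update-user-pool so
that settings not named on the command line are not reset to defaults.
"""
import copy

# Request parameters that UpdateUserPool accepts. Assumption: transcribed from
# the UpdateUserPool request syntax; verify against the current API reference,
# since parameters are added over time.
UPDATABLE_KEYS = {
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage",
    "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "UserAttributeUpdateSettings",
    "MfaConfiguration", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig",
    "UserPoolAddOns", "AccountRecoverySetting", "UserPoolTier",
}


def build_update_request(describe_output, ensure_plus_tier=False):
    """Return the kwargs for boto3 update_user_pool (also usable as the JSON
    for `aws cognito-idp update-user-pool --cli-input-json`).

    describe_output is the parsed describe-user-pool response. Read-only
    fields it carries (Id, Arn, Status, CreationDate, SchemaAttributes,
    UsernameAttributes, EstimatedNumberOfUsers, ...) are dropped because
    UpdateUserPool rejects them. The input dict is not modified.
    """
    pool = describe_output["UserPool"]
    request = {k: copy.deepcopy(v) for k, v in pool.items() if k in UPDATABLE_KEYS}
    request["UserPoolId"] = pool["Id"]
    # DescribeUserPool reports the name as "Name"; UpdateUserPool takes "PoolName".
    if "Name" in pool:
        request["PoolName"] = pool["Name"]
    if ensure_plus_tier:
        # Threat protection needs the Plus tier; opting in explicitly keeps the
        # pricing change a deliberate choice rather than a side effect.
        request["UserPoolTier"] = "PLUS"
    request.setdefault("UserPoolAddOns", {})["AdvancedSecurityMode"] = "ENFORCED"
    return request


# Constructed sample of a describe-user-pool response (not a real pool).
SAMPLE_DESCRIBE = {
    "UserPool": {
        "Id": "us-east-1_EXAMPLE01",
        "Name": "secure-user-pool",
        "Arn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE01",
        "Status": "Enabled",
        "CreationDate": "2024-01-01T00:00:00Z",
        "SchemaAttributes": [{"Name": "email", "Required": True}],
        "UsernameAttributes": ["email"],
        "Policies": {"PasswordPolicy": {"MinimumLength": 12, "RequireSymbols": True}},
        "MfaConfiguration": "OPTIONAL",
        "AutoVerifiedAttributes": ["email"],
        "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"},
        "UserPoolTier": "ESSENTIALS",
        "EstimatedNumberOfUsers": 42,
    }
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_update_request(SAMPLE_DESCRIBE, ensure_plus_tier=True), indent=2))
```

With boto3 the round trip is `client.update_user_pool(**build_update_request(client.describe_user_pool(UserPoolId=pool_id), ensure_plus_tier=True))`. Leaving ensure_plus_tier at its default keeps whatever tier the pool reports, which for an Essentials pool means the request still has to be combined with the tier upgrade the Prerequisites section describes.
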

CloudFormation (optional)

Use this CloudFormation template to create a new Cognito User Pool with advanced security enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito User Pool with Advanced Security and Compromised Credentials Protection

Parameters:
  UserPoolName:
    Type: String
    Default: secure-user-pool
    Description: Name for the Cognito User Pool

Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Ref UserPoolName
      UserPoolAddOns:
        AdvancedSecurityMode: ENFORCED
      Policies:
        PasswordPolicy:
          MinimumLength: 12
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
          RequireUppercase: true

Outputs:
  UserPoolId:
    Description: The ID of the Cognito User Pool
    Value: !Ref CognitoUserPool
  UserPoolArn:
    Description: The ARN of the Cognito User Pool
    Value: !GetAtt CognitoUserPool.Arn

Note: CloudFormation does not directly support configuring the compromised credentials risk configuration through AWS::Cognito::UserPool. After deploying the stack, you will need to configure the risk settings using the AWS Console or CLI.

Terraform (optional)

Use these Terraform resources to create a Cognito User Pool with advanced security and compromised credentials blocking:

resource "aws_cognito_user_pool" "example" {
  name = "secure-user-pool"

  user_pool_add_ons {
    advanced_security_mode = "ENFORCED"
  }

  password_policy {
    minimum_length    = 12
    require_lowercase = true
    require_numbers   = true
    require_symbols   = true
    require_uppercase = true
  }
}

resource "aws_cognito_risk_configuration" "example" {
  user_pool_id = aws_cognito_user_pool.example.id

  compromised_credentials_risk_configuration {
    actions {
      event_action = "BLOCK"
    }
    event_filter = ["SIGN_IN"]
  }
}

This configuration:

  • Creates a user pool with advanced security in ENFORCED mode
  • Configures compromised credentials detection for sign-in events
  • Blocks sign-in attempts when compromised credentials are detected

Verification

After making changes, verify the configuration is correct:

  1. In the Cognito console, go to your user pool
  2. Choose the Threat protection tab
  3. Confirm that:
    • Threat protection shows as Active
    • Enforcement mode is set to Full function
    • Under Compromised credentials, Sign-in is selected and Action is Block sign-in

Verify with AWS CLI

Check the user pool's advanced security mode:

aws cognito-idp describe-user-pool \
  --user-pool-id <your-user-pool-id> \
  --query 'UserPool.UserPoolAddOns' \
  --region us-east-1

Expected output:

{
  "AdvancedSecurityMode": "ENFORCED"
}

Check the risk configuration:

aws cognito-idp describe-risk-configuration \
  --user-pool-id <your-user-pool-id> \
  --region us-east-1

Verify the output includes:

{
  "RiskConfiguration": {
    "CompromisedCredentialsRiskConfiguration": {
      "EventFilter": ["SIGN_IN"],
      "Actions": {
        "EventAction": "BLOCK"
      }
    }
  }
}
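
The following is an added example, not code from the original page or from AWS. It applies the two verification commands' conditions to their parsed output and returns every reason a pool fails, so the check can be run across many pools rather than read by eye. The sample responses are constructed for the example; the handling of an omitted EventFilter (treated as covering all event types, which is how the API documents the default) is an assumption worth confirming against the current API reference.

```python
"""Evaluate Cognito API output against this check.

Added example, not from the original page: feeds the responses of
describe-user-pool and describe-risk-configuration through the same
conditions the console verification steps spell out, and returns every
reason a pool fails instead of a bare pass/fail.
"""
import json


def evaluate_pool(user_pool_response, risk_config_response):
    """Return a list of findings; an empty list means the pool passes.

    Both arguments are the parsed JSON (dicts) returned by the CLI commands.
    """
    findings = []
    addons = user_pool_response.get("UserPool", {}).get("UserPoolAddOns") or {}
    mode = addons.get("AdvancedSecurityMode", "OFF")
    if mode != "ENFORCED":
        findings.append(f"AdvancedSecurityMode is {mode}; threat protection must be ENFORCED "
                        "(AUDIT only records compromised-credential sign-ins)")

    risk = risk_config_response.get("RiskConfiguration", {})
    ccrc = risk.get("CompromisedCredentialsRiskConfiguration")
    if ccrc is None:
        findings.append("no CompromisedCredentialsRiskConfiguration on the user pool")
        return findings

    # Assumption: when EventFilter is omitted, Cognito applies the action to
    # every event type, so only an explicit filter that leaves out SIGN_IN fails.
    events = ccrc.get("EventFilter")
    if events is not None and "SIGN_IN" not in events:
        findings.append(f"EventFilter {events} does not cover SIGN_IN")

    action = (ccrc.get("Actions") or {}).get("EventAction")
    if action != "BLOCK":
        findings.append(f"EventAction is {action}; expected BLOCK")
    return findings


def evaluate_pool_json(user_pool_json, risk_config_json):
    """Same check over the raw CLI output strings."""
    return evaluate_pool(json.loads(user_pool_json), json.loads(risk_config_json))


# Constructed sample responses (not from a real account).
COMPLIANT_POOL = {"UserPool": {"Id": "us-east-1_EXAMPLE01",
                               "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"}}}
COMPLIANT_RISK = {"RiskConfiguration": {
    "UserPoolId": "us-east-1_EXAMPLE01",
    "CompromisedCredentialsRiskConfiguration": {"EventFilter": ["SIGN_IN"],
                                                "Actions": {"EventAction": "BLOCK"}}}}
AUDIT_POOL = {"UserPool": {"Id": "us-east-1_EXAMPLE02",
                           "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"}}}
NO_ACTION_RISK = {"RiskConfiguration": {
    "UserPoolId": "us-east-1_EXAMPLE02",
    "CompromisedCredentialsRiskConfiguration": {"EventFilter": ["SIGN_UP"],
                                                "Actions": {"EventAction": "NO_ACTION"}}}}
NO_ADDONS_POOL = {"UserPool": {"Id": "us-east-1_EXAMPLE03"}}  # threat protection never enabled
EMPTY_RISK = {"RiskConfiguration": {"UserPoolId": "us-east-1_EXAMPLE03"}}

if __name__ == "__main__":
    for label, pool, risk in [("compliant", COMPLIANT_POOL, COMPLIANT_RISK),
                              ("audit-only", AUDIT_POOL, NO_ACTION_RISK),
                              ("never enabled", NO_ADDONS_POOL, EMPTY_RISK)]:
        result = evaluate_pool(pool, risk)
        print(label, "PASS" if not result else result)
```

Piping the two CLI commands' output into evaluate_pool_json gives the same result as the manual comparison above; the audit-only sample shows why the "Audit-only" mode mentioned in the Notes still fails this check.
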

Additional Resources

Notes

  • Pricing impact: Advanced security features require the Plus tier, which has different pricing than the Essentials tier. Review the pricing page before enabling.
  • User experience: When a user's credentials are blocked, they will receive an error message. Consider having a clear password reset flow available.
  • Defense in depth: For comprehensive protection, combine threat protection with MFA, strong password policies, and monitoring of security logs.
  • Audit mode alternative: If you want to monitor without blocking, you can set the enforcement mode to "Audit-only" first to evaluate the impact before switching to full enforcement.