Ensure That Token Revocation Is Enabled for Amazon Cognito User Pools
Overview
This check verifies that Amazon Cognito user pool app clients have token revocation enabled. Token revocation allows you to invalidate refresh tokens and their derived access/ID tokens, effectively ending user sessions when needed.
Risk
Without token revocation enabled, stolen or residual refresh tokens remain valid until they naturally expire. This means:
- Session hijacking: A stolen token can be used even after the user signs out
- Unauthorized access: Deleted or disabled users may still access resources until tokens expire
- Compliance gaps: Many security frameworks require the ability to immediately terminate sessions
Remediation Steps
Prerequisites
You need:
- Access to the AWS Console with permissions to modify Cognito User Pools, or
- AWS CLI configured with appropriate IAM permissions
Required IAM permissions
Your IAM user or role needs these permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:UpdateUserPoolClient",
        "cognito-idp:ListUserPoolClients",
        "cognito-idp:ListUserPools"
      ],
      "Resource": "*"
    }
  ]
}
```
AWS Console Method
- Sign in to the AWS Console and go to Amazon Cognito
- Click User pools in the left navigation
- Select the user pool you want to update
- Click the App integration tab
- Scroll down to App clients and analytics and click on the app client name
- Click Edit in the App client information section
- Scroll to Advanced authentication settings
- Find Token revocation and ensure it is set to Enabled
- Click Save changes
Repeat for each app client in your user pool.
AWS CLI (optional)
Enable Token Revocation via CLI
First, list your user pools to find the pool ID:
```bash
aws cognito-idp list-user-pools \
  --max-results 20 \
  --region us-east-1
```
Then list the app clients for that user pool:
```bash
aws cognito-idp list-user-pool-clients \
  --user-pool-id <USER_POOL_ID> \
  --region us-east-1
```
Enable token revocation for an app client:
```bash
aws cognito-idp update-user-pool-client \
  --user-pool-id <USER_POOL_ID> \
  --client-id <CLIENT_ID> \
  --enable-token-revocation \
  --region us-east-1
```
Important: The update-user-pool-client command replaces the entire configuration. If you only pass --enable-token-revocation, other settings may revert to defaults. To preserve existing settings, first describe the client, then include all current settings in your update command.
To safely update while preserving settings:
```bash
# Get current configuration
aws cognito-idp describe-user-pool-client \
  --user-pool-id <USER_POOL_ID> \
  --client-id <CLIENT_ID> \
  --region us-east-1 \
  --query 'UserPoolClient' > client-config.json
# Modify the JSON to set EnableTokenRevocation to true
# Then update using the modified config
```
CloudFormation (optional)
CloudFormation Template
Use this template to create a Cognito User Pool with token revocation enabled:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito User Pool with Token Revocation Enabled

Parameters:
  UserPoolName:
    Type: String
    Default: my-user-pool
    Description: Name of the Cognito User Pool
  AppClientName:
    Type: String
    Default: my-app-client
    Description: Name of the App Client

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Ref UserPoolName

  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: !Ref AppClientName
      UserPoolId: !Ref UserPool
      EnableTokenRevocation: true
      RefreshTokenValidity: 30
      AccessTokenValidity: 1
      IdTokenValidity: 1
      TokenValidityUnits:
        RefreshToken: days
        AccessToken: hours
        IdToken: hours
      ExplicitAuthFlows:
        - ALLOW_REFRESH_TOKEN_AUTH
        - ALLOW_USER_SRP_AUTH

Outputs:
  UserPoolId:
    Description: The User Pool ID
    Value: !Ref UserPool
    Export:
      Name: !Sub '${AWS::StackName}-UserPoolId'
  UserPoolClientId:
    Description: The User Pool Client ID
    Value: !Ref UserPoolClient
    Export:
      Name: !Sub '${AWS::StackName}-UserPoolClientId'
```
Deploy the stack:
```bash
aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name cognito-secure-pool \
  --region us-east-1
```
Terraform (optional)
Terraform Configuration
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_cognito_user_pool" "main" {
  name = "my-user-pool"
}

resource "aws_cognito_user_pool_client" "main" {
  name         = "my-app-client"
  user_pool_id = aws_cognito_user_pool.main.id

  enable_token_revocation = true

  # Token validity settings
  refresh_token_validity = 30
  access_token_validity  = 1
  id_token_validity      = 1

  token_validity_units {
    refresh_token = "days"
    access_token  = "hours"
    id_token      = "hours"
  }

  explicit_auth_flows = [
    "ALLOW_REFRESH_TOKEN_AUTH",
    "ALLOW_USER_SRP_AUTH"
  ]
}

output "user_pool_id" {
  value = aws_cognito_user_pool.main.id
}

output "client_id" {
  value = aws_cognito_user_pool_client.main.id
}
```
Apply the configuration:
```bash
terraform init
terraform apply
```
Verification
After making changes, verify token revocation is enabled:
In the Console: Navigate to your app client and confirm Token revocation shows as Enabled under Advanced authentication settings.
CLI verification
```bash
aws cognito-idp describe-user-pool-client \
  --user-pool-id <USER_POOL_ID> \
  --client-id <CLIENT_ID> \
  --region us-east-1 \
  --query 'UserPoolClient.EnableTokenRevocation'
```
The output should be true.
To check all clients in a user pool:
```bash
# List all client IDs
CLIENT_IDS=$(aws cognito-idp list-user-pool-clients \
  --user-pool-id <USER_POOL_ID> \
  --region us-east-1 \
  --query 'UserPoolClients[].ClientId' \
  --output text)

# Check each client
for CLIENT_ID in $CLIENT_IDS; do
  echo "Client: $CLIENT_ID"
  aws cognito-idp describe-user-pool-client \
    --user-pool-id <USER_POOL_ID> \
    --client-id "$CLIENT_ID" \
    --region us-east-1 \
    --query 'UserPoolClient.EnableTokenRevocation'
done
```
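The "describe, modify, update" step from the CLI section and the per-client check above, combined into one script as an added example (not part of the original page). The two pure functions work on the same JSON shapes the CLI returns and run offline; `audit_and_fix` assumes boto3 with credentials from the environment, and `READ_ONLY_FIELDS` is this example's own list of describe-only fields that must be stripped before the configuration is sent back.

```python
"""Audit Cognito app clients for token revocation and build a safe, full update request."""

# DescribeUserPoolClient returns these fields, but UpdateUserPoolClient does not accept
# them; passing them back causes a validation error, so they are dropped first.
READ_ONLY_FIELDS = {"ClientSecret", "LastModifiedDate", "CreationDate"}


def clients_missing_revocation(described_clients):
    """Return the ClientIds whose EnableTokenRevocation is not True.

    Input: list of UserPoolClient dicts (the `UserPoolClient` value from
    DescribeUserPoolClient). An absent key is treated as disabled (fail closed).
    """
    return [c["ClientId"] for c in described_clients
            if c.get("EnableTokenRevocation") is not True]


def build_update_request(described_client):
    """Turn a DescribeUserPoolClient result into a complete UpdateUserPoolClient
    request: every current setting is carried over (so nothing reverts to its
    default) and only EnableTokenRevocation is changed."""
    request = {k: v for k, v in described_client.items() if k not in READ_ONLY_FIELDS}
    request["EnableTokenRevocation"] = True
    return request


def audit_and_fix(user_pool_id, region="us-east-1", dry_run=True):
    """Describe every app client in the pool and enable revocation where it is off.
    Returns the ClientIds that were updated (or, in dry_run mode, would be)."""
    import boto3  # imported here so the pure functions above need no AWS SDK
    idp = boto3.client("cognito-idp", region_name=region)
    described, kwargs = [], {"UserPoolId": user_pool_id, "MaxResults": 60}
    while True:  # ListUserPoolClients pages with NextToken
        page = idp.list_user_pool_clients(**kwargs)
        for summary in page["UserPoolClients"]:
            described.append(idp.describe_user_pool_client(
                UserPoolId=user_pool_id, ClientId=summary["ClientId"])["UserPoolClient"])
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    to_fix = clients_missing_revocation(described)
    if not dry_run:
        for client in described:
            if client["ClientId"] in to_fix:
                idp.update_user_pool_client(**build_update_request(client))
    return to_fix
```

Run with `dry_run=True` first to get the list of non-compliant clients, then with `dry_run=False` to apply the full-configuration update to only those clients.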
Additional Resources
- Amazon Cognito User Pools App Clients
- Revoking Tokens
- AWS::Cognito::UserPoolClient CloudFormation Reference
- Terraform aws_cognito_user_pool_client Resource
Notes
- Apply to all app clients: Each user pool can have multiple app clients. Ensure token revocation is enabled on all clients, not just one.
- New clients default to enabled: As of recent AWS updates, new app clients have token revocation enabled by default. However, older clients may have it disabled.
- No service interruption: Enabling token revocation does not affect currently active sessions or require user re-authentication.
- Combine with short token lifetimes: For defense in depth, also consider reducing your access token validity period (e.g., 1 hour instead of the default).
- Implement sign-out properly: Token revocation only takes effect when your application calls the RevokeToken or GlobalSignOut API. Ensure your application invokes one of these when users sign out.