Enable Cognito User Pool Deletion Protection

Overview

This check verifies that Amazon Cognito user pools have deletion protection enabled. While deletion protection is active, Cognito rejects the DeleteUserPool API call for that pool, which guards the user identity and authentication data it stores against accidental or unauthorized deletion.

By default, deletion protection is disabled on new user pools.

Risk

Without deletion protection, any principal allowed to call cognito-idp:DeleteUserPool can permanently delete a user pool in a single API call. This can cause:

  • Immediate authentication outages - All users of the pool lose the ability to sign in
  • Permanent data loss - User identities, password hashes, groups, app clients and pool configuration are gone; Cognito provides no native backup or restore for user pools
  • Application downtime - Any app relying on the pool breaks immediately
  • Difficult recovery - A pool can only be rebuilt from your own exports, which may be stale or nonexistent, and Cognito never exports password hashes, so every user must set a new password

Remediation Steps

Prerequisites

You need:

  • Access to the AWS Console with permissions to modify Cognito user pools (cognito-idp:DescribeUserPool and cognito-idp:UpdateUserPool), OR
  • AWS CLI configured with credentials that carry the same permissions

AWS Console Method

  1. Open the Amazon Cognito console
  2. Select User pools from the left navigation
  3. Click on the user pool you want to protect
  4. Select the User pool properties tab
  5. In the Deletion protection section, click Edit
  6. Toggle deletion protection to Active
  7. Click Save changes

AWS CLI (optional)

Enable Deletion Protection

aws cognito-idp update-user-pool \
--user-pool-id <your-user-pool-id> \
--deletion-protection ACTIVE \
--region us-east-1

Replace <your-user-pool-id> with your actual user pool ID (format: us-east-1_xxxxxxxxx). Do not run this command on its own against a configured pool: update-user-pool resets every attribute you omit, so read the Important Note below first.

Find Your User Pool ID

If you need to find your user pool ID (ListUserPools returns at most 60 pools per call; if the response contains a NextToken, pass it back with --next-token to fetch the remaining pools):

aws cognito-idp list-user-pools \
--max-results 60 \
--region us-east-1

Important Note

The update-user-pool command is a full replacement, not a merge: any attribute you do not specify (password policy, MFA configuration, Lambda triggers, email and SMS settings, account recovery settings and so on) is reset to its default. Running the one-line command above against a pool with a customized configuration will silently weaken it. To preserve existing settings, first describe the pool, then include its current values alongside --deletion-protection ACTIVE in the update:

# Get current configuration
aws cognito-idp describe-user-pool \
--user-pool-id <your-user-pool-id> \
--region us-east-1
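Copying the describe output back into update-user-pool by hand is error prone, because DescribeUserPool also returns read-only fields (Id, Arn, Name, SchemaAttributes, CreationDate, ...) that UpdateUserPool rejects, and still reports the deprecated AdminCreateUserConfig.UnusedAccountValidityDays, which fails the update when sent together with PasswordPolicy.TemporaryPasswordValidityDays. The following script is an added example, not code from the original page or from AWS: it builds an UpdateUserPool request that preserves the current configuration and only flips DeletionProtection. The list of updatable fields, the sample pool (a constructed, trimmed DescribeUserPool response) and the pool ID are assumptions for illustration; the boto3 calls are the documented describe_user_pool and update_user_pool.

```python
"""Enable deletion protection without resetting the rest of the pool.

Added example; the user pool ID, names and sample data below are constructed.
"""
import copy
import json
import sys

# Request fields UpdateUserPool accepts that DescribeUserPool also returns.
# Anything not listed (Id, Arn, Name, SchemaAttributes, CreationDate, ...)
# is read-only or set-at-creation and is rejected by UpdateUserPool.
UPDATABLE_FIELDS = (
    "Policies",
    "LambdaConfig",
    "AutoVerifiedAttributes",
    "SmsVerificationMessage",
    "EmailVerificationMessage",
    "EmailVerificationSubject",
    "VerificationMessageTemplate",
    "SmsAuthenticationMessage",
    "UserAttributeUpdateSettings",
    "MfaConfiguration",
    "DeviceConfiguration",
    "EmailConfiguration",
    "SmsConfiguration",
    "UserPoolTags",
    "AdminCreateUserConfig",
    "UserPoolAddOns",
    "AccountRecoverySetting",
)


def build_update_request(described_pool: dict, deletion_protection: str = "ACTIVE") -> dict:
    """Return kwargs for update_user_pool that keep every current setting."""
    if deletion_protection not in ("ACTIVE", "INACTIVE"):
        raise ValueError("deletion_protection must be ACTIVE or INACTIVE")
    request = {"UserPoolId": described_pool["Id"], "DeletionProtection": deletion_protection}
    for field in UPDATABLE_FIELDS:
        if field in described_pool:
            request[field] = copy.deepcopy(described_pool[field])  # never mutate the input
    # DescribeUserPool still reports the deprecated UnusedAccountValidityDays;
    # sending it alongside PasswordPolicy.TemporaryPasswordValidityDays makes
    # UpdateUserPool fail, so it is dropped here.
    request.get("AdminCreateUserConfig", {}).pop("UnusedAccountValidityDays", None)
    return request


def enable_deletion_protection(user_pool_id: str, region: str) -> dict:
    """Describe the pool, re-apply its configuration with DeletionProtection ACTIVE."""
    import boto3  # imported lazily so build_update_request works without boto3

    client = boto3.client("cognito-idp", region_name=region)
    pool = client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    client.update_user_pool(**build_update_request(pool, "ACTIVE"))
    # Re-read the pool so the caller sees what the API now reports.
    return client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]


# Constructed, trimmed DescribeUserPool output for demonstration (not a real pool).
SAMPLE_POOL = {
    "Id": "us-east-1_EXAMPLE01",
    "Name": "my-user-pool",
    "Arn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE01",
    "DeletionProtection": "INACTIVE",
    "Policies": {
        "PasswordPolicy": {
            "MinimumLength": 12,
            "RequireSymbols": True,
            "TemporaryPasswordValidityDays": 7,
        }
    },
    "MfaConfiguration": "ON",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True, "UnusedAccountValidityDays": 7},
    "SchemaAttributes": [{"Name": "email", "Required": True}],
    "EstimatedNumberOfUsers": 1200,
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python enable_protection.py <user-pool-id> <region>
        print(json.dumps(enable_deletion_protection(sys.argv[1], sys.argv[2]), default=str, indent=2))
    else:  # offline: show the request that would be sent for the sample pool
        print(json.dumps(build_update_request(SAMPLE_POOL), indent=2))
```

Run it offline first to review the request it would send, then with a pool ID and region to apply it. The whitelist is deliberately conservative: a field that is not in UPDATABLE_FIELDS is left out rather than guessed, which surfaces as an API default you can inspect in the printed request before anything is changed.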

CloudFormation (optional)

CloudFormation Template

AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito User Pool with deletion protection enabled

Parameters:
  UserPoolName:
    Type: String
    Description: Name of the Cognito User Pool
    Default: my-user-pool

Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Ref UserPoolName
      DeletionProtection: ACTIVE

Outputs:
  UserPoolId:
    Description: The ID of the Cognito User Pool
    Value: !Ref CognitoUserPool
  UserPoolArn:
    Description: The ARN of the Cognito User Pool
    Value: !GetAtt CognitoUserPool.Arn

Deploy the Template

aws cloudformation deploy \
--template-file cognito-user-pool.yaml \
--stack-name cognito-user-pool-stack \
--region us-east-1

Update Existing Stack

If you have an existing CloudFormation-managed user pool, add the DeletionProtection: ACTIVE property to your template and update the stack; this is an in-place update and does not replace the pool. Note that once it is active, deleting the stack fails at the user pool resource until you set the property back to INACTIVE. For a stack-level safeguard that survives stack deletion, you can additionally set DeletionPolicy: Retain on the resource, which keeps the pool when the stack is removed.

Terraform (optional)

Terraform Configuration

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "user_pool_name" {
  description = "Name of the Cognito User Pool"
  type        = string
  default     = "my-user-pool"
}

resource "aws_cognito_user_pool" "main" {
  name                = var.user_pool_name
  deletion_protection = "ACTIVE"
}

output "user_pool_id" {
  description = "The ID of the Cognito User Pool"
  value       = aws_cognito_user_pool.main.id
}

output "user_pool_arn" {
  description = "The ARN of the Cognito User Pool"
  value       = aws_cognito_user_pool.main.arn
}

Apply the Configuration

terraform init
terraform plan
terraform apply

Update Existing Resource

If you already manage a Cognito user pool with Terraform, add the deletion_protection = "ACTIVE" argument to your existing resource and run terraform apply. The change is an in-place update. Afterwards terraform destroy (or removing the resource from the configuration) fails at the API until the argument is set back to "INACTIVE" and applied; to also have Terraform refuse the plan before it reaches AWS, add a lifecycle { prevent_destroy = true } block to the resource.

Verification

After enabling deletion protection, confirm it is active:

  1. In the AWS Console, go to your user pool and check the User pool properties tab
  2. The Deletion protection status should show Active

Verify with AWS CLI

aws cognito-idp describe-user-pool \
--user-pool-id <your-user-pool-id> \
--query 'UserPool.DeletionProtection' \
--region us-east-1

The output should be:

"ACTIVE"
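Checking one pool by hand does not scale to an account with many pools, and DeletionProtection must be read from DescribeUserPool because ListUserPools only returns summaries. The script below is an added example, not code from the original page: it pages through every user pool in a region (ListUserPools returns at most 60 per page), describes each one and reports those where DeletionProtection is not ACTIVE, treating a missing value as INACTIVE. The sample pool records and IDs are constructed for illustration; the boto3 calls are the documented list_user_pools paginator and describe_user_pool.

```python
"""Report every Cognito user pool in a region without deletion protection.

Added example; the sample pools below are constructed data, not real pools.
"""
import json
import sys
from typing import Iterable, Iterator


def is_protected(pool: dict) -> bool:
    """True only when DescribeUserPool reports DeletionProtection == ACTIVE.

    Any other value, including a missing key, counts as unprotected.
    """
    return pool.get("DeletionProtection") == "ACTIVE"


def find_unprotected(pools: Iterable[dict]) -> list:
    """Return one finding per pool that lacks deletion protection."""
    findings = []
    for pool in pools:
        if not is_protected(pool):
            findings.append(
                {
                    "Id": pool["Id"],
                    "Name": pool.get("Name", ""),
                    "DeletionProtection": pool.get("DeletionProtection", "INACTIVE"),
                    "EstimatedNumberOfUsers": pool.get("EstimatedNumberOfUsers", 0),
                }
            )
    # Largest pools first: these are the ones whose loss would hurt most.
    findings.sort(key=lambda f: f["EstimatedNumberOfUsers"], reverse=True)
    return findings


def describe_all_pools(client) -> Iterator[dict]:
    """Page through ListUserPools (60 per page) and describe each pool."""
    paginator = client.get_paginator("list_user_pools")
    for page in paginator.paginate(PaginationConfig={"PageSize": 60}):
        for summary in page["UserPools"]:
            yield client.describe_user_pool(UserPoolId=summary["Id"])["UserPool"]


def audit_region(region: str) -> list:
    """Run the check against a real account; requires boto3 and AWS credentials."""
    import boto3  # imported lazily so the pure functions above work offline

    client = boto3.client("cognito-idp", region_name=region)
    return find_unprotected(describe_all_pools(client))


# Constructed, trimmed DescribeUserPool records for demonstration.
SAMPLE_POOLS = [
    {"Id": "us-east-1_EXAMPLE01", "Name": "prod-users", "DeletionProtection": "ACTIVE",
     "EstimatedNumberOfUsers": 50000},
    {"Id": "us-east-1_EXAMPLE02", "Name": "staging-users", "DeletionProtection": "INACTIVE",
     "EstimatedNumberOfUsers": 300},
    {"Id": "us-east-1_EXAMPLE03", "Name": "legacy-users",
     "EstimatedNumberOfUsers": 4200},  # no DeletionProtection key at all
]

if __name__ == "__main__":
    # python audit_pools.py us-east-1   -> live audit; no argument -> sample data
    findings = audit_region(sys.argv[1]) if len(sys.argv) == 2 else find_unprotected(SAMPLE_POOLS)
    print(json.dumps(findings, indent=2))
    sys.exit(1 if findings else 0)  # non-zero exit lets CI or a cron job flag drift
```

Run it per region, since user pools are regional; a pool that appears in the output is a candidate for the remediation steps above.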

Additional Resources

Notes

  • No service interruption: Enabling deletion protection does not affect user pool operations or user sign-ins.
  • Can be disabled: If you need to delete a user pool, you must first set deletion protection to INACTIVE with UpdateUserPool and then call DeleteUserPool. Requiring two separate actions is intentional; it stops a single mistaken command or a single over-broad automation run from destroying the pool.
  • IAM permissions still apply: Deletion protection adds a safeguard but does not replace proper IAM permission management. A principal allowed both cognito-idp:UpdateUserPool and cognito-idp:DeleteUserPool can still remove the pool in two calls, so follow least privilege for who can modify user pool settings and consider denying DeleteUserPool outside a break-glass role.
  • Compliance frameworks: This control supports C5 and KISA-ISMS-P compliance requirements.