Ensure Cognito User Pool Has Password Policy to Require at Least One Lowercase Letter

Overview

This check validates that your Amazon Cognito user pools enforce a password policy requiring at least one lowercase letter. Strong password policies help protect user accounts from unauthorized access.

Risk

Without requiring lowercase letters, passwords become easier for attackers to guess or crack through brute-force attacks. Weak passwords can lead to:

  • Account takeover by malicious actors
  • Unauthorized access to user data and authentication tokens
  • Compromised user profiles and sensitive information

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify Cognito user pools, OR
  • AWS CLI installed and configured with appropriate credentials

AWS Console Method

  1. Open the Amazon Cognito console
  2. Select the user pool you want to update
  3. Click on the Sign-in experience tab
  4. Scroll down to Password policy and click Edit
  5. Under Password requirements, check the box for Requires lowercase
  6. Click Save changes

AWS CLI (optional)

Use the following command to update your user pool's password policy to require lowercase letters.

Important: The update-user-pool command resets any setting you omit from the call to its default. First retrieve your current configuration, then include those existing values in the update.

Get current user pool configuration:

aws cognito-idp describe-user-pool \
--user-pool-id <your-user-pool-id> \
--region us-east-1 \
--query 'UserPool.Policies.PasswordPolicy'

Update the password policy:

aws cognito-idp update-user-pool \
--user-pool-id <your-user-pool-id> \
--region us-east-1 \
--policies "PasswordPolicy={MinimumLength=8,RequireLowercase=true,RequireUppercase=true,RequireNumbers=true,RequireSymbols=true}"

Replace <your-user-pool-id> with your actual user pool ID (format: us-east-1_xxxxxxxxx).

CloudFormation (optional)

Use this CloudFormation template to create a Cognito User Pool with a strong password policy that includes the lowercase requirement.

AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito User Pool with lowercase password requirement

Parameters:
  UserPoolName:
    Type: String
    Default: MyUserPool
    Description: Name for the Cognito User Pool

Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Ref UserPoolName
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireUppercase: true
          RequireNumbers: true
          RequireSymbols: true

Outputs:
  UserPoolId:
    Description: The ID of the Cognito User Pool
    Value: !Ref CognitoUserPool
  UserPoolArn:
    Description: The ARN of the Cognito User Pool
    Value: !GetAtt CognitoUserPool.Arn

Deploy the template:

aws cloudformation deploy \
--template-file template.yaml \
--stack-name cognito-secure-pool \
--region us-east-1

Terraform (optional)

Use this Terraform configuration to create or update a Cognito User Pool with the lowercase password requirement.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "user_pool_name" {
  description = "Name for the Cognito User Pool"
  type        = string
  default     = "my-user-pool"
}

resource "aws_cognito_user_pool" "main" {
  name = var.user_pool_name

  password_policy {
    minimum_length                   = 8
    require_lowercase                = true
    require_uppercase                = true
    require_numbers                  = true
    require_symbols                  = true
    temporary_password_validity_days = 7
  }

  tags = {
    Environment = "production"
  }
}

output "user_pool_id" {
  description = "The ID of the Cognito User Pool"
  value       = aws_cognito_user_pool.main.id
}

output "user_pool_arn" {
  description = "The ARN of the Cognito User Pool"
  value       = aws_cognito_user_pool.main.arn
}

Apply the configuration:

terraform init
terraform plan
terraform apply

Verification

After making changes, verify that the password policy now requires lowercase letters:

  1. In the AWS Console, navigate to your user pool and check the Sign-in experience tab
  2. Under Password policy, confirm that Requires lowercase is enabled

CLI verification

aws cognito-idp describe-user-pool \
--user-pool-id <your-user-pool-id> \
--region us-east-1 \
--query 'UserPool.Policies.PasswordPolicy.RequireLowercase'

The output should be true.
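As an added example (not part of this page, the AWS CLI or any AWS tooling), the Python below performs the verification above on a describe-user-pool response and builds the merged PasswordPolicy that the Important note in the CLI section calls for, so the update call carries existing values forward instead of dropping them. The sample response is constructed, the helper names are my own, only audit_live_pool touches boto3, and the merge covers the PasswordPolicy block alone; other user pool attributes must be carried through the same way.

```python
"""Audit a Cognito PasswordPolicy and build a merge-style remediation."""
import json

# The page recommends all four complexity flags plus a minimum length of 8.
REQUIRED_FLAGS = ("RequireLowercase", "RequireUppercase", "RequireNumbers", "RequireSymbols")
MIN_LENGTH = 8

# Constructed sample of a describe-user-pool response for a weak pool (not real data).
SAMPLE_DESCRIBE_RESPONSE = json.loads("""
{"UserPool": {"Id": "us-east-1_EXAMPLE01", "Name": "example-pool",
 "Policies": {"PasswordPolicy": {"MinimumLength": 12, "RequireLowercase": false,
 "RequireUppercase": true, "RequireNumbers": true, "RequireSymbols": false,
 "TemporaryPasswordValidityDays": 3}}}}
""")

def password_policy(describe_response):
    """Extract PasswordPolicy; a pool with none configured yields {} here."""
    return describe_response.get("UserPool", {}).get("Policies", {}).get("PasswordPolicy", {})

def find_weaknesses(policy):
    """Return the requirements the policy fails; an empty list means compliant."""
    failures = [flag for flag in REQUIRED_FLAGS if not policy.get(flag, False)]
    if policy.get("MinimumLength", 0) < MIN_LENGTH:
        failures.append("MinimumLength")
    return failures

def remediated_policy(policy):
    """Carry every existing key forward and tighten only what fails.
    update-user-pool resets settings it is not given, so the block is never
    rebuilt from scratch: TemporaryPasswordValidityDays and a stricter
    MinimumLength survive unchanged."""
    fixed = dict(policy)
    for flag in REQUIRED_FLAGS:
        fixed[flag] = True
    fixed["MinimumLength"] = max(policy.get("MinimumLength", 0), MIN_LENGTH)
    return fixed

def audit_live_pool(user_pool_id, region="us-east-1"):
    """Fetch a real pool with boto3 (imported here so the rest runs offline)."""
    import boto3
    client = boto3.client("cognito-idp", region_name=region)
    return find_weaknesses(password_policy(client.describe_user_pool(UserPoolId=user_pool_id)))

if __name__ == "__main__":
    current = password_policy(SAMPLE_DESCRIBE_RESPONSE)
    print("failing requirements:", find_weaknesses(current))
    # Save this as policy.json and pass --policies file://policy.json to update-user-pool.
    print(json.dumps({"PasswordPolicy": remediated_policy(current)}, indent=2))
```

On the sample, find_weaknesses reports RequireLowercase and RequireSymbols, and the merged policy keeps MinimumLength 12 and the 3-day temporary password validity rather than resetting them.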

Additional Resources

Notes

  • Existing users are not affected: Changing the password policy only applies to new passwords. Existing users can continue using their current passwords until they change them.
  • Consider all password requirements: For strong security, enable all password complexity requirements (lowercase, uppercase, numbers, and symbols) along with an appropriate minimum length (at least 8 characters).
  • Enable MFA: Password policies work best when combined with multi-factor authentication (MFA) for additional account protection.
  • Defense in depth: Consider implementing rate limiting, account lockout policies, and blocking common passwords for comprehensive protection.