
Ensure Cognito User Pool Password Policy Requires Minimum Length of 14

Overview

This check verifies that your Amazon Cognito user pools enforce a minimum password length of 14 characters. Strong password requirements are a fundamental security control that protects user accounts from unauthorized access.

Risk

When password policies allow short passwords, user accounts become vulnerable to:

  • Brute force attacks: Shorter passwords have fewer possible combinations, making them faster to crack
  • Password spraying: Attackers try common short passwords across many accounts
  • Credential stuffing: Compromised passwords from other breaches are often short and simple

A successful account compromise can lead to data exposure, unauthorized actions, and potential access to connected systems.

Remediation Steps

Prerequisites

You need access to your AWS account with permissions to modify Cognito user pools. Specifically, you need the cognito-idp:UpdateUserPool permission.

Required IAM permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-idp:DescribeUserPool",
        "cognito-idp:UpdateUserPool"
      ],
      "Resource": "arn:aws:cognito-idp:us-east-1:*:userpool/*"
    }
  ]
}

AWS Console Method

  1. Open the Amazon Cognito console
  2. Choose User pools from the left navigation
  3. Select the user pool you want to update
  4. Go to the Sign-in experience tab
  5. Under Password policy, click Edit
  6. Set Minimum password length to 14 (or higher)
  7. Optionally enable other requirements (uppercase, lowercase, numbers, symbols)
  8. Click Save changes

AWS CLI (optional)

First, identify your user pool ID:

aws cognito-idp list-user-pools --max-results 10 --region us-east-1

Update the password policy to require a minimum length of 14:

aws cognito-idp update-user-pool \
  --user-pool-id <your-user-pool-id> \
  --policies "PasswordPolicy={MinimumLength=14,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=true}" \
  --region us-east-1

Replace <your-user-pool-id> with your actual user pool ID (e.g., us-east-1_ABC123xyz).

Important: The update-user-pool command will reset any unspecified settings to their defaults. If you have custom configurations (MFA, email settings, etc.), include them in your command or use the console method.

To preserve existing settings, first describe the current configuration:

aws cognito-idp describe-user-pool \
  --user-pool-id <your-user-pool-id> \
  --region us-east-1

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito User Pool with strong password policy

Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: MySecureUserPool
      Policies:
        PasswordPolicy:
          MinimumLength: 14
          RequireLowercase: true
          RequireUppercase: true
          RequireNumbers: true
          RequireSymbols: true

Outputs:
  UserPoolId:
    Description: The ID of the Cognito User Pool
    Value: !Ref CognitoUserPool
  UserPoolArn:
    Description: The ARN of the Cognito User Pool
    Value: !GetAtt CognitoUserPool.Arn

Deploy the template:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name cognito-secure-pool \
  --region us-east-1

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_cognito_user_pool" "example" {
  name = "my-secure-user-pool"

  password_policy {
    minimum_length                   = 14
    require_lowercase                = true
    require_uppercase                = true
    require_numbers                  = true
    require_symbols                  = true
    temporary_password_validity_days = 7
  }
}

output "user_pool_id" {
  description = "The ID of the Cognito User Pool"
  value       = aws_cognito_user_pool.example.id
}

output "user_pool_arn" {
  description = "The ARN of the Cognito User Pool"
  value       = aws_cognito_user_pool.example.arn
}

Apply the configuration:

terraform init
terraform plan
terraform apply

Verification

After making changes, verify the password policy is correctly configured:

  1. In the Cognito console, select your user pool
  2. Go to the Sign-in experience tab
  3. Confirm the Minimum password length shows 14 or higher

CLI verification

aws cognito-idp describe-user-pool \
  --user-pool-id <your-user-pool-id> \
  --query 'UserPool.Policies.PasswordPolicy' \
  --region us-east-1

Expected output should show MinimumLength of 14 or greater:

{
  "MinimumLength": 14,
  "RequireUppercase": true,
  "RequireLowercase": true,
  "RequireNumbers": true,
  "RequireSymbols": true
}
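As an added example that is not part of this page, the following Python script implements the verification above with boto3 (flagging pools whose MinimumLength is below 14) and builds an UpdateUserPool request that carries over existing settings such as MFA and email configuration, so the reset behaviour noted in the CLI section does not bite. The carry-over parameter list, the sample pool description and the function names are assumptions of this example.

```python
"""Cognito password-policy check plus a non-destructive UpdateUserPool builder.
Added example, not the page's own code; boto3 is needed only by audit_region."""
REQUIRED_MIN_LENGTH = 14

# UpdateUserPool parameters copied from describe-user-pool so the update does not
# reset them. Assumption: a subset; compare it against the UpdateUserPool API reference.
CARRY_OVER = (
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "MfaConfiguration", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig",
    "AccountRecoverySetting", "VerificationMessageTemplate",
)

def password_policy_finding(user_pool):
    """Return (status, detail) for one DescribeUserPool 'UserPool' dict."""
    policy = user_pool.get("Policies", {}).get("PasswordPolicy", {})
    length = policy.get("MinimumLength", 0)  # missing policy counts as weak
    if length >= REQUIRED_MIN_LENGTH:
        return "PASS", f"minimum length {length}"
    return "FAIL", f"minimum length {length} < {REQUIRED_MIN_LENGTH}"

def build_update_params(user_pool):
    """UpdateUserPool kwargs that raise MinimumLength to 14 and keep the rest."""
    params = {k: user_pool[k] for k in CARRY_OVER if k in user_pool}
    params["UserPoolId"] = user_pool["Id"]
    policy = dict(params.get("Policies", {}).get("PasswordPolicy", {}))
    policy["MinimumLength"] = max(policy.get("MinimumLength", 0), REQUIRED_MIN_LENGTH)
    params["Policies"] = {**params.get("Policies", {}), "PasswordPolicy": policy}
    return params

# Constructed sample shaped like describe-user-pool output (not a real pool).
SAMPLE_WEAK_POOL = {
    "Id": "us-east-1_EXAMPLE1",
    "Policies": {"PasswordPolicy": {"MinimumLength": 8, "RequireSymbols": False}},
    "MfaConfiguration": "OPTIONAL",
    "LastModifiedDate": "2024-01-01T00:00:00Z",  # read-only, must not be sent
}

def audit_region(region="us-east-1"):
    """Evaluate every pool in a region (needs boto3 and AWS credentials)."""
    import boto3
    client = boto3.client("cognito-idp", region_name=region)
    findings = []
    for page in client.get_paginator("list_user_pools").paginate(MaxResults=60):
        for pool in page["UserPools"]:
            detail = client.describe_user_pool(UserPoolId=pool["Id"])["UserPool"]
            findings.append((pool["Id"], *password_policy_finding(detail)))
    return findings
```

Pass the dict returned by build_update_params as keyword arguments to client.update_user_pool after reviewing it, since any setting not in CARRY_OVER will still be reset.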

Additional Resources

Notes

  • Existing users are not affected: Changing the password policy only applies to new passwords. Existing users can continue using their current passwords until they change them.
  • Consider user experience: While longer passwords are more secure, ensure your users understand the requirements. Consider providing password strength feedback in your application.
  • Pair with MFA: A strong password policy is most effective when combined with multi-factor authentication (MFA).
  • Password history: Consider enabling password history to prevent users from reusing recent passwords.
  • Compliance frameworks: This control helps meet requirements in C5, KISA-ISMS-P, and NIS2 compliance frameworks.