Cognito User Pool Password Policy Requires at Least One Number
Overview
This check verifies that your Amazon Cognito user pool password policy requires users to include at least one numeric character (0-9) in their passwords. Requiring numbers is a fundamental password strength requirement that helps protect user accounts.
Risk
Without requiring numbers in passwords, your user pool is more vulnerable to:
- Brute force attacks - Simpler passwords are easier to guess
- Credential stuffing - Attackers try common passwords that often lack numbers
- Account takeover - Compromised accounts can access your protected APIs and data
A successful attack could lead to unauthorized access to user data and protected resources.
Remediation Steps
Prerequisites
You need:
- Access to the AWS Console with permissions to modify Cognito user pools, OR
- AWS CLI configured with appropriate permissions
Required IAM permissions
Your IAM user or role needs the following permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-idp:DescribeUserPool",
        "cognito-idp:UpdateUserPool"
      ],
      "Resource": "arn:aws:cognito-idp:*:*:userpool/*"
    }
  ]
}
```
AWS Console Method
- Open the Amazon Cognito console
- Click User pools in the left navigation
- Select the user pool you want to update
- Click the Sign-in experience tab
- In the Password policy section, click Edit
- Under Password requirements, check the box for Requires at least one number
- Click Save changes
AWS CLI
Important: The update-user-pool command replaces the entire password policy configuration. First, retrieve your current settings to avoid overwriting other password requirements.
Step 1: Get current password policy
```bash
aws cognito-idp describe-user-pool \
  --user-pool-id <your-user-pool-id> \
  --region us-east-1 \
  --query 'UserPool.Policies.PasswordPolicy'
```
Step 2: Update password policy to require numbers
If you want to require numbers while keeping other reasonable defaults:
```bash
aws cognito-idp update-user-pool \
  --user-pool-id <your-user-pool-id> \
  --region us-east-1 \
  --policies '{
    "PasswordPolicy": {
      "MinimumLength": 8,
      "RequireNumbers": true,
      "RequireLowercase": true,
      "RequireUppercase": true,
      "RequireSymbols": false
    }
  }'
```
Replace <your-user-pool-id> with your actual user pool ID (format: us-east-1_xxxxxxxxx).
Minimal update (numbers only)
If you only want to enable the numbers requirement:
```bash
aws cognito-idp update-user-pool \
  --user-pool-id <your-user-pool-id> \
  --region us-east-1 \
  --policies '{"PasswordPolicy":{"RequireNumbers":true}}'
```
Warning: This minimal command may reset other password policy settings to defaults. Always verify your full policy after making changes.
CloudFormation
Use this CloudFormation template to create or update a Cognito user pool with a password policy that requires numbers:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito User Pool with password policy requiring numbers
Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: example-user-pool
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireNumbers: true
          RequireLowercase: true
          RequireUppercase: true
          RequireSymbols: false
Outputs:
  UserPoolId:
    Description: The ID of the Cognito User Pool
    Value: !Ref CognitoUserPool
```
Deploy the template:
```bash
aws cloudformation deploy \
  --template-file cognito-user-pool.yaml \
  --stack-name cognito-secure-pool \
  --region us-east-1
```
For existing user pools: If you need to update an existing user pool managed by CloudFormation, add or modify the RequireNumbers: true line in your existing template and redeploy the stack.
Terraform
Use this Terraform configuration to create or update a Cognito user pool with a password policy that requires numbers:
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_cognito_user_pool" "example" {
  name = "example-user-pool"

  password_policy {
    minimum_length    = 8
    require_numbers   = true
    require_lowercase = true
    require_uppercase = true
    require_symbols   = false
  }
}

output "user_pool_id" {
  description = "The ID of the Cognito User Pool"
  value       = aws_cognito_user_pool.example.id
}
```
Deploy:
```bash
terraform init
terraform plan
terraform apply
```
For existing user pools: Add or update the require_numbers = true line in your existing password_policy block and run terraform apply.
Verification
After making changes, verify the password policy is correctly configured:
- In the AWS Console, go to your user pool and check the Sign-in experience tab
- Confirm that Requires at least one number shows as enabled under Password policy
CLI verification
```bash
aws cognito-idp describe-user-pool \
  --user-pool-id <your-user-pool-id> \
  --region us-east-1 \
  --query 'UserPool.Policies.PasswordPolicy.RequireNumbers'
```
This should return true.
Re-run Prowler check:
```bash
prowler aws --checks cognito_user_pool_password_policy_number
```
The check should now pass for your user pool.
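The CLI steps above leave the read-modify-write to the operator, and the "minimal update" warning is where a hand-typed update-user-pool call goes wrong. The script below is an added example (not Prowler's code and not part of this page's original remediation): it reads the current PasswordPolicy, evaluates it the way this check does (RequireNumbers must be true), merges RequireNumbers into the existing settings so MinimumLength, RequireSymbols and the other fields are carried over rather than reset, applies the full policy through the aws CLI, and re-reads it to confirm. The sample policy, the user pool ID `us-east-1_EXAMPLE` and the function names are constructed for the example.

```python
"""Enable RequireNumbers on a Cognito user pool without clobbering the rest of its password policy."""
import json
import subprocess
from typing import Any

# Constructed sample of `describe-user-pool --query UserPool.Policies.PasswordPolicy`
# output for a non-compliant pool (not real output from any account).
SAMPLE_CURRENT_POLICY: dict[str, Any] = {
    "MinimumLength": 12,
    "RequireUppercase": True,
    "RequireLowercase": True,
    "RequireNumbers": False,
    "RequireSymbols": True,
    "TemporaryPasswordValidityDays": 3,
}


def requires_numbers(password_policy: dict[str, Any]) -> bool:
    """True when the policy would pass the check: RequireNumbers is explicitly enabled.

    A missing key is treated as a failure; absence of the field does not prove
    the requirement is enforced, so it is safer to flag it and re-apply.
    """
    return password_policy.get("RequireNumbers") is True


def merged_policy_requiring_numbers(current: dict[str, Any]) -> dict[str, Any]:
    """Build the complete PasswordPolicy to send with update-user-pool.

    Every field already present is copied unchanged and only RequireNumbers is
    forced on. Sending the full object avoids the reset-to-defaults behaviour
    that a policy containing only RequireNumbers would trigger. The input dict
    is not modified.
    """
    merged = dict(current)
    merged["RequireNumbers"] = True
    return merged


def update_user_pool_command(user_pool_id: str, region: str, policy: dict[str, Any]) -> list[str]:
    """Return the argv for the aws CLI call that applies `policy` in full."""
    return [
        "aws", "cognito-idp", "update-user-pool",
        "--user-pool-id", user_pool_id,
        "--region", region,
        "--policies", json.dumps({"PasswordPolicy": policy}),
    ]


def describe_password_policy(user_pool_id: str, region: str) -> dict[str, Any]:
    """Fetch the current PasswordPolicy as a dict via the aws CLI (requires credentials)."""
    result = subprocess.run(
        ["aws", "cognito-idp", "describe-user-pool",
         "--user-pool-id", user_pool_id, "--region", region,
         "--query", "UserPool.Policies.PasswordPolicy", "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def remediate(user_pool_id: str, region: str) -> dict[str, Any]:
    """Read, merge, write, then verify; returns the policy as read back after the update."""
    current = describe_password_policy(user_pool_id, region)
    if requires_numbers(current):
        return current  # already compliant, nothing to change
    subprocess.run(update_user_pool_command(user_pool_id, region,
                                            merged_policy_requiring_numbers(current)), check=True)
    after = describe_password_policy(user_pool_id, region)
    if not requires_numbers(after):
        raise RuntimeError("RequireNumbers still disabled after update-user-pool")
    return after


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no AWS call is made here.
    merged = merged_policy_requiring_numbers(SAMPLE_CURRENT_POLICY)
    print("before:", requires_numbers(SAMPLE_CURRENT_POLICY), "after:", requires_numbers(merged))
    print(" ".join(update_user_pool_command("us-east-1_EXAMPLE", "us-east-1", merged)))
```

Run `remediate("<your-user-pool-id>", "us-east-1")` from a session that holds the DescribeUserPool and UpdateUserPool permissions listed above. One caveat the merge does not cover: UpdateUserPool applies the same "omitted means default" rule to the pool's other attributes, not only to PasswordPolicy, so before using it on a production pool review the full describe-user-pool output and carry over any other settings you rely on.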
Additional Resources
- AWS Cognito User Pool Password Policies
- AWS Cognito Security Best Practices
- AWS CLI cognito-idp update-user-pool Reference
Notes
- Existing users are not affected: Changing the password policy only applies to new passwords. Existing users can continue using their current passwords until they change them.
- Consider a comprehensive policy: For better security, also enable requirements for lowercase letters, uppercase letters, and set a minimum length of at least 8 characters.
- Enable MFA: Password policies are one layer of defense. Consider enabling multi-factor authentication (MFA) for additional protection.
- Related checks: Prowler has similar checks for other password requirements (cognito_user_pool_password_policy_lowercase, cognito_user_pool_password_policy_uppercase, cognito_user_pool_password_policy_symbol, cognito_user_pool_password_policy_minimum_length). Consider addressing all password policy checks together.