Ensure Cognito User Pool Password Policy Requires Uppercase Letters
Overview
This check verifies that your Amazon Cognito user pools require at least one uppercase letter in user passwords. Strong password policies are a fundamental security control that helps protect user accounts from unauthorized access.
Risk
Without an uppercase-character requirement, passwords are easier to guess or crack through brute-force attacks. Weak passwords can lead to:
- Account takeover and unauthorized access
- Data breaches affecting your users
- Compliance violations for security standards
Severity: Medium
Remediation Steps
Prerequisites
You need permission to modify Cognito user pools in your AWS account. Specifically, you need the cognito-idp:UpdateUserPool permission.
AWS Console Method
- Open the Amazon Cognito console
- Choose User pools from the left navigation
- Select the user pool you want to update
- Go to the Sign-in experience tab
- Under Password policy, click Edit
- Check the box for Requires at least one uppercase letter
- Click Save changes
AWS CLI Method
Update an existing user pool to require uppercase letters:
aws cognito-idp update-user-pool \
  --user-pool-id <your-user-pool-id> \
  --region us-east-1 \
  --policies PasswordPolicy="{MinimumLength=8,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=true}"
Replace <your-user-pool-id> with your actual user pool ID (format: us-east-1_xxxxxxxxx).
Important: update-user-pool resets any password policy attribute you omit to its default value. Always include every password policy setting you want to preserve, not just RequireUppercase.
To first check your current password policy:
aws cognito-idp describe-user-pool \
  --user-pool-id <your-user-pool-id> \
  --region us-east-1 \
  --query 'UserPool.Policies.PasswordPolicy'
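As an added example (not code from the Prowler documentation or from AWS), the following Python helper evaluates the JSON that the describe-user-pool command above returns against this check and builds a complete --policies payload, so that update-user-pool does not silently reset the fields you did not mention. The sample policy is constructed; in practice you would paste in the real describe output or fetch it with boto3.

```python
"""Audit a Cognito PasswordPolicy and build a safe update payload (offline)."""
import json

# What this check (and the page's recommendation) expects to see.
REQUIRED = {
    "RequireUppercase": True,
    "RequireLowercase": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
}
MIN_LENGTH = 8


def evaluate_policy(policy: dict) -> list[str]:
    """Return findings for a describe-user-pool PasswordPolicy; empty list = pass."""
    findings = []
    for key, wanted in REQUIRED.items():
        if policy.get(key, False) != wanted:
            findings.append(f"{key} should be {str(wanted).lower()}")
    if policy.get("MinimumLength", 0) < MIN_LENGTH:
        findings.append(f"MinimumLength should be >= {MIN_LENGTH}")
    return findings


def build_update_policy(current: dict, changes: dict) -> dict:
    """Merge the desired changes into the FULL current policy, because
    update-user-pool resets every attribute that is left out of --policies."""
    merged = dict(current)          # copy; do not mutate the describe output
    merged.update(changes)
    return merged


def to_cli_shorthand(policy: dict) -> str:
    """Render a policy in the --policies shorthand syntax used on this page."""
    body = ",".join(
        f"{k}={str(v).lower() if isinstance(v, bool) else v}" for k, v in policy.items()
    )
    return f'PasswordPolicy="{{{body}}}"'


# Constructed sample of `--query UserPool.Policies.PasswordPolicy` output:
# a pool with a long minimum length but no uppercase or symbol requirement.
SAMPLE_POLICY = json.loads("""{
  "MinimumLength": 12, "RequireUppercase": false, "RequireLowercase": true,
  "RequireNumbers": true, "RequireSymbols": false, "TemporaryPasswordValidityDays": 3
}""")

if __name__ == "__main__":
    print("findings:", evaluate_policy(SAMPLE_POLICY))
    fixed = build_update_policy(SAMPLE_POLICY, {"RequireUppercase": True})
    print("aws cognito-idp update-user-pool ... --policies", to_cli_shorthand(fixed))
```

Note that the merged payload keeps MinimumLength=12 and the temporary-password validity from the existing pool; the hand-written command above would have overwritten them with 8 and the default.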
CloudFormation Template
Use this template to create a new user pool with a strong password policy, or update an existing stack:
AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito User Pool with password policy requiring uppercase letters
Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: SecureUserPool
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireUppercase: true
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
      MfaConfiguration: 'OFF'
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
Outputs:
  UserPoolId:
    Description: The ID of the Cognito User Pool
    Value: !Ref CognitoUserPool
  UserPoolArn:
    Description: The ARN of the Cognito User Pool
    Value: !GetAtt CognitoUserPool.Arn
Deploy the template:
aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name cognito-secure-pool \
  --region us-east-1
Terraform Configuration
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_cognito_user_pool" "main" {
  name = "secure-user-pool"

  password_policy {
    minimum_length                   = 8
    require_uppercase                = true
    require_lowercase                = true
    require_numbers                  = true
    require_symbols                  = true
    temporary_password_validity_days = 7
  }

  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
  }

  tags = {
    Environment = "production"
  }
}

output "user_pool_id" {
  description = "The ID of the Cognito User Pool"
  value       = aws_cognito_user_pool.main.id
}

output "user_pool_arn" {
  description = "The ARN of the Cognito User Pool"
  value       = aws_cognito_user_pool.main.arn
}
Apply the configuration:
terraform init
terraform plan
terraform apply
Verification
After making changes, verify that uppercase letters are now required:
- In the AWS Console, navigate to your user pool and check the Sign-in experience tab
- Confirm that "Requires at least one uppercase letter" is enabled
CLI Verification
aws cognito-idp describe-user-pool \
  --user-pool-id <your-user-pool-id> \
  --region us-east-1 \
  --query 'UserPool.Policies.PasswordPolicy.RequireUppercase'
This should return true.
Additional Resources
- AWS Cognito User Pool Settings and Policies
- Password Policy Best Practices
- Prowler Check Documentation
Notes
- Existing users are not affected: a changed password policy is enforced only when a password is set or changed. Existing users keep their current passwords, and those passwords are not re-checked until the user next changes them.
- Consider all password requirements together: For best security, enable all password complexity requirements (uppercase, lowercase, numbers, symbols) and set an appropriate minimum length (8+ characters recommended).
- Layer your defenses: Password policies are just one layer. Consider also enabling MFA, setting up account lockout policies, and monitoring for suspicious sign-in activity.
- Compliance frameworks: This control helps satisfy requirements in C5, KISA-ISMS-P, and NIS2 frameworks.