Ensure Self Registration is Disabled for Amazon Cognito User Pools

Overview

This check verifies that self-service sign-up is disabled for Amazon Cognito User Pools. When self-registration is enabled, anyone can create an account in your user pool without administrator approval. Disabling self-registration ensures that only administrators can create user accounts, giving you full control over who can access your application.

Risk

When self-registration is enabled, untrusted users can sign up for accounts without any verification or approval process. This creates several security risks:

  • Unauthorized access: Anyone can create an account and potentially access your application
  • Resource abuse: Bad actors could create many accounts to consume resources or harvest tokens
  • Lateral movement: Authenticated users may gain access to connected identity pools and assume roles with elevated permissions
  • Mass registration attacks: Automated bots could flood your user pool with fake accounts

Remediation Steps

Prerequisites

You need access to your AWS account with permissions to modify Cognito User Pools. You can use either the AWS Console (recommended for most users) or the AWS CLI.

Setting up AWS CLI (if needed)

If you prefer using the command line, ensure you have:

  1. AWS CLI installed (installation guide)
  2. Credentials configured with aws configure
  3. Permissions for cognito-idp:UpdateUserPool

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to Amazon Cognito (search for "Cognito" in the search bar)
  3. Click User pools in the left navigation
  4. Select the user pool you want to modify
  5. Click the Sign-up experience tab
  6. Under Self-service sign-up, click Edit
  7. Uncheck Enable self-registration
  8. Click Save changes

Important: After disabling self-registration, users can only be created by administrators. Make sure you have a process in place for onboarding new users.

AWS CLI Method

Run the following command, replacing <USER_POOL_ID> with your actual user pool ID:

aws cognito-idp update-user-pool \
--user-pool-id <USER_POOL_ID> \
--admin-create-user-config AllowAdminCreateUserOnly=true \
--region us-east-1

Warning: update-user-pool replaces the pool's configuration, so any updatable setting you omit from the command is reset to its default. To preserve the existing configuration, first describe the current settings:

aws cognito-idp describe-user-pool \
--user-pool-id <USER_POOL_ID> \
--region us-east-1

Then include any settings you want to preserve in your update command.

CloudFormation Template

Use this template to create a new Cognito User Pool with self-registration disabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito User Pool with self-registration disabled

Resources:
  SecureUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: secure-user-pool
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
        InviteMessageTemplate:
          EmailMessage: "Your username is {username} and temporary password is {####}."
          EmailSubject: "Your temporary password"
          SMSMessage: "Your username is {username} and temporary password is {####}."

Outputs:
  UserPoolId:
    Description: The ID of the Cognito User Pool
    Value: !Ref SecureUserPool
  UserPoolArn:
    Description: The ARN of the Cognito User Pool
    Value: !GetAtt SecureUserPool.Arn

To deploy this template:

aws cloudformation create-stack \
--stack-name secure-cognito-pool \
--template-body file://template.yaml \
--region us-east-1

Terraform Configuration

Use this Terraform configuration to create a Cognito User Pool with self-registration disabled:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_cognito_user_pool" "secure_pool" {
  name = "secure-user-pool"

  admin_create_user_config {
    allow_admin_create_user_only = true

    invite_message_template {
      email_message = "Your username is {username} and temporary password is {####}."
      email_subject = "Your temporary password"
      sms_message   = "Your username is {username} and temporary password is {####}."
    }
  }

  tags = {
    Environment = "production"
  }
}

output "user_pool_id" {
  description = "The ID of the Cognito User Pool"
  value       = aws_cognito_user_pool.secure_pool.id
}

output "user_pool_arn" {
  description = "The ARN of the Cognito User Pool"
  value       = aws_cognito_user_pool.secure_pool.arn
}

To apply this configuration:

terraform init
terraform plan
terraform apply

Verification

After making changes, verify that self-registration is disabled:

  1. In the AWS Console, navigate to your user pool
  2. Click the Sign-up experience tab
  3. Confirm that Self-service sign-up shows as disabled

CLI Verification

Run this command to check the current configuration:

aws cognito-idp describe-user-pool \
--user-pool-id <USER_POOL_ID> \
--query 'UserPool.AdminCreateUserConfig.AllowAdminCreateUserOnly' \
--region us-east-1

The output should be true, indicating that only administrators can create users.
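The two CLI steps above, the settings-preserving update and the verification, can be scripted against the JSON that describe-user-pool returns. The following is an added example written for this page; it is not part of the check's own code or of any AWS tooling. It assumes that the list of updatable parameters (UPDATABLE_KEYS) matches the current UpdateUserPool API reference, and the sample pools it audits are constructed, not real account data.

```python
import copy
import json
import sys

# Parameters that cognito-idp update-user-pool accepts. Assumption: this list
# was taken from the UpdateUserPool API reference at the time of writing;
# confirm it against the current reference, because an unknown key in
# --cli-input-json is rejected and a forgotten key is reset to its default.
UPDATABLE_KEYS = (
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage",
    "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "UserAttributeUpdateSettings",
    "MfaConfiguration", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig",
    "UserPoolAddOns", "AccountRecoverySetting",
)


def self_registration_enabled(pool: dict) -> bool:
    """True when anyone can sign up to the pool described by a
    describe-user-pool 'UserPool' object. A missing AdminCreateUserConfig is
    treated as enabled, because self-registration is the service default."""
    admin_cfg = pool.get("AdminCreateUserConfig") or {}
    return not admin_cfg.get("AllowAdminCreateUserOnly", False)


def audit_user_pools(pools: list) -> list:
    """One PASS/FAIL finding per pool, in the shape a compliance check reports."""
    findings = []
    for pool in pools:
        enabled = self_registration_enabled(pool)
        findings.append({
            "pool_id": pool["Id"],
            "status": "FAIL" if enabled else "PASS",
            "status_extended": (
                f"User pool {pool['Name']} allows self-registration."
                if enabled else
                f"User pool {pool['Name']} only allows administrators to create users."
            ),
        })
    return findings


def build_update_payload(describe_output: dict) -> dict:
    """Build the JSON for 'update-user-pool --cli-input-json' from a
    describe-user-pool response: carry over every updatable setting and switch
    AllowAdminCreateUserOnly on. Read-only fields (Arn, Status, counts) are
    dropped. The input dict is not modified."""
    pool = describe_output["UserPool"]
    payload = {"UserPoolId": pool["Id"]}
    for key in UPDATABLE_KEYS:
        if key in pool:
            payload[key] = copy.deepcopy(pool[key])
    admin_cfg = payload.setdefault("AdminCreateUserConfig", {})
    admin_cfg["AllowAdminCreateUserOnly"] = True
    # describe-user-pool can echo the deprecated UnusedAccountValidityDays; the
    # update is rejected when it is sent together with
    # Policies.PasswordPolicy.TemporaryPasswordValidityDays, so drop it and let
    # the password policy govern temporary-password expiry.
    admin_cfg.pop("UnusedAccountValidityDays", None)
    return payload


def render_cli_input_json(describe_output: dict) -> str:
    return json.dumps(build_update_payload(describe_output), indent=2)


# Constructed sample of a describe-user-pool response (not real account data).
SAMPLE_DESCRIBE_OUTPUT = {
    "UserPool": {
        "Id": "us-east-1_EXAMPLE01",
        "Name": "open-signup-pool",
        "Arn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE01",
        "Policies": {"PasswordPolicy": {"MinimumLength": 12, "TemporaryPasswordValidityDays": 7}},
        "MfaConfiguration": "ON",
        "AutoVerifiedAttributes": ["email"],
        "AdminCreateUserConfig": {
            "AllowAdminCreateUserOnly": False,
            "UnusedAccountValidityDays": 7,
            "InviteMessageTemplate": {"EmailSubject": "Your temporary password"},
        },
        "EstimatedNumberOfUsers": 42,
    }
}

# Constructed pools for the audit: explicitly open, never configured, admin-only.
SAMPLE_POOLS = [
    SAMPLE_DESCRIBE_OUTPUT["UserPool"],
    {"Id": "us-east-1_EXAMPLE02", "Name": "legacy-pool"},
    {"Id": "us-east-1_EXAMPLE03", "Name": "admin-only-pool",
     "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}},
]

if __name__ == "__main__":
    # With a file argument, convert a saved describe-user-pool response into the
    # update payload; without one, run the audit over the constructed pools.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(render_cli_input_json(json.load(fh)))
    else:
        for finding in audit_user_pools(SAMPLE_POOLS):
            print(finding["status"], finding["pool_id"], finding["status_extended"])
```

To use it for remediation, save the describe-user-pool output to a file (`aws cognito-idp describe-user-pool --user-pool-id <USER_POOL_ID> --region us-east-1 > pool.json`), run the script with that file as its argument and redirect the result to update.json, review the diff against the current settings, then apply it with `aws cognito-idp update-user-pool --cli-input-json file://update.json --region us-east-1`. For the audit, list-user-pools does not return AdminCreateUserConfig, so describe each pool and pass the resulting UserPool objects to audit_user_pools; a pool that never had the setting written is reported as FAIL, matching the `--query` verification above returning null rather than true.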

Additional Resources

Notes

  • Existing users are not affected: Disabling self-registration does not remove or disable existing user accounts.
  • Plan for user onboarding: Before disabling self-registration, ensure you have a process for administrators to create new user accounts when needed.
  • Consider alternatives: If you need some level of self-service registration, consider implementing:
    • Email or phone verification requirements
    • Multi-factor authentication (MFA)
    • CAPTCHA or bot protection
    • Manual approval workflows
  • Compliance: This check maps to the KISA-ISMS-P framework for Korean information security management.