
Ensure Temporary Password Expiration is 7 Days or Less

Overview

This check verifies that each Amazon Cognito user pool's password policy sets TemporaryPasswordValidityDays to 7 or fewer. Temporary passwords are issued when an administrator creates a user (AdminCreateUser, or Create user in the console) or sets a non-permanent password with AdminSetUserPassword; the user is placed in FORCE_CHANGE_PASSWORD status and must replace the temporary password at first sign-in. Once the validity period passes, the temporary password can no longer be used to sign in and an administrator has to reissue it. A shorter window limits how long such a credential, which is typically delivered by email or SMS, remains usable.

Risk

When temporary passwords remain valid for too long, you increase the window for potential misuse:

  • An attacker who intercepts the delivery message (email, SMS) or finds it later in a mailbox or message history has more time to use it
  • Invitations that are never acted on leave accounts sitting in FORCE_CHANGE_PASSWORD with a live credential that can be discovered and exploited later
  • Users feel no pressure to complete first sign-in promptly, so accounts stay in that state longer

Setting expiration to 7 days or less ensures temporary credentials are short-lived and encourages users to complete their account setup promptly.

Remediation Steps

Prerequisites

You need permission to read and modify Cognito user pool settings: cognito-idp:UpdateUserPool to change the policy, and cognito-idp:DescribeUserPool to retrieve the current configuration and to verify the change afterwards.

AWS Console Method

  1. Open the Amazon Cognito console
  2. Select User pools from the left navigation
  3. Click on the user pool you want to update
  4. Go to the Sign-in experience tab
  5. Under Password policy, click Edit
  6. Find Temporary passwords set by administrators expire in
  7. Set the value to 7 days or fewer
  8. Click Save changes

AWS CLI (optional)

Use the update-user-pool command to set the temporary password validity period:

aws cognito-idp update-user-pool \
    --user-pool-id <your-user-pool-id> \
    --policies "PasswordPolicy={TemporaryPasswordValidityDays=7}" \
    --region us-east-1

Replace <your-user-pool-id> with your actual user pool ID (e.g., us-east-1_AbCdEfGhI).

Important: update-user-pool is not a partial update. Any user pool attribute you leave out of the command is reset to its default, and --policies replaces the whole Policies object, so the command above as written would also reset MinimumLength and the Require* flags. To preserve existing settings, first retrieve your current configuration:

aws cognito-idp describe-user-pool \
    --user-pool-id <your-user-pool-id> \
    --region us-east-1

Then pass every existing, updatable setting back in the update command along with the new TemporaryPasswordValidityDays value. Two caveats when replaying the describe output: drop the read-only fields it contains (Id, Arn, CreationDate, SchemaAttributes and similar), which update-user-pool does not accept, and drop AdminCreateUserConfig.UnusedAccountValidityDays, the deprecated predecessor of this setting that older pools still report; Cognito does not accept both values in the same request.

CloudFormation (optional)

Add or update the TemporaryPasswordValidityDays property in your user pool's password policy:

AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito User Pool with secure temporary password expiration

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: MySecureUserPool
      Policies:
        PasswordPolicy:
          TemporaryPasswordValidityDays: 7
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
          RequireUppercase: true

Deploy using:

aws cloudformation deploy \
    --template-file template.yaml \
    --stack-name my-cognito-stack \
    --region us-east-1

Terraform (optional)

Configure the password_policy block with temporary_password_validity_days:

resource "aws_cognito_user_pool" "example" {
  name = "example-user-pool"

  password_policy {
    temporary_password_validity_days = 7
    minimum_length                   = 8
    require_lowercase                = true
    require_numbers                  = true
    require_symbols                  = true
    require_uppercase                = true
  }
}

Verification

After making changes, confirm the setting is applied:

  1. In the Cognito console, navigate to your user pool
  2. Go to the Sign-in experience tab
  3. Under Password policy, verify that Temporary passwords set by administrators expire in shows 7 days or less

CLI Verification

aws cognito-idp describe-user-pool \
    --user-pool-id <your-user-pool-id> \
    --query 'UserPool.Policies.PasswordPolicy.TemporaryPasswordValidityDays' \
    --region us-east-1

The output should be 7 or less.
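The read-modify-write that the CLI section asks for, and the per-pool check that the verification step performs by hand, as one added example; this is not code from the original page or from AWS. It assumes boto3 is installed only for the two functions that talk to AWS (audit_region and remediate); everything else operates on a describe-user-pool document and runs offline against a constructed sample pool. The UPDATABLE_KEYS list is this example's own enumeration of the UpdateUserPool request parameters, and the sample pool, account ID and dates are made up.

```python
"""Audit Cognito user pools for TemporaryPasswordValidityDays and build a
safe read-modify-write UpdateUserPool request.

Added example for this page; not code from the original page or from AWS.
boto3 is imported only inside the two functions that talk to AWS, so the
helpers and the sample below run offline.
"""
import copy

MAX_DAYS = 7              # threshold enforced by this check
COGNITO_DEFAULT_DAYS = 7  # AWS default when the key is absent from a pool

# Top-level UserPool fields that UpdateUserPool accepts. Everything else in the
# describe-user-pool output (Id, Arn, CreationDate, SchemaAttributes,
# EstimatedNumberOfUsers, ...) is read-only and must not be echoed back.
# Assumption: this list matches the UpdateUserPool request parameters.
UPDATABLE_KEYS = (
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage",
    "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "UserAttributeUpdateSettings",
    "MfaConfiguration", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig",
    "UserPoolAddOns", "AccountRecoverySetting",
)

# Constructed sample of a describe-user-pool "UserPool" document (not a real
# pool): a 30-day window plus the deprecated UnusedAccountValidityDays mirror
# that older pools still report.
SAMPLE_POOL = {
    "Id": "us-east-1_AbCdEfGhI",
    "Name": "MySecureUserPool",
    "Arn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_AbCdEfGhI",
    "CreationDate": "2023-01-01T00:00:00Z",
    "Policies": {
        "PasswordPolicy": {
            "MinimumLength": 12,
            "RequireUppercase": True,
            "RequireLowercase": True,
            "RequireNumbers": True,
            "RequireSymbols": True,
            "TemporaryPasswordValidityDays": 30,
        }
    },
    "MfaConfiguration": "OPTIONAL",
    "AdminCreateUserConfig": {
        "AllowAdminCreateUserOnly": True,
        "UnusedAccountValidityDays": 30,
    },
    "EstimatedNumberOfUsers": 42,
}


def temp_password_days(user_pool):
    """Current validity window; an absent key means the AWS default of 7."""
    policy = user_pool.get("Policies", {}).get("PasswordPolicy", {})
    return int(policy.get("TemporaryPasswordValidityDays", COGNITO_DEFAULT_DAYS))


def is_compliant(user_pool, max_days=MAX_DAYS):
    return temp_password_days(user_pool) <= max_days


def build_update_request(user_pool, days=MAX_DAYS):
    """Build kwargs for update_user_pool that change only the validity window.

    Every updatable field is copied forward so nothing else is reset to its
    default, read-only fields are dropped, and the input dict is not mutated.
    """
    req = {k: copy.deepcopy(user_pool[k]) for k in UPDATABLE_KEYS if k in user_pool}
    req["UserPoolId"] = user_pool["Id"]
    req.setdefault("Policies", {}).setdefault("PasswordPolicy", {})[
        "TemporaryPasswordValidityDays"] = days
    # Older pools mirror the window in the deprecated
    # AdminCreateUserConfig.UnusedAccountValidityDays; Cognito does not accept
    # both in one request, so the deprecated key is dropped.
    req.get("AdminCreateUserConfig", {}).pop("UnusedAccountValidityDays", None)
    return req


def audit_region(region):
    """(pool id, name, days, compliant) for every pool in a region; needs boto3."""
    import boto3  # imported here so the offline helpers need no SDK
    client = boto3.client("cognito-idp", region_name=region)
    findings = []
    pages = client.get_paginator("list_user_pools").paginate(
        PaginationConfig={"PageSize": 60})
    for page in pages:
        for summary in page["UserPools"]:
            pool = client.describe_user_pool(UserPoolId=summary["Id"])["UserPool"]
            findings.append((pool["Id"], pool["Name"], temp_password_days(pool),
                             is_compliant(pool)))
    return findings


def remediate(user_pool_id, region, days=MAX_DAYS, dry_run=True):
    """Read the live pool, build the merged request, apply it unless dry_run."""
    import boto3
    client = boto3.client("cognito-idp", region_name=region)
    pool = client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    req = build_update_request(pool, days)
    if not dry_run:
        client.update_user_pool(**req)
    return req


if __name__ == "__main__":
    # Offline demonstration on the constructed sample pool.
    print("compliant:", is_compliant(SAMPLE_POOL))
    print(build_update_request(SAMPLE_POOL))
```

Run remediate with dry_run=True first and diff the returned request against the describe output; the only intended differences are the new TemporaryPasswordValidityDays value, the dropped read-only fields and the dropped UnusedAccountValidityDays key. Anything else that changes means a field is missing from UPDATABLE_KEYS and would be reset by the real call.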

Additional Resources

Notes

  • Best practice: Set temporary password expiration to 7 days or less. 7 days is the AWS default; the API accepts values from 0 to 365 days, and longer periods only widen the exposure window.
  • User experience: If users frequently miss the expiration window, consider improving your onboarding communication rather than extending the expiration period.
  • MFA recommendation: Enable multi-factor authentication (MFA) for additional security during the initial sign-in process.
  • Compliance: This control aligns with C5 and KISA-ISMS-P compliance frameworks.