Profile Applicability:

  • Level 1

Description:

Amazon Cognito provides authentication, authorization, and user management services for applications. Password policies for Cognito user pools define the rules for creating secure passwords. Requiring at least one lowercase letter in user passwords is an important aspect of ensuring strong password policies and enhancing security. This SOP ensures that the Cognito user pool password policy requires at least one lowercase letter in every user's password.

Rationale:

  • Security: Requiring at least one lowercase letter helps prevent users from choosing simple or predictable passwords, thereby increasing the overall password complexity and reducing the risk of unauthorized access.

  • Compliance: Many security and compliance frameworks (e.g., SOC 2, HIPAA, PCI-DSS) require strong password policies that include the use of lowercase letters as part of a broader set of password complexity rules.

  • Best Practices: Requiring lowercase letters, along with other character types (numbers, symbols), adheres to security best practices for password strength.

Impact:

Pros:

  • Enhanced Security: Password complexity increases with the requirement for at least one lowercase letter, making it harder for attackers to guess or crack passwords.

  • Compliance: Ensures the user pool complies with strong password policies for regulatory and security frameworks.

  • Preventing Weak Passwords: Reduces the chance of users selecting weak, easily guessable passwords.

Cons:

  • User Frustration: Some users may find complex password requirements inconvenient, especially if they are not familiar with how to create strong passwords.

  • Support Overhead: May increase the need for password reset requests from users who have difficulty complying with the policy.

Default Value:

By default, Cognito User Pools do not enforce the use of a lowercase letter in the password policy. The requirement must be explicitly added to the password policy.

Pre-requisite:

  • AWS IAM Permissions:

    • cognito-idp:DescribeUserPool

    • cognito-idp:UpdateUserPool

  • AWS CLI installed and configured.

  • Cognito User Pool created and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. Select User Pools and choose the user pool you want to check.

  4. Under General settings, select Password policy.

  5. Ensure that the Require at least one lowercase letter option is selected.

    • If the option is selected, the password policy will enforce the use of lowercase letters.

    • If the option is not selected, proceed to enable it as per the Implementation Steps below.

Using AWS CLI:

  1. To describe the Cognito user pool and check the password policy, run:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.Policies.PasswordPolicy'

  2. Verify that the RequireLowercase field is set to true:

    {

    "MinimumLength": 8,
    "RequireUppercase": true,
    "RequireLowercase": true,
    "RequireNumbers": true,
    "RequireSymbols": true

}

  1. If RequireLowercase is false, follow the Implementation Steps to enable the requirement.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon Cognito.

  2. In the Cognito Console, select User Pools and choose the user pool you want to update.

  3. Under General settings, select Password policy.

  4. Enable the Require at least one lowercase letter checkbox.

  5. Save the changes to enforce the updated password policy.

Using AWS CLI:

  1. To update the user pool password policy and require at least one lowercase letter, run the following command:

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --policies '{"PasswordPolicy": {"RequireLowercase": true}}'

  2. Verify the change by running:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.Policies.PasswordPolicy.RequireLowercase'

  3. Ensure that the output shows true for RequireLowercase.

Backout Plan:

Using AWS Console:

  1. If the password policy changes cause issues, navigate to the User Pool in the AWS Cognito Console.

  2. Under General Settings, go to Policies.

  3. Deselect Require at least one lowercase letter.

  4. Save the changes.

Using AWS CLI:

  1. To disable the requirement for at least one lowercase letter, run the following command:

    aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --password-policy "MinLowercase=0,MinimumLength=8,RequireUppercase=true,RequireNumbers=true" --region <REGION>

  2. Verify the changes:

    aws cognito-idp describe-user-pool --user-pool-id <USER_POOL_ID> --region <REGION>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.