Profile Applicability:

  • Level 1

Description:

Amazon Cognito provides user authentication and access control services. Password policies for Cognito user pools define the rules for user passwords, ensuring they are complex enough to protect user accounts. A strong password policy is critical for preventing unauthorized access. Requiring at least one symbol in the password is a key part of a robust password policy, as it increases the password complexity and reduces the likelihood of weak or easily guessable passwords.

Rationale:

  • Security: Requiring symbols in passwords ensures that users choose passwords that are harder to guess, helping to prevent brute force and dictionary attacks.

  • Compliance: Many security and compliance frameworks (e.g., SOC 2, HIPAA, PCI-DSS) require strong password policies that include special characters to meet security standards.

  • Best Practices: Enforcing strong password policies, including the use of symbols, is part of the industry’s recommended best practices for securing user authentication.

Impact:

Pros:

  • Increased Security: A password policy that requires symbols enhances password complexity and strengthens overall account security.

  • Compliance: Helps organizations meet the password complexity requirements for regulatory standards and best practices.

  • Prevention of Weak Passwords: Limits the use of easily guessable passwords, such as simple dictionary words.

Cons:

  • User Frustration: Some users may find complex password requirements difficult to remember or inconvenient, especially if they are not familiar with creating strong passwords.

  • Operational Overhead: Additional user education or support may be required to help users understand the password policy.

Default Value:

By default, Amazon Cognito does not require symbols in user pool passwords. The password policy can be configured to require symbols manually.

Pre-requisite:

  • AWS IAM Permissions:

    • cognito-idp:DescribeUserPool

    • cognito-idp:UpdateUserPool

  • AWS CLI installed and configured.

  • Cognito User Pool created and operational.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. Select User Pools and choose the user pool you want to check.

  4. Under General settings, select Password policy.

  5. Verify if the Require at least one symbol option is enabled.

    • If it is enabled, it will show as "Required".

    • If it is not enabled, you will need to modify the policy.

  6. If the policy is not enabled, follow the Implementation Steps below to enable it.

Using AWS CLI:

  1. To describe the Cognito user pool and check the password policy, run:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.Policies.PasswordPolicy'

  2. In the output, verify that the RequireSymbols field is set to true:

    {
    "MinimumLength": 8,
    "RequireUppercase": true,
    "RequireLowercase": true,
    "RequireNumbers": true,
    "RequireSymbols": true
}

  1. If RequireSymbols is false, run the following command to enable it.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito.

  3. In the Cognito Console, select User Pools and choose the user pool you want to update.

  4. Under General settings, select Password policy.

  5. Enable the Require at least one symbol checkbox.

  6. Save the changes to enforce the updated password policy.

Using AWS CLI:

  1. To update the user pool password policy and require at least one symbol, run the following command:

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --policies '{"PasswordPolicy": {"RequireSymbols": true}}

  2. Verify that the change was applied by describing the user pool again:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.Policies.PasswordPolicy.RequireSymbols

  3. Ensure that the output shows true for RequireSymbols.

Backout Plan:

Using AWS Console:

  1. If the password policy change causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito and select the User Pool.

  3. Under General Settings, go to Policies.

  4. Deselect Require at least one symbol.

  5. Save the changes.

Using AWS CLI:

  1. To disable the requirement for symbols, run the following command:

    aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --password-policy "RequireSymbols=false,MinimumLength=8,RequireUppercase=true,RequireNumbers=true" --region <REGION>

  2. Verify the change by describing the User Pool again:

    aws cognito-idp describe-user-pool --user-pool-id <USER_POOL_I

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.