Profile Applicability:
- Level 1
Description:
Amazon Cognito provides authentication and user management for applications, and it allows you to define password policies to ensure the security of user accounts. This SOP ensures that the password policy for Cognito User Pools requires at least one uppercase letter in the password. Requiring uppercase letters in passwords improves password complexity and reduces the likelihood of successful brute-force or dictionary attacks.
Rationale:
Security: Requiring at least one uppercase letter in the password makes the password more complex, which helps protect user accounts from unauthorized access by making them harder to guess or crack.
Compliance: Many security standards and regulations, such as PCI-DSS and SOC 2, require enforcing strong password policies to protect user authentication data.
Best Practices: Enforcing complex passwords with mixed character types (uppercase, lowercase, numbers, symbols) is a recognized security best practice to mitigate risks associated with weak passwords.
Impact:
Pros:
Increased Password Strength: By requiring an uppercase letter, passwords become more complex and harder for attackers to guess or crack.
Improved Security: Protects against common attacks like brute-force or dictionary attacks by enforcing password complexity.
Compliance: Helps meet compliance standards that mandate strong password policies.
Cons:
User Inconvenience: Users may find it inconvenient to follow the new password requirement if they are used to simpler passwords, potentially leading to frustration.
Additional Configuration: Requires administrators to update the password policy and inform users of the change.
Default Value:
By default, Amazon Cognito does not require an uppercase letter in passwords. Password policy configuration must be updated to enforce this requirement.
Prerequisites:
AWS IAM Permissions:
cognito-idp:DescribeUserPool
cognito-idp:UpdateUserPool
AWS CLI installed and configured.
Cognito User Pool is set up and operational.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Cognito under Services.
In the Cognito Dashboard, select User Pools.
Choose the User Pool you want to review.
Under User Pool Settings, navigate to the Password Policy section.
Ensure that the Requires Uppercase option is enabled. This setting forces the password to include at least one uppercase letter.
If Requires Uppercase is not enabled, proceed with enabling it as described in the Implementation Steps below.
Using AWS CLI:
To describe the Cognito User Pool and check the password policy, run:
aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.Policies.PasswordPolicy'
Review the output to confirm that RequireUppercase is set to true. If the result is false, proceed with enabling it.
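The CLI check above covers one pool at a time. The script below is an added audit helper, not part of this SOP or of AWS tooling; it wraps the same describe-user-pool query in a function that returns PASS only when RequireUppercase is literally true (a missing key is treated as FAIL, since the policy then does not assert the requirement), and a loop that walks every pool in the configured region. It assumes AWS CLI v2 is configured and the caller holds cognito-idp:ListUserPools and cognito-idp:DescribeUserPool. The sample policy objects at the end are constructed, not captured from a real account, so the evaluator can be exercised offline.

```shell
#!/bin/sh
# Added audit helper (not part of the original SOP). Assumes AWS CLI v2 and
# the cognito-idp:ListUserPools / cognito-idp:DescribeUserPool permissions.

# evaluate_password_policy: reads the JSON printed by
#   aws cognito-idp describe-user-pool --query 'UserPool.Policies.PasswordPolicy'
# on stdin. Returns 0 (PASS) only when RequireUppercase is literally true;
# false or a missing key is a FAIL.
evaluate_password_policy() {
    policy=$(cat)
    if printf '%s' "$policy" | grep -Eq '"RequireUppercase"[[:space:]]*:[[:space:]]*true'; then
        echo "PASS: RequireUppercase is true"
        return 0
    fi
    echo "FAIL: RequireUppercase is false or missing"
    return 1
}

# audit_user_pool POOL_ID: live check of a single pool.
audit_user_pool() {
    aws cognito-idp describe-user-pool --user-pool-id "$1" \
        --query 'UserPool.Policies.PasswordPolicy' --output json \
        | evaluate_password_policy
}

# audit_all_user_pools: check the first 60 pools in the configured region
# (list-user-pools requires --max-results; page with NextToken beyond that).
# Keeps going after a failing pool so the whole list is reported.
audit_all_user_pools() {
    for pool_id in $(aws cognito-idp list-user-pools --max-results 60 \
                         --query 'UserPools[].Id' --output text); do
        printf '%s: ' "$pool_id"
        audit_user_pool "$pool_id" || true
    done
}

# Constructed sample policy objects (not captured from a real account).
SAMPLE_COMPLIANT='{"MinimumLength": 8, "RequireUppercase": true, "RequireLowercase": true, "RequireNumbers": true, "RequireSymbols": true}'
SAMPLE_NONCOMPLIANT='{"MinimumLength": 8, "RequireUppercase": false, "RequireLowercase": true, "RequireNumbers": true, "RequireSymbols": true}'

# --self-check exercises the evaluator offline; --live audits the region.
case "${1:-}" in
    --self-check)
        printf '%s' "$SAMPLE_COMPLIANT" | evaluate_password_policy
        printf '%s' "$SAMPLE_NONCOMPLIANT" | evaluate_password_policy || true
        ;;
    --live) audit_all_user_pools ;;
esac
```

Run it as `sh audit.sh --self-check` to see one PASS and one FAIL line from the constructed samples, or `sh audit.sh --live` to print one line per pool ID. The grep-based evaluator is deliberately tolerant of whitespace so it works on both compact and pretty-printed CLI output.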
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Amazon Cognito.
In the Cognito Dashboard, select User Pools and choose the User Pool you want to modify.
Under User Pool Settings, go to the Password Policy section.
Enable the Requires Uppercase option to require at least one uppercase letter in the password.
Save the changes to enforce the updated password policy.
Using AWS CLI:
To update the password policy to require at least one uppercase letter, run:
aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --policies '{"PasswordPolicy": {"MinimumLength": 8, "RequireUppercase": true, "RequireLowercase": true, "RequireNumbers": true, "RequireSymbols": true}}'
Verify the policy update by running:
aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.Policies.PasswordPolicy'
Ensure that RequireUppercase is set to true in the policy.
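One caveat a practitioner should keep in mind when using the update-user-pool command above: any attribute not supplied in the call is reset to its default, so passing a hand-written PasswordPolicy can silently change MinimumLength or the other Require* flags, and the same applies to the pool's other update-user-pool attributes (Lambda triggers, MFA settings and so on), which a production script would carry forward from the full describe-user-pool output. The helper below is an added example, not part of this SOP or of AWS tooling; it reads the pool's current PasswordPolicy, flips only RequireUppercase to true (adding the key if absent), writes the whole object back, and re-reads it for verification. It assumes AWS CLI v2 is configured and the caller holds cognito-idp:DescribeUserPool and cognito-idp:UpdateUserPool.

```shell
#!/bin/sh
# Added remediation helper (not part of the original SOP). Assumes AWS CLI v2
# plus cognito-idp:DescribeUserPool and cognito-idp:UpdateUserPool. It does a
# read-modify-write of PasswordPolicy because update-user-pool resets every
# attribute it is not given to its default.

# enable_require_uppercase: reads a PasswordPolicy JSON object on stdin and
# prints the same object with "RequireUppercase": true.
enable_require_uppercase() {
    policy=$(cat)
    compact=$(printf '%s' "$policy" | tr -d ' \n\t\r')
    if printf '%s' "$policy" | grep -Eq '"RequireUppercase"[[:space:]]*:'; then
        # Key present: flip false to true in place (true stays true).
        printf '%s\n' "$policy" \
            | sed -E 's/"RequireUppercase"[[:space:]]*:[[:space:]]*false/"RequireUppercase": true/'
    elif [ "$compact" = "{}" ]; then
        # Empty object: emit the single key without a dangling comma.
        echo '{"RequireUppercase": true}'
    else
        # Key absent: insert it directly after the opening brace.
        printf '%s\n' "$policy" | sed -E 's/^[[:space:]]*\{/{"RequireUppercase": true, /'
    fi
}

# remediate_user_pool POOL_ID: read-modify-write against a live pool, then
# re-read the policy as the SOP's verification step does.
remediate_user_pool() {
    current=$(aws cognito-idp describe-user-pool --user-pool-id "$1" \
        --query 'UserPool.Policies.PasswordPolicy' --output json)
    updated=$(printf '%s' "$current" | enable_require_uppercase)
    aws cognito-idp update-user-pool --user-pool-id "$1" \
        --policies "{\"PasswordPolicy\": $updated}"
    aws cognito-idp describe-user-pool --user-pool-id "$1" \
        --query 'UserPool.Policies.PasswordPolicy'
}

# Usage: sh remediate.sh --live <user-pool-id>
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    remediate_user_pool "$2"
fi
```

Only the single-key edit is done with sed here; for anything broader than this one flag, pass the JSON through jq instead of string substitution.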
Backout Plan:
Using AWS Console:
If the password policy changes cause issues, sign in to the AWS Management Console.
Navigate to Amazon Cognito and select the User Pool.
Under General Settings, go to Policies and disable Require at least one uppercase letter.
Save the changes.
Using AWS CLI:
To disable the requirement for at least one uppercase letter, run the following command (update-user-pool takes the policy as a JSON --policies argument, as in the Implementation Steps; the other fields are supplied so they are not reset to defaults):
aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --policies '{"PasswordPolicy": {"MinimumLength": 8, "RequireUppercase": false, "RequireLowercase": true, "RequireNumbers": true, "RequireSymbols": true}}' --region <REGION>
Verify the change has been applied by describing the User Pool:
aws cognito-idp describe-user-pool --user-pool-id <USER_POOL_ID> --region <REGION>