Profile Applicability:

  • Level 1

Description:

Amazon Cognito user pools issue a temporary password when an administrator creates a user (for example with AdminCreateUser, which delivers it in the invitation e-mail or SMS). The user must sign in with that password and set a permanent one before it expires. The validity period is controlled by the password policy of the user pool (TemporaryPasswordValidityDays). Ensure it is set to 7 days or less, so that a temporary password that was never redeemed cannot still be used weeks after it was issued if the invitation message is forwarded, logged or otherwise exposed.

Rationale:

  • Security: A short validity period bounds the time during which an unredeemed temporary password remains usable. The password is delivered out of band in an invitation message, so an old message that leaks or is forwarded should not still grant a first sign-in.

  • Compliance: Short-lived initial credentials are expected by common security standards (e.g., PCI DSS, SOC 2) and demonstrate that administrator-issued passwords are managed securely.

  • Best Practices: Requiring users to replace the temporary password promptly retires the administrator-generated secret early in the life of the account.

Impact:

Pros:

  • Enhanced Security: Reduces the window of opportunity for a malicious actor who obtains an invitation message to use the temporary password.

  • Meets Compliance Requirements: Short validity periods for initial credentials align with common compliance requirements for password management.

  • Prompt Ownership: Users must choose their own permanent password soon after the account is created, so the administrator-known secret is retired quickly.

Cons:

  • User Inconvenience: Users who do not sign in within the 7-day window need a new temporary password (an administrator can resend the invitation with a fresh password using AdminCreateUser with the RESEND message action).

  • Additional Setup: Pools whose validity period was raised above 7 days must be corrected. Because UpdateUserPool resets every attribute omitted from the request to its default, the correction must be made with the pool's full current configuration, not the password policy alone.

Default Value:

By default, a user pool's TemporaryPasswordValidityDays is 7, so a newly created pool is compliant. The value can be raised to a maximum of 365 days. Pools configured before this field was introduced may instead carry the deprecated AdminCreateUserConfig.UnusedAccountValidityDays setting; whichever field is in effect must be 7 or less.

Pre-requisite:

  • AWS IAM Permissions:

    • cognito-idp:ListUserPools (to enumerate the pools to review)

    • cognito-idp:DescribeUserPool

    • cognito-idp:UpdateUserPool

  • AWS CLI installed and configured.

  • Cognito User Pool is set up and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. In the Cognito Dashboard, select User Pools.

  4. Choose the User Pool you want to review.

  5. Open the Password policy settings of the pool (listed under Authentication methods in the current console, under the Policies tab in the legacy console).

  6. Check that the Temporary password expiration value is 7 days or less.

    • If the value is higher than 7 days, proceed with configuring it as outlined in the Implementation Steps.

Using AWS CLI:

  1. List the user pools in the region (list-user-pools requires --max-results; page with --next-token if more pools exist):

    aws cognito-idp list-user-pools --max-results 60 --region <region> --query 'UserPools[].Id' --output text

  2. For each pool, read the temporary password validity period from its password policy:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --region <region> --query 'UserPool.Policies.PasswordPolicy.TemporaryPasswordValidityDays'

  3. Ensure the value is 7 or less. If the query returns null, the pool may still use the deprecated setting; check it with:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --region <region> --query 'UserPool.AdminCreateUserConfig.UnusedAccountValidityDays'

    A value above 7 in either field is non-compliant; proceed with updating the policy.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Cognito.

  2. In the Cognito Dashboard, select User Pools and choose the User Pool you want to modify.

  3. Open the Password policy settings of the pool (under Authentication methods in the current console, under the Policies tab in the legacy console).

  4. Set the Temporary password expiration value to 7 days or less.

  5. Save the changes to ensure the new expiration period is applied.

Using AWS CLI:

  1. Capture the pool's current configuration first. UpdateUserPool resets every attribute that is not included in the request to its default value, so settings such as the MFA configuration, Lambda triggers, e-mail and SMS configuration and account recovery settings must be re-supplied on the same call:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --region <region> > user-pool.json

  2. Set the temporary password validity to 7 days. Pass the complete password policy (omitted policy fields also revert to their defaults) together with every other attribute from user-pool.json that must be kept:

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --region <region> --policies 'PasswordPolicy={MinimumLength=8,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=true,TemporaryPasswordValidityDays=7}' <other current attributes>

    If the pool still carries the deprecated AdminCreateUserConfig.UnusedAccountValidityDays, do not resubmit it: once TemporaryPasswordValidityDays is set, that field is no longer available for the pool.

  3. Verify the update:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --region <region> --query 'UserPool.Policies.PasswordPolicy.TemporaryPasswordValidityDays'

  4. Ensure the returned TemporaryPasswordValidityDays is 7 or less, and compare a fresh describe-user-pool output against user-pool.json to confirm that no other setting changed.
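As an added example covering both the CLI test plan above and these implementation steps (it is not AWS, CIS or the page's own code), the Python script below reads a user pool with boto3, reports the effective validity period (including the deprecated UnusedAccountValidityDays on older pools) and, with --fix, changes only TemporaryPasswordValidityDays while carrying every other DescribeUserPool attribute into the UpdateUserPool call so that nothing reverts to a default. The sample pool dictionary and its ID are constructed, and READ_ONLY_FIELDS is an assumption derived from the UpdateUserPool request shape; extend it if the API rejects another field.

```python
"""Audit (and optionally fix) TemporaryPasswordValidityDays on a Cognito user pool.

Added example for this recommendation, not AWS or CIS code. The sample
DescribeUserPool result is constructed; READ_ONLY_FIELDS is an assumption based
on the UpdateUserPool request shape and should be extended if the API rejects
another field.
"""
import copy
import sys

MAX_VALIDITY_DAYS = 7
SERVICE_DEFAULT_DAYS = 7  # value Cognito applies when the field is not set

# Returned by DescribeUserPool but not accepted by UpdateUserPool (assumption).
READ_ONLY_FIELDS = (
    "Id", "Name", "Arn", "Status", "CreationDate", "LastModifiedDate",
    "SchemaAttributes", "EstimatedNumberOfUsers", "Domain", "CustomDomain",
    "AliasAttributes", "UsernameAttributes", "UsernameConfiguration",
    "SmsConfigurationFailure", "EmailConfigurationFailure",
)

# Constructed sample in the shape of the "UserPool" object returned by
# `aws cognito-idp describe-user-pool --output json` (the ID is fictitious).
SAMPLE_USER_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "Name": "example-pool",
    "Arn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE",
    "Status": "Enabled",
    "Policies": {"PasswordPolicy": {
        "MinimumLength": 12, "RequireUppercase": True, "RequireLowercase": True,
        "RequireNumbers": True, "RequireSymbols": True,
        "TemporaryPasswordValidityDays": 30,
    }},
    "MfaConfiguration": "OPTIONAL",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
    "SchemaAttributes": [{"Name": "email", "Required": True}],
    "EstimatedNumberOfUsers": 42,
}


def temporary_password_validity_days(user_pool: dict) -> int:
    """Effective validity period for the pool.

    Current pools carry Policies.PasswordPolicy.TemporaryPasswordValidityDays;
    pools configured before that field existed may carry the deprecated
    AdminCreateUserConfig.UnusedAccountValidityDays instead. An absent value
    means the service default.
    """
    policy = user_pool.get("Policies", {}).get("PasswordPolicy", {})
    if policy.get("TemporaryPasswordValidityDays") is not None:
        return int(policy["TemporaryPasswordValidityDays"])
    legacy = user_pool.get("AdminCreateUserConfig", {}).get("UnusedAccountValidityDays")
    return int(legacy) if legacy is not None else SERVICE_DEFAULT_DAYS


def is_compliant(user_pool: dict, max_days: int = MAX_VALIDITY_DAYS) -> bool:
    return temporary_password_validity_days(user_pool) <= max_days


def build_update_request(user_pool: dict, days: int = MAX_VALIDITY_DAYS) -> dict:
    """Build the UpdateUserPool request that changes only the validity period.

    UpdateUserPool resets every attribute omitted from the request to its
    default, so the whole DescribeUserPool result is carried over, minus the
    read-only fields the update API does not accept.
    """
    req = copy.deepcopy(user_pool)
    for field in READ_ONLY_FIELDS:
        req.pop(field, None)
    req["UserPoolId"] = user_pool["Id"]
    req.setdefault("Policies", {}).setdefault("PasswordPolicy", {})[
        "TemporaryPasswordValidityDays"] = days
    # The deprecated field is not available once TemporaryPasswordValidityDays is set.
    req.get("AdminCreateUserConfig", {}).pop("UnusedAccountValidityDays", None)
    return req


def main(user_pool_id: str, region: str, fix: bool = False) -> int:
    import boto3  # imported here so the pure functions above need no AWS SDK

    client = boto3.client("cognito-idp", region_name=region)
    user_pool = client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    days = temporary_password_validity_days(user_pool)
    if days <= MAX_VALIDITY_DAYS:
        print(f"{user_pool_id}: PASS ({days} days)")
        return 0
    print(f"{user_pool_id}: FAIL ({days} days > {MAX_VALIDITY_DAYS})")
    if fix:
        client.update_user_pool(**build_update_request(user_pool))
        print(f"{user_pool_id}: set TemporaryPasswordValidityDays to {MAX_VALIDITY_DAYS}")
    return 1


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} <user-pool-id> <region> [--fix]")
    sys.exit(main(sys.argv[1], sys.argv[2], fix="--fix" in sys.argv[3:]))
```

Run it as `python cognito_temp_pw.py <user-pool-id> <region>` to audit and add `--fix` to remediate (the exit code is 1 for a non-compliant pool, which makes it usable in a pipeline). The pure functions take the DescribeUserPool dictionary, so they can also be run against a saved `aws cognito-idp describe-user-pool --output json` file without credentials, and the sample pool shows the non-compliant case (30 days) being rewritten to 7 with its password policy and MFA setting preserved.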

Backout Plan:

Using AWS Console:

  1. If the expiration setting causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito and select the User Pool.

  3. Open the Password policy settings of the pool (under Authentication methods in the current console, under the Policies tab in the legacy console) and adjust the Temporary password expiration value.

  4. Set the expiration to a longer period if necessary, up to the maximum of 365 days. The expiration cannot be disabled.

  5. Save the changes.

Using AWS CLI:

  1. To change the temporary password validity to a longer period (at most 365 days), re-run the update with the pool's full current configuration exactly as in the Implementation Steps, changing only the value; attributes left out of the request revert to their defaults:

    aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --region <REGION> --policies 'PasswordPolicy={MinimumLength=8,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=true,TemporaryPasswordValidityDays=<NEW_VALUE>}' <other current attributes>

  2. Verify that the change has been applied by describing the User Pool again:

    aws cognito-idp describe-user-pool --user-pool-id <USER_POOL_ID> --region <REGION> --query 'UserPool.Policies.PasswordPolicy.TemporaryPasswordValidityDays'

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                             | IG1 | IG2 | IG3
--------|------------|---------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                            |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                 |     |     |