Profile Applicability:

  • Level 1

Description:

Amazon Cognito is a service that provides authentication and user management for web and mobile applications. The password policy for Cognito User Pools defines the rules that passwords must adhere to in order to ensure secure user authentication. This SOP ensures that the password policy for Cognito User Pools requires a minimum password length of 14 characters or greater, which helps enforce stronger password practices and enhances security by making it harder for attackers to guess passwords through brute-force attacks.

Rationale:

  • Security: Requiring passwords to be at least 14 characters long makes it significantly more difficult for attackers to crack passwords via brute-force or dictionary attacks, enhancing the overall security of the system.

  • Compliance: Many compliance standards, including PCI-DSS and SOC 2, require strong password policies to protect sensitive data and authentication systems.

  • Best Practices: Enforcing a minimum password length of 14 characters is considered a security best practice for protecting user accounts from unauthorized access.

Impact:

Pros:

  • Stronger Passwords: A minimum length of 14 characters ensures that passwords are harder to guess or crack.

  • Enhanced Security: Reduces the likelihood of successful brute-force or dictionary-based attacks on user passwords.

  • Compliance: Meets the requirements of many security frameworks for strong password policies.

Cons:

  • User Inconvenience: Users may find it more challenging to remember longer passwords, potentially leading to frustration or password reuse.

  • Increased Complexity: Administrators need to ensure that users are aware of the new password requirements, which might require additional communication or training.

Default Value:

By default, Amazon Cognito does not enforce a minimum password length of 14 characters. The default minimum length is typically set to 8 characters, and it must be manually updated to meet security best practices.

Pre-requisite:

  • AWS IAM Permissions:

    • cognito-idp:DescribeUserPool

    • cognito-idp:UpdateUserPool

  • AWS CLI installed and configured.

  • Cognito User Pool is set up and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. In the Cognito Dashboard, select User Pools.

  4. Choose the User Pool you want to check.

  5. Under User Pool Settings, navigate to the Password Policy section.

  6. Check that the Minimum password length is set to 14 characters or more.

  7. If the minimum length is less than 14, proceed to modify the password policy as described in the Implementation Steps.

Using AWS CLI:

  1. To describe the Cognito User Pool and check the password policy, run:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.Policies.PasswordPolicy'

  2. Review the output and verify that the MinimumLength is set to 14 or greater. If the result is lower, proceed with modifying the policy.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Cognito.

  2. In the Cognito Dashboard, select User Pools and choose the User Pool you want to modify.

  3. Under the Password Policy section, ensure the Minimum password length is set to 14 characters or greater.

  4. If the Minimum password length is less than 14, increase it to 14 or greater.

  5. Save the changes to enforce the updated password policy.

Using AWS CLI:

  1. To update the password policy to require a minimum length of 14, run:

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --policies '{"PasswordPolicy": {"MinimumLength": 14, "RequireUppercase": true, "RequireLowercase": true, "RequireNumbers": true, "RequireSymbols": true}}'

  2. Verify the policy update by running:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.Policies.PasswordPolicy'

  3. Ensure that the MinimumLength is set to 14 or greater.
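The CLI check in the Test Plan and the update step above, combined into one added helper (this is not part of the SOP or of the AWS CLI; it works on a constructed sample of the `describe-user-pool --query 'UserPool.Policies.PasswordPolicy'` output instead of calling AWS). It also shows the caveat that matters when remediating: `update-user-pool` replaces the whole Policies block, so every attribute you leave out of `--policies` reverts to its default, and the safe update carries the current settings over and raises only MinimumLength.

```python
import json

# Constructed sample of the PasswordPolicy block returned by describe-user-pool
# for a pool still on the 8-character default (not real account data).
SAMPLE_POLICY = {
    "MinimumLength": 8,
    "RequireUppercase": True,
    "RequireLowercase": True,
    "RequireNumbers": True,
    "RequireSymbols": False,
    "TemporaryPasswordValidityDays": 7,
}

REQUIRED_MIN_LENGTH = 14


def is_compliant(policy: dict) -> bool:
    """True when MinimumLength meets the 14-character requirement of this SOP."""
    return int(policy.get("MinimumLength", 0)) >= REQUIRED_MIN_LENGTH


def remediated_policies(policy: dict) -> dict:
    """Build the value for `update-user-pool --policies`.

    update-user-pool overwrites the Policies block, and attributes that are not
    supplied fall back to their defaults. Copying the current policy and
    changing only MinimumLength keeps the other rules (symbols, temporary
    password validity, ...) exactly as they are configured today.
    """
    updated = dict(policy)
    current = int(policy.get("MinimumLength", 0))
    updated["MinimumLength"] = max(current, REQUIRED_MIN_LENGTH)  # never lower it
    return {"PasswordPolicy": updated}


def remediation_command(user_pool_id: str, policy: dict) -> str:
    """Return the CLI command that applies the remediated policy.

    user_pool_id is whatever placeholder or real id the operator supplies.
    """
    policies_json = json.dumps(remediated_policies(policy))
    return (
        "aws cognito-idp update-user-pool "
        f"--user-pool-id {user_pool_id} --policies '{policies_json}'"
    )


if __name__ == "__main__":
    status = "PASS" if is_compliant(SAMPLE_POLICY) else "FAIL"
    print(f"MinimumLength={SAMPLE_POLICY['MinimumLength']}: {status}")
    if status == "FAIL":
        print(remediation_command("<user-pool-id>", SAMPLE_POLICY))
```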

Backout Plan:

Using AWS Console:

  1. If the password policy changes cause issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito and select the User Pool.

  3. Under General Settings, go to Policies and adjust the Minimum Length setting.

  4. Set the minimum length to a smaller value, if necessary, or remove the password policy change entirely.

  5. Save the changes.

Using AWS CLI:

  1. To change the minimum password length to a smaller value, run the following command:

    aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --policies 'PasswordPolicy={MinimumLength=<NEW_VALUE>,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=true}' --region <REGION>

  2. Verify that the change has been applied by describing the User Pool again:

    aws cognito-idp describe-user-pool --user-pool-id <USER_POOL_ID> --region <REGION>

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |