Profile Applicability:

  • Level 1

Description:

Amazon Cognito is a fully managed service for authentication, authorization, and user management. Each Cognito User Pool has a configurable password policy that is enforced whenever a password is set or changed (sign-up, change-password and forgot-password flows, and administrator-set passwords). This SOP ensures that the password policy for the Cognito User Pool requires at least one numeric character, which strengthens password complexity and improves the security of user accounts. Note that the policy is applied only when a password is set or changed; passwords that already exist in the pool are not re-validated against it.

Rationale:

  • Security: Requiring at least one numeric character rules out purely alphabetic passwords, which shrinks the set of candidates a dictionary or brute-force attack can succeed with and makes passwords harder to guess or crack. It is a minimum bar, not a substitute for adequate length or for screening against known-breached passwords.

  • Compliance: Many security standards require an enforced password standard. PCI DSS, for example, requires passwords to contain both numeric and alphabetic characters (and, in v4.0, a minimum length of 12), and SOC 2 and HIPAA audits expect a documented and technically enforced password policy. Requiring numbers helps demonstrate that control.

  • Best Practices: Enforcing complex passwords, including numbers, is a security best practice to mitigate risks associated with weak passwords.

Impact:

Pros:

  • Increased Password Strength: Passwords are more secure with the requirement of a numeric character, making them more resistant to common attacks.

  • Compliance: Helps meet password complexity requirements for security standards and industry best practices.

  • Better Control: Helps enforce a consistent password policy for all users in the Cognito User Pool.

Cons:

  • User Inconvenience: Some users may find it inconvenient to follow additional password requirements, especially if they are used to simpler password patterns.

  • Training: Users may need to be informed about the new password policy to avoid confusion when they attempt to set or reset passwords.

Default Value:

By default, a new User Pool uses the Cognito default password policy: a minimum length of 8 and required uppercase, lowercase, numeric and special characters, so RequireNumbers is true unless a custom policy was chosen when the pool was created or the policy was changed later. Verify the current setting rather than assuming it.

Pre-requisite:

  • AWS IAM Permissions:

    • cognito-idp:DescribeUserPool (and cognito-idp:ListUserPools if you enumerate the pools in a region)

    • cognito-idp:UpdateUserPool

  • AWS CLI installed and configured.

  • Cognito User Pool is set up and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. In the Cognito Dashboard, select User Pools.

  4. Choose the User Pool you want to review and select the "Policies" tab.

  5. Under Password Policy, check that the "Requires a number" option is enabled. If it is not enabled, proceed with enabling it as detailed in the implementation steps below.

Using AWS CLI:

  1. To describe the Cognito User Pool and check its password policy, run:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.Policies.PasswordPolicy'

  2. Review the output to confirm that RequireNumbers is set to true. If the result is false, proceed to enable it.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito.

  3. In the Cognito Dashboard, select User Pools and choose the User Pool you want to modify.

  4. Go to the "Policies" tab.

  5. Under Password Policy, enable "Requires a number" by checking the box next to this option.

  6. Save changes to enforce the updated password policy.

Using AWS CLI:

  1. Retrieve the current password policy so that its existing values can be carried forward:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.Policies.PasswordPolicy'

  2. To enable requiring a number, pass the full password policy with RequireNumbers set to true. The values below are the Cognito defaults; replace them with the values returned in step 1 (including TemporaryPasswordValidityDays, if present) so that only the numeric requirement changes:

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --policies '{"PasswordPolicy": {"MinimumLength": 8, "RequireUppercase": true, "RequireLowercase": true, "RequireNumbers": true, "RequireSymbols": true}}'

     Caution: UpdateUserPool resets every parameter omitted from the request (for example MfaConfiguration, LambdaConfig, AutoVerifiedAttributes) to its default value. On a pool with any non-default settings, supply the complete current configuration, for example via --cli-input-json built from the describe-user-pool output with read-only fields such as Id, Arn and CreationDate removed, and change only RequireNumbers.

  3. Verify the policy update by running:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.Policies.PasswordPolicy'

  4. Ensure that "RequireNumbers": true is present in the output.
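The CLI audit and remediation above (Test Plan and Implementation Steps), as an added Python example that is not part of this SOP. It runs the check and builds the update payload against a constructed describe-user-pool sample; the live path uses boto3's cognito-idp client (describe_user_pool / update_user_pool) and is not exercised offline. CARRY_FORWARD_KEYS is this example's own list of settings to preserve and should be checked against the current UpdateUserPool reference.

```python
"""Added example (not from the original SOP): audit RequireNumbers on a Cognito
User Pool and build an update-user-pool request that does not reset the rest
of the pool. Assumes the UserPool dict shape returned by describe-user-pool.
"""
import copy
import json

# Constructed sample of describe-user-pool output, trimmed to what this example
# touches. Not real output.
SAMPLE_USER_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "Name": "example-pool",
    "Policies": {
        "PasswordPolicy": {
            "MinimumLength": 12,
            "RequireUppercase": True,
            "RequireLowercase": True,
            "RequireNumbers": False,
            "RequireSymbols": True,
            "TemporaryPasswordValidityDays": 3,
        }
    },
    "MfaConfiguration": "OPTIONAL",
    "AdminCreateUserConfig": {
        "AllowAdminCreateUserOnly": False,
        "UnusedAccountValidityDays": 3,
    },
}

# UpdateUserPool resets every parameter you omit to its Cognito default, so an
# update that sends only Policies would silently reset MFA, triggers, etc.
# These keys appear in both DescribeUserPool output and UpdateUserPool input;
# the list is this example's assumption, check it against the API reference.
CARRY_FORWARD_KEYS = (
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "VerificationMessageTemplate", "SmsAuthenticationMessage", "MfaConfiguration",
    "DeviceConfiguration", "EmailConfiguration", "SmsConfiguration",
    "UserPoolTags", "AdminCreateUserConfig", "UserPoolAddOns",
    "AccountRecoverySetting",
)


def check_password_policy(user_pool: dict) -> list:
    """Return findings for the pool; an empty list means compliant with this SOP.

    Checks the field the SOP inspects (RequireNumbers) and also flags a
    MinimumLength under 8, since complexity rules on very short passwords add little.
    """
    policy = user_pool.get("Policies", {}).get("PasswordPolicy", {})
    findings = []
    if policy.get("RequireNumbers") is not True:
        findings.append("RequireNumbers is not true")
    if policy.get("MinimumLength", 0) < 8:
        findings.append("MinimumLength is below 8")
    return findings


def build_policies(user_pool: dict, require_numbers: bool = True) -> dict:
    """Copy the existing Policies container and change only RequireNumbers.

    Keeps MinimumLength, the other Require* flags and TemporaryPasswordValidityDays
    as they are. require_numbers=False is the backout.
    """
    policies = copy.deepcopy(user_pool.get("Policies", {}))
    policies.setdefault("PasswordPolicy", {})["RequireNumbers"] = require_numbers
    return policies


def build_update_request(user_pool: dict, require_numbers: bool = True) -> dict:
    """Build keyword arguments for update_user_pool (or a --cli-input-json body).

    Read-only fields (Id, Name, Arn, CreationDate, ...) are dropped. The deprecated
    UnusedAccountValidityDays is removed because Cognito rejects a request that
    carries it alongside TemporaryPasswordValidityDays in the password policy.
    """
    request = {"UserPoolId": user_pool["Id"]}
    for key in CARRY_FORWARD_KEYS:
        if key in user_pool:
            request[key] = copy.deepcopy(user_pool[key])
    request["Policies"] = build_policies(user_pool, require_numbers)
    if "TemporaryPasswordValidityDays" in request["Policies"].get("PasswordPolicy", {}):
        request.get("AdminCreateUserConfig", {}).pop("UnusedAccountValidityDays", None)
    return request


def cli_policies_argument(user_pool: dict, require_numbers: bool = True) -> str:
    """JSON string for `aws cognito-idp update-user-pool --policies '...'`."""
    return json.dumps(build_policies(user_pool, require_numbers), separators=(",", ":"))


def remediate(client, user_pool_id: str, require_numbers: bool = True) -> dict:
    """Live path: fetch the pool with a boto3 cognito-idp client and apply the change."""
    pool = client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    request = build_update_request(pool, require_numbers)
    client.update_user_pool(**request)
    return request


if __name__ == "__main__":
    print("findings:", check_password_policy(SAMPLE_USER_POOL))
    print("--policies", cli_policies_argument(SAMPLE_USER_POOL))
```

Run it as-is to see the finding and the --policies JSON for the sample pool; to remediate a real pool, call remediate(boto3.client("cognito-idp", region_name=...), "<user-pool-id>") after reviewing the request it returns.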

Backout Plan:

Using AWS Console:

  1. If the password policy changes cause issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito and select the User Pool.

  3. Open the Password Policy settings (the "Policies" tab used in the steps above) and clear the option that requires at least one number.

  4. Save the changes.

Using AWS CLI:

  1. To disable the requirement for at least one number, pass the full password policy with RequireNumbers set to false, keeping the other values as returned by describe-user-pool (UpdateUserPool resets any omitted parameter to its default, so on a pool with non-default settings pass its complete current configuration, not just the password policy):

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --region <region> --policies '{"PasswordPolicy": {"MinimumLength": 8, "RequireUppercase": true, "RequireLowercase": true, "RequireNumbers": false, "RequireSymbols": true}}'

  2. Verify the change by describing the User Pool again and confirming that "RequireNumbers": false is present:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --region <region> --query 'UserPool.Policies.PasswordPolicy'

References:

  • Amazon Cognito Developer Guide, "Adding user pool password requirements": https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-policies.html

  • Amazon Cognito API Reference, UpdateUserPool: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3

v8 | 5.2 | Use Unique Passwords – Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. | Yes | Yes | Yes

v8 | 14.3 | Train Workforce Members on Authentication Best Practices – Train workforce members on authentication best practices, including MFA, password composition and credential management. | Yes | Yes | Yes