Profile Applicability:

  • Level 1

Description:

Amazon Cognito user pools provide authentication and user management for applications. Self-registration lets anyone who knows an app client ID create an account through the public SignUp API or the hosted UI sign-up page, with no administrator involvement. While convenient, this means the user pool accepts identities nobody has vetted. This SOP ensures that self-registration is disabled in Cognito User Pools (the pool's AllowAdminCreateUserOnly setting is true), so accounts can only be created by an administrator (for example with AdminCreateUser, which sends an invitation) or through another controlled process such as federation with an external identity provider.

Rationale:

  • Security: Disabling self-registration prevents unauthorized parties from creating accounts in the pool. Self-created accounts can be used to abuse application features, to consume SMS and e-mail verification quota, or simply to populate the directory with untrusted identities.

  • Access Control: By restricting account creation to admin-controlled processes (e.g., invite-only), you can better control the access granted to users.

  • Compliance: Many compliance frameworks (e.g., SOC 2, HIPAA) require robust access control mechanisms, including ensuring only authorized individuals can register for services.

  • User Management: Helps streamline user management by ensuring that only trusted users are able to sign up.

Impact:

Pros:

  • Increased Security: Prevents the risk of unauthorized user registrations.

  • Controlled Access: Limits user pool registrations to only those with explicit authorization.

  • Compliance: Helps meet compliance requirements for secure user authentication and authorization.

Cons:

  • Reduced User Convenience: Users will no longer be able to sign up on their own; they must be added by an administrator or through another controlled process.

  • Additional Configuration: Requires the setup of alternate user registration methods (e.g., admin invitations or external identity providers).

Default Value:

By default a new User Pool has AllowAdminCreateUserOnly set to false, so self-registration is enabled: anyone can create an account through the SignUp API or the hosted UI sign-up page.

Pre-requisite:

  • AWS IAM Permissions:

    • cognito-idp:DescribeUserPool

    • cognito-idp:UpdateUserPool

    • cognito-idp:AdminCreateUser

  • AWS CLI installed and configured.

  • Amazon Cognito User Pool is set up and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. In the Cognito Dashboard, select User Pools.

  4. Select the User Pool you want to configure.

  5. Open the Sign-up section (labelled Sign-up experience in older versions of the console) and locate Self-service sign-up.

    • Self-registration must be shown as Disabled. This setting disables both the hosted UI sign-up page and the public SignUp API; merely hiding the sign-up link in a custom UI does not stop direct API calls.

    • If self-registration is shown as Enabled, the User Pool is non-compliant; remediate it using the Implementation Steps below.

Using AWS CLI:

  1. To check whether self-registration is enabled, read the AllowAdminCreateUserOnly flag of the User Pool (note that AutoVerifiedAttributes only controls which attributes Cognito verifies automatically; it does not control sign-up):

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.AdminCreateUserConfig.AllowAdminCreateUserOnly'

    The expected output is true. Output of false or null means self-registration is enabled.

  2. If self-registration is enabled, disable it as described in the Implementation Steps below.

  3. Optionally, confirm enforcement end to end by attempting a sign-up against an app client of the pool (for example with the aws cognito-idp sign-up subcommand). It must fail with NotAuthorizedException ("SignUp is not permitted for this user pool"). If the attempt unexpectedly succeeds, the pool is non-compliant and the account just created must be deleted.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Cognito.

  2. In the Cognito Dashboard, select User Pools and choose the User Pool you want to modify.

  3. Open the Sign-up section (Sign-up experience in older versions of the console), choose Edit in Self-service sign-up, and clear Enable self-registration. This:

    • Removes the sign-up option from the hosted UI and makes the SignUp API reject requests for this User Pool.

    • Leaves account creation to administrators (AdminCreateUser, which sends an invitation with a temporary password) or to a federated identity provider.

  4. Save the changes to the User Pool.

Using AWS CLI:

  1. To disable self-registration, set AllowAdminCreateUserOnly to true:

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --admin-create-user-config AllowAdminCreateUserOnly=true

    Caution: update-user-pool resets every setting omitted from the call to its default (MFA configuration, Lambda triggers, e-mail and SMS configuration, and so on). In production, run describe-user-pool first, keep the full configuration, and pass it back with only AdminCreateUserConfig changed (for example via --cli-input-json) rather than issuing the single-option command above.

  2. Verify that self-registration is disabled:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.AdminCreateUserConfig.AllowAdminCreateUserOnly'

    The output must be true.
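The following script is added here as a worked example for the CLI test and implementation steps above; it is not part of the SOP and not AWS tooling. It performs the same check as the describe-user-pool query and the same fix as update-user-pool, but handles the reset-to-default behaviour of UpdateUserPool by echoing back the complete DescribeUserPool configuration with only AllowAdminCreateUserOnly changed. The data in SAMPLE_POOL is constructed (the pool ID, ARN and account number are placeholders). The live path assumes boto3 is installed and credentials with the permissions listed under Pre-requisite are configured.

```python
"""Audit and remediate self-registration on Amazon Cognito user pools.

Added example for this SOP; not AWS code. The pure functions use only the
standard library. audit_and_remediate() needs boto3 and configured
credentials (assumed) and is only reached when called explicitly.
"""
import copy
import json
import sys

# Fields DescribeUserPool returns that UpdateUserPool does not accept. Anything
# not listed here is passed back verbatim, so a field this list forgets fails
# loudly with a parameter validation error instead of silently resetting.
READ_ONLY_FIELDS = {
    "Id", "Name", "Arn", "Status", "CreationDate", "LastModifiedDate",
    "SchemaAttributes", "AliasAttributes", "UsernameAttributes",
    "UsernameConfiguration", "EstimatedNumberOfUsers", "Domain", "CustomDomain",
    "SmsConfigurationFailure", "EmailConfigurationFailure",
}

# Constructed sample of the "UserPool" object DescribeUserPool returns
# (trimmed); the pool ID, ARN and account number are placeholders.
SAMPLE_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "Name": "example-pool",
    "Arn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE",
    "Policies": {"PasswordPolicy": {"MinimumLength": 12,
                                    "TemporaryPasswordValidityDays": 7}},
    "MfaConfiguration": "ON",
    "AutoVerifiedAttributes": ["email"],
    "SchemaAttributes": [{"Name": "email", "Required": True}],
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False,
                              "UnusedAccountValidityDays": 7},
    "EstimatedNumberOfUsers": 42,
}


def self_registration_enabled(pool: dict) -> bool:
    """True when anyone may call SignUp (the non-compliant state).

    AllowAdminCreateUserOnly defaults to false, so a missing key means enabled.
    """
    cfg = pool.get("AdminCreateUserConfig") or {}
    return not cfg.get("AllowAdminCreateUserOnly", False)


def build_update_request(pool: dict, allow_admin_only: bool) -> dict:
    """Build a complete UpdateUserPool request from a DescribeUserPool result.

    UpdateUserPool resets every setting omitted from the call to its default,
    so the whole current configuration is echoed back with only
    AllowAdminCreateUserOnly changed. The input dict is left untouched.
    """
    req = {k: copy.deepcopy(v) for k, v in pool.items() if k not in READ_ONLY_FIELDS}
    req["UserPoolId"] = pool["Id"]
    cfg = req.setdefault("AdminCreateUserConfig", {})
    cfg["AllowAdminCreateUserOnly"] = allow_admin_only
    # Deprecated field that DescribeUserPool still echoes; UpdateUserPool rejects
    # it when Policies.PasswordPolicy.TemporaryPasswordValidityDays is also set.
    cfg.pop("UnusedAccountValidityDays", None)
    return req


def audit_and_remediate(user_pool_id: str, remediate: bool = False) -> dict:
    """Live check (and optional fix) of one user pool via boto3."""
    import boto3  # imported here so the pure functions above need no SDK

    client = boto3.client("cognito-idp")
    pool = client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    enabled = self_registration_enabled(pool)
    if enabled and remediate:
        client.update_user_pool(**build_update_request(pool, allow_admin_only=True))
        # Re-read rather than trust the call: this is the verification step.
        pool = client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
        enabled = self_registration_enabled(pool)
    return {"UserPoolId": user_pool_id, "SelfRegistrationEnabled": enabled}


if __name__ == "__main__":
    # usage: python cognito_selfreg.py <user-pool-id> [--fix]
    if len(sys.argv) < 2:
        # Offline demo: show the request that would be sent for the sample pool.
        print(json.dumps(build_update_request(SAMPLE_POOL, True), indent=2))
    else:
        print(json.dumps(audit_and_remediate(sys.argv[1], "--fix" in sys.argv)))
```

READ_ONLY_FIELDS is a denylist rather than an allowlist on purpose: if AWS adds a new updatable setting, an allowlist would drop it and the update would silently reset it, whereas passing an unknown field through produces a validation error you will notice. Run the script with no arguments to inspect the request offline before pointing it at a real pool; run it with a pool ID to audit, and add --fix to remediate.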

Backout Plan:

Using AWS Console:

  1. If disabling self-registration causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito and select the User Pool.

  3. Open the Sign-up section (Sign-up experience in older versions of the console) and choose Edit in Self-service sign-up.

  4. Select Enable self-registration to re-enable self-registration.

  5. Save the changes.

Using AWS CLI:

  1. To re-enable self-registration, run the following command:

    aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --admin-create-user-config AllowAdminCreateUserOnly=false --region <REGION>

    The same caution applies as when disabling: settings omitted from update-user-pool revert to their defaults, so pass back the full configuration rather than this single option in production.

  2. Verify that self-registration is re-enabled by describing the User Pool again; the flag should now be false:

    aws cognito-idp describe-user-pool --user-pool-id <USER_POOL_ID> --region <REGION> --query 'UserPool.AdminCreateUserConfig.AllowAdminCreateUserOnly'

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                       | IG1 | IG2 | IG3
  ------- | ---------- | --------------------------------------------------------- | --- | --- | ---
  v8      | 3.4        | Encrypt Data on End-User Devices                          |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control             |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists          |     |     |