Profile Applicability:

  • Level 1

Description:

Amazon Cognito is a fully managed service that provides authentication, authorization, and user management for web and mobile applications. To prevent accidental or unauthorized deletion of Cognito User Pools, it is essential to enable deletion protection. This feature ensures that the Cognito User Pool cannot be deleted unless the protection is explicitly disabled, providing a safeguard against accidental loss of user data and configurations.

Rationale:

  • Data Protection: Enabling deletion protection ensures that critical user pool configurations and sensitive user data are not lost due to accidental or malicious deletions.

  • Security: By preventing the deletion of Cognito User Pools, you reduce the risk of unauthorized users deleting authentication and user management resources.

  • Compliance: Many compliance frameworks require measures to protect critical data and configurations, including safeguards to prevent unintended data loss.

Impact:

Pros:

  • Accidental Deletion Prevention: Provides an additional layer of protection to prevent the accidental deletion of Cognito User Pools, which may contain valuable user data.

  • Improved Data Integrity: Ensures that configurations and stored user data are protected against unintentional modifications or deletion.

  • Increased Security: Helps mitigate the risks of malicious or unauthorized access leading to the loss of user authentication data.

Cons:

  • Configuration Overhead: Requires manual configuration or updates to Cognito User Pools to enable deletion protection.

  • Increased Management Complexity: If deletion protection is enabled, it requires an extra step to disable it before making any changes to the Cognito User Pool, which may add complexity to administrative workflows.

Default Value:

By default, Cognito User Pools do not have deletion protection enabled, meaning they can be deleted without any additional safeguards.

Pre-requisite:

  • AWS IAM Permissions:

    • cognito-idp:UpdateUserPool

    • cognito-idp:DescribeUserPool

  • AWS CLI installed and configured.

  • Ensure that Cognito User Pools are set up and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. In the Cognito Dashboard, select User Pools.

  4. Choose the User Pool you want to check.

  5. Under the General Settings, check if Deletion protection is enabled:

    • If Deletion protection is enabled, it will be listed under the User Pool details.

    • If Deletion protection is not enabled, proceed with the steps below to enable it.

Using AWS CLI:

  1. To describe the Cognito User Pool and check if deletion protection is enabled, run:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.DeletionProtection' --output text

  2. If the result is INACTIVE (or the attribute is absent from the output), deletion protection is not enabled, and you will need to enable it. A result of ACTIVE means the User Pool is protected.
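The following script is an added example for the CLI test plan above; it is not part of the benchmark text and not an AWS-provided tool. It generalises the single describe-user-pool check to every User Pool in a region: it lists the pools, describes each one, and reports any whose UserPool.DeletionProtection is not ACTIVE. A missing attribute is treated as INACTIVE, which is the API default. The live audit assumes boto3 is installed and credentials with cognito-idp:ListUserPools and cognito-idp:DescribeUserPool; the sample pool documents and the pool IDs in them are constructed for offline use.

```python
"""Audit Amazon Cognito User Pools for deletion protection (added example).

Assumes boto3 and AWS credentials with cognito-idp:ListUserPools and
cognito-idp:DescribeUserPool for the live audit (audit_region only).
"""
from dataclasses import dataclass

# Values of UserPool.DeletionProtection as returned by DescribeUserPool.
ACTIVE = "ACTIVE"
INACTIVE = "INACTIVE"


@dataclass(frozen=True)
class Finding:
    pool_id: str
    pool_name: str
    status: str
    compliant: bool


def evaluate_user_pool(pool: dict) -> Finding:
    """Classify one DescribeUserPool 'UserPool' document.

    A missing DeletionProtection attribute is reported as INACTIVE and
    therefore non-compliant: pools described with an SDK that predates
    the feature do not carry the attribute, and the API default is INACTIVE.
    """
    status = pool.get("DeletionProtection", INACTIVE)
    return Finding(
        pool_id=pool.get("Id", "<unknown>"),
        pool_name=pool.get("Name", "<unknown>"),
        status=status,
        compliant=(status == ACTIVE),
    )


def non_compliant(findings):
    """Return only the findings that fail the check."""
    return [f for f in findings if not f.compliant]


def audit_region(region: str) -> list:
    """List every User Pool in a region and evaluate each one (live AWS call)."""
    import boto3  # imported here so the pure functions stay importable offline

    client = boto3.client("cognito-idp", region_name=region)
    findings = []
    # ListUserPools is paginated and requires MaxResults (1-60).
    paginator = client.get_paginator("list_user_pools")
    for page in paginator.paginate(MaxResults=60):
        for summary in page.get("UserPools", []):
            pool = client.describe_user_pool(UserPoolId=summary["Id"])["UserPool"]
            findings.append(evaluate_user_pool(pool))
    return findings


# Constructed sample documents (not captured from a real account), in the
# shape DescribeUserPool returns, used to exercise the evaluation offline.
SAMPLE_POOLS = [
    {"Id": "us-east-1_EXAMPLE1", "Name": "customers", "DeletionProtection": "ACTIVE"},
    {"Id": "us-east-1_EXAMPLE2", "Name": "staff", "DeletionProtection": "INACTIVE"},
    {"Id": "us-east-1_EXAMPLE3", "Name": "legacy"},  # attribute absent
]


if __name__ == "__main__":
    import sys

    # With a region argument, audit the live account; otherwise use the samples.
    findings = audit_region(sys.argv[1]) if len(sys.argv) > 1 else [
        evaluate_user_pool(p) for p in SAMPLE_POOLS
    ]
    for f in findings:
        verdict = "OK" if f.compliant else "FAIL"
        print(f"{f.pool_id:24} {f.pool_name:16} {f.status:9} {verdict}")
    sys.exit(1 if non_compliant(findings) else 0)
```

Run it as `python audit_cognito.py <region>` to audit a live account; the non-zero exit status on any failing pool lets the check run in a scheduled job or CI pipeline.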

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Cognito.

  2. In the Cognito Dashboard, select User Pools and choose the User Pool you want to protect.

  3. Under the General Settings, look for the Deletion Protection option.

  4. Enable Deletion Protection by checking the corresponding box or enabling the setting.

  5. Save the changes to ensure deletion protection is activated for the selected Cognito User Pool.

Using AWS CLI:

  1. To enable deletion protection for the Cognito User Pool, run:

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --deletion-protection ACTIVE

    Note: update-user-pool resets every attribute that is not supplied in the call to its default value, so include the pool's existing settings (for example its policies, MFA configuration, and attribute settings) in the same command rather than passing only the deletion protection flag.

  2. Verify that deletion protection has been successfully enabled; the result should be ACTIVE:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.DeletionProtection' --output text

Backout Plan:

Using AWS Console:

  1. If enabling deletion protection causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito and select the User Pool.

  3. Under General Settings, go to Pool details.

  4. Uncheck the Enable deletion protection checkbox to disable the protection.

  5. Save the changes.

Using AWS CLI:

  1. To disable deletion protection, run the following command (the same note about unspecified attributes being reset applies here):

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --deletion-protection INACTIVE --region <region>

  2. Verify that deletion protection has been disabled by describing the User Pool again; the result should be INACTIVE:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --region <region> --query 'UserPool.DeletionProtection' --output text

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                   | IG1 | IG2 | IG3
  --------|------------|-----------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                  |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.              |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                       |     |     |