Security Hub controls for Amazon Cognito
These AWS Security Hub controls evaluate the Amazon Cognito service and resources.
These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.
[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication
Category: Protect > Secure access management
Severity: Medium
Resource type:
AWS::Cognito::UserPool
AWS Config rule: cognito-user-pool-advanced-security-enabled
Schedule type: Change triggered
Parameters:
| Parameter | Description | Type | Allowed custom values | Security Hub default value |
|---|---|---|---|---|
|
|
The threat protection enforcement mode that the control checks for |
String |
|
|
This control checks whether an Amazon Cognito user pool has threat protection activated with the enforcement mode set to
full function. The control fails if the user pool has threat protection deactivated or if the enforcement mode isn't set to full
function. Unless you provide custom parameter values, Security Hub uses the default value of ENFORCED for enforcement mode
set to full function.
After you create a Cognito user pool, you can activate threat protection and customize the actions that are taken in response to different risks. Or, you can use audit mode to gather metrics on detected risks without applying any security mitigations. In audit mode, threat protection publishes metrics to Amazon CloudWatch. You can see metrics after Cognito generates its first event.
Remediation
To activate threat protection for a Cognito user pool, see Advanced security with threat protection in the Amazon Cognito Developer Guide.
