AWS Security Hub · Cognito
Cognito.1: Cognito threat protection is not enforced
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Cognito.1 check?
Cognito.1 checks that a user pool has threat protection (formerly Advanced Security) activated for the standard authentication flows — USER_SRP_AUTH and USER_PASSWORD_AUTH. It fails unless enforcement is set to ENFORCED; AUDIT mode logs risk but takes no action, which does not pass.
Why does Cognito.1 matter?
Without threat protection, every sign-in is treated the same — a legitimate user on their usual device gets the same trust as a credential-stuffing bot replaying a leaked password from a foreign proxy. Cognito has no signal to challenge or block the second case, so it doesn't. Once an account is taken over the attacker can change the email, rotate MFA, and pivot to flows the user can reach.
How do I fix Cognito.1?
- Enable threat protection on the user pool and set the standard auth flows to ENFORCED.
- Configure the action per risk level — typically MFA challenge on MEDIUM, block on HIGH.
- Confirm compromised-credential and account-takeover detection are both active, then watch the findings.
Remediation script · bash

# Step 1: flip the pool into ENFORCED.
# Caveat: update-user-pool resets every attribute you omit to its default,
# so pass the pool's existing settings alongside --user-pool-add-ons.
aws cognito-idp update-user-pool \
  --user-pool-id us-east-1_aB3cD4eF5 \
  --user-pool-add-ons AdvancedSecurityMode=ENFORCED

# Step 2: wire the standard-auth risk configuration.
aws cognito-idp set-risk-configuration \
  --user-pool-id us-east-1_aB3cD4eF5 \
  --compromised-credentials-risk-configuration \
    EventFilter=SIGN_IN,PASSWORD_CHANGE,SIGN_UP,Actions={EventAction=BLOCK} \
  --account-takeover-risk-configuration \
    Actions='{LowAction={EventAction=NO_ACTION,Notify=true},MediumAction={EventAction=MFA_IF_CONFIGURED,Notify=true},HighAction={EventAction=BLOCK,Notify=true}}'

# Step 3: the same call scoped to a CUSTOM_AUTH client closes Cognito.4.
aws cognito-idp set-risk-configuration \
  --user-pool-id us-east-1_aB3cD4eF5 \
  --client-id 7abcd1234efgh5678ijklmnop \
  --account-takeover-risk-configuration \
    Actions='{HighAction={EventAction=BLOCK,Notify=true}}'

Full walkthrough (console steps, edge cases and verification) in the lesson Enable Cognito threat protection.
Is Cognito.1 a false positive?
AUDIT mode looks like protection on the dashboard but only logs risk scores; the control requires ENFORCED before Cognito will actually challenge or block risky sign-ins.
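To verify the fix the way the control evaluates it, the following added example (not part of this page or of AWS tooling) replays the Cognito.1 logic over the JSON that `describe-user-pool` and `describe-risk-configuration` return, treating AUDIT and a missing UserPoolAddOns block as failures, and then flags risk-level actions still left at NO_ACTION; the sample responses are constructed, not captured from a real pool.

```python
"""Offline checker for Security Hub control Cognito.1 plus the risk-action
follow-up. Feed it the parsed output of `aws cognito-idp describe-user-pool`
and `aws cognito-idp describe-risk-configuration`."""

def cognito1_status(user_pool: dict) -> tuple[str, str]:
    """Return ("PASSED" | "FAILED", reason). Only ENFORCED passes; a pool with
    no UserPoolAddOns block at all has threat protection OFF."""
    add_ons = user_pool.get("UserPool", {}).get("UserPoolAddOns") or {}
    mode = add_ons.get("AdvancedSecurityMode", "OFF")
    if mode == "ENFORCED":
        return "PASSED", "AdvancedSecurityMode=ENFORCED"
    if mode == "AUDIT":
        return "FAILED", "AUDIT only logs risk scores; nothing is challenged or blocked"
    return "FAILED", f"AdvancedSecurityMode={mode}"

def risk_config_gaps(risk_cfg: dict) -> list[str]:
    """List risk-level actions that are missing or weaker than the page's
    baseline (BLOCK compromised credentials, MFA on MEDIUM, BLOCK on HIGH)."""
    rc = risk_cfg.get("RiskConfiguration", {})
    gaps = []
    cc = rc.get("CompromisedCredentialsRiskConfiguration") or {}
    if cc.get("Actions", {}).get("EventAction") != "BLOCK":
        gaps.append("compromised-credentials action is not BLOCK")
    ato = rc.get("AccountTakeoverRiskConfiguration", {}).get("Actions", {})
    wanted = {"MediumAction": {"MFA_IF_CONFIGURED", "MFA_REQUIRED", "BLOCK"},
              "HighAction": {"BLOCK"}}
    for level, ok in wanted.items():
        action = ato.get(level, {}).get("EventAction", "NO_ACTION")
        if action not in ok:
            gaps.append(f"{level}={action}")
    return gaps

# Constructed sample responses (pool id is a placeholder, not a real pool).
AUDIT_POOL = {"UserPool": {"Id": "us-east-1_EXAMPLE",
                           "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"}}}
ENFORCED_POOL = {"UserPool": {"Id": "us-east-1_EXAMPLE",
                              "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"}}}
RISK_OK = {"RiskConfiguration": {
    "CompromisedCredentialsRiskConfiguration": {"Actions": {"EventAction": "BLOCK"}},
    "AccountTakeoverRiskConfiguration": {"Actions": {
        "LowAction": {"EventAction": "NO_ACTION", "Notify": True},
        "MediumAction": {"EventAction": "MFA_IF_CONFIGURED", "Notify": True},
        "HighAction": {"EventAction": "BLOCK", "Notify": True}}}}}
RISK_WEAK = {"RiskConfiguration": {"AccountTakeoverRiskConfiguration": {"Actions": {
    "MediumAction": {"EventAction": "MFA_IF_CONFIGURED", "Notify": True}}}}}

if __name__ == "__main__":
    for pool in (AUDIT_POOL, ENFORCED_POOL):
        print(cognito1_status(pool))
    print(risk_config_gaps(RISK_OK), risk_config_gaps(RISK_WEAK))
```

With boto3 the same functions take `client.describe_user_pool(UserPoolId=...)` and `client.describe_risk_configuration(UserPoolId=...)` directly, since those return the same shapes as the CLI output.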