AWS Security Hub · Cognito
Cognito.3: Cognito password policy is too weak
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Cognito.3 check?
Cognito.3 reads a user pool's PasswordPolicy from DescribeUserPool and fails when the credential-strength settings fall below the recommended baseline — minimum length, required character classes, and (with Advanced Security enabled) password history. The Cognito defaults are weak: an 8-character minimum, no complexity, and history disabled.
Why does Cognito.3 matter?
Attackers replay breached-password corpora against any login endpoint they can find. An 8-character minimum with no history rule means a user who set Welcome2023! quietly rotates to Welcome2024! on every forced reset, and anyone who saw last year's breach guesses this year's password in three tries. Once they have a session, Cognito's downstream trust hands out STS credentials and identity tokens.
How do I fix Cognito.3?
- Raise MinimumLength and require uppercase, lowercase, numbers, and symbols on the pool's PasswordPolicy.
- Enable Advanced Security and set PasswordHistorySize to block password reuse.
- Communicate the change — the policy only applies to the next signup, ForgotPassword, or ChangePassword, not existing passwords.
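The evaluation the control performs and the three fix steps above, as an added Python example (not Security Hub's, AWS's, or this page's own code). It audits a DescribeUserPool response against a baseline and builds the arguments for update_user_pool. The baseline thresholds (14 characters, history of 24) are assumptions chosen to match the IAM values used in the script below, the sample pool is constructed, and the AdvancedSecurityMode value used to activate password history is also an assumption; everything else uses the real PasswordPolicy and UserPoolAddOns field names.

```python
"""Audit a Cognito user pool's PasswordPolicy against a Cognito.3-style baseline
and build the hardened policy to send with UpdateUserPool.

Added illustration, not AWS or Security Hub code. Baseline thresholds are assumed.
"""
from __future__ import annotations

from typing import Any

# Assumed baseline (not the control's published thresholds).
BASELINE: dict[str, Any] = {
    "MinimumLength": 14,
    "RequireUppercase": True,
    "RequireLowercase": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "PasswordHistorySize": 24,
}

# Constructed sample of a DescribeUserPool "UserPool" object for a pool left at
# the weak settings the text describes: 8 characters, no complexity, no history.
SAMPLE_POOL: dict[str, Any] = {
    "Id": "us-east-1_EXAMPLE",  # placeholder pool id
    "Policies": {
        "PasswordPolicy": {
            "MinimumLength": 8,
            "RequireUppercase": False,
            "RequireLowercase": False,
            "RequireNumbers": False,
            "RequireSymbols": False,
            "TemporaryPasswordValidityDays": 7,
        }
    },
    "UserPoolAddOns": {"AdvancedSecurityMode": "OFF"},
}

COMPLEXITY_FLAGS = ("RequireUppercase", "RequireLowercase", "RequireNumbers", "RequireSymbols")


def evaluate_password_policy(pool: dict[str, Any], baseline: dict[str, Any] = BASELINE) -> list[str]:
    """Return one finding per setting weaker than the baseline; empty list means PASS."""
    policy = pool.get("Policies", {}).get("PasswordPolicy", {})
    findings: list[str] = []
    length = policy.get("MinimumLength", 0)
    if length < baseline["MinimumLength"]:
        findings.append(f"MinimumLength {length} < {baseline['MinimumLength']}")
    for flag in COMPLEXITY_FLAGS:
        if baseline[flag] and not policy.get(flag, False):
            findings.append(f"{flag} not required")
    # Password history is only enforced while Advanced Security is active, so a
    # pool with it OFF cannot satisfy the history requirement whatever it sets.
    mode = pool.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF")
    history = policy.get("PasswordHistorySize", 0)
    if mode == "OFF":
        findings.append("AdvancedSecurityMode is OFF, so PasswordHistorySize is not enforced")
    elif history < baseline["PasswordHistorySize"]:
        findings.append(f"PasswordHistorySize {history} < {baseline['PasswordHistorySize']}")
    return findings


def hardened_policy(pool: dict[str, Any], baseline: dict[str, Any] = BASELINE) -> dict[str, Any]:
    """Merge the baseline over the pool's current PasswordPolicy.

    UpdateUserPool resets any attribute you omit to its default, so fields such
    as TemporaryPasswordValidityDays are carried over rather than dropped. The
    same caveat applies to the call's other top-level parameters (MFA settings,
    Lambda triggers, ...): re-send the current values for those too.
    """
    merged = dict(pool.get("Policies", {}).get("PasswordPolicy", {}))
    merged.update(baseline)
    return {"PasswordPolicy": merged}


def update_user_pool_kwargs(pool: dict[str, Any], baseline: dict[str, Any] = BASELINE) -> dict[str, Any]:
    """Keyword arguments for boto3 client('cognito-idp').update_user_pool (not called here)."""
    return {
        "UserPoolId": pool["Id"],
        "Policies": hardened_policy(pool, baseline),
        # Assumption: AUDIT activates Advanced Security (and so password history)
        # without changing sign-in behaviour the way ENFORCED does.
        "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"},
    }


if __name__ == "__main__":
    for finding in evaluate_password_policy(SAMPLE_POOL):
        print("FAIL:", finding)
    print("update_user_pool(**kwargs) with:", update_user_pool_kwargs(SAMPLE_POOL))
```

Run it against a real pool by replacing SAMPLE_POOL with `client.describe_user_pool(UserPoolId=...)["UserPool"]`; the merge in hardened_policy is the part people get wrong, because sending only the strengthened fields silently resets the rest of the pool's configuration.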
Remediation script · bash
# Note: the commands below harden IAM user credentials and the IAM account password policy;
# the Cognito user pool's own PasswordPolicy is changed with `aws cognito-idp update-user-pool`.
# Find active credentials idle past 45 days and disable them (review before deleting).
CUTOFF=$(date -u -d '45 days ago' +%Y-%m-%d)   # GNU date syntax
aws iam generate-credential-report >/dev/null
aws iam get-credential-report --query Content --output text | base64 -d \
| awk -F, -v c="$CUTOFF" 'NR>1 && $9=="true" && $11<c {print $1, $10}'
aws iam update-access-key --user-name old-contractor \
--access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive
# Apply the CIS-aligned IAM password policy in one idempotent call.
aws iam update-account-password-policy --minimum-password-length 14 \
--require-uppercase-characters --require-lowercase-characters \
--require-numbers --require-symbols --password-reuse-prevention 24
# A clear-text key in a build project is compromised: rotate and delete, never just relocate.
aws iam delete-access-key --user-name ci-deploy --access-key-id AKIAIOSFODNN7EXAMPLE
Full walkthrough (console steps, edge cases and verification) in the lesson Rotate and remove stale IAM credentials.
Is Cognito.3 a false positive?
Tightening the policy does not retroactively strengthen passwords already in the pool. Existing users keep their old password until their next change, so the risk persists until they rotate.