Cognito.4: Cognito threat protection is not enforced
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Cognito.4 check?
Cognito.4 checks that threat protection is activated for custom authentication, meaning the Lambda-trigger flows (CUSTOM_AUTH) used for passwordless or magic-link sign-in. The control fails unless the custom-auth mode is ENFORCED; AUDIT mode, which only computes and logs the risk score without acting on it, does not pass.
Why does Cognito.4 matter?
Custom auth flows are an attractive target precisely because they sidestep the password and lean on Lambda triggers. Without enforced threat protection, those flows get no risk scoring — a credential-stuffing or account-takeover attempt through the custom path is treated exactly like a legitimate user. Cognito.4 is the custom-auth sibling of Cognito.3, and both need ENFORCED so the whole pool is covered.
How do I fix Cognito.4?
- Enable threat protection and set the custom authentication flow to ENFORCED.
- Define per-risk-level actions (challenge on MEDIUM, block on HIGH) for the custom flow.
- Verify both standard (Cognito.3) and custom flows are ENFORCED — covering one leaves the other open.
Remediation script · bash
#!/usr/bin/env bash
set -euo pipefail
# Step 1: flip the pool into ENFORCED for both flows. AdvancedSecurityMode covers the
# standard flow (Cognito.3); AdvancedSecurityAdditionalFlows.CustomAuthMode covers the
# custom (Lambda-trigger) flow that Cognito.4 evaluates.
# Caveat: update-user-pool sets every attribute you leave out back to its default, so
# carry over the pool's existing settings (compare with describe-user-pool first).
aws cognito-idp update-user-pool \
  --user-pool-id us-east-1_aB3cD4eF5 \
  --user-pool-add-ons 'AdvancedSecurityMode=ENFORCED,AdvancedSecurityAdditionalFlows={CustomAuthMode=ENFORCED}'
# Step 2: wire the pool-level risk configuration (applies to every app client).
aws cognito-idp set-risk-configuration \
  --user-pool-id us-east-1_aB3cD4eF5 \
  --compromised-credentials-risk-configuration \
    'EventFilter=SIGN_IN,PASSWORD_CHANGE,SIGN_UP,Actions={EventAction=BLOCK}' \
  --account-takeover-risk-configuration \
    'Actions={LowAction={EventAction=NO_ACTION,Notify=true},MediumAction={EventAction=MFA_IF_CONFIGURED,Notify=true},HighAction={EventAction=BLOCK,Notify=true}}'
# Step 3: the same call scoped to the app client that uses CUSTOM_AUTH, so the custom
# flow gets its own per-risk-level actions (a client-level configuration overrides the
# pool-level one for that client).
aws cognito-idp set-risk-configuration \
  --user-pool-id us-east-1_aB3cD4eF5 \
  --client-id 7abcd1234efgh5678ijklmnop \
  --account-takeover-risk-configuration \
    'Actions={HighAction={EventAction=BLOCK,Notify=true}}'
Full walkthrough (console steps, edge cases and verification) in the lesson Enable Cognito threat protection.
Is Cognito.4 a false positive?
Enforcing threat protection on standard auth does not cover custom auth. The two are separate controls precisely because the Lambda-trigger flows are configured independently.
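The fix list's last step and the false-positive note both come down to reading two separate fields back from the pool: UserPoolAddOns.AdvancedSecurityMode (standard flow, Cognito.3) and UserPoolAddOns.AdvancedSecurityAdditionalFlows.CustomAuthMode (custom flow, Cognito.4). The verification script below is an added example, not part of the original page or of AWS tooling. It assumes AWS CLI v2 with cognito-idp:DescribeUserPool permission; the pool ID is the page's placeholder, and the evaluate_modes function is a hypothetical helper that holds the pass/fail logic so it can be exercised without AWS access.

```shell
#!/usr/bin/env sh
# Added example: verify Cognito.3 and Cognito.4 for one user pool from the CLI.
set -eu

# Pure check. Takes the two mode strings and returns 0 only when both are ENFORCED.
# Prints one line per control so the operator sees which flow is still open.
evaluate_modes() {
  standard="${1:-None}"
  custom="${2:-None}"
  rc=0
  if [ "$standard" = "ENFORCED" ]; then
    echo "Cognito.3 PASS (AdvancedSecurityMode=$standard)"
  else
    echo "Cognito.3 FAIL (AdvancedSecurityMode=$standard)"
    rc=1
  fi
  if [ "$custom" = "ENFORCED" ]; then
    echo "Cognito.4 PASS (CustomAuthMode=$custom)"
  else
    # AUDIT only logs the risk score; None means the custom flow was never configured.
    echo "Cognito.4 FAIL (CustomAuthMode=$custom)"
    rc=1
  fi
  return $rc
}

# Live check. The JMESPath projection returns both modes on one tab-separated line
# with --output text; an absent field comes back as the literal string None.
check_pool() {
  pool_id="$1"
  modes=$(aws cognito-idp describe-user-pool \
    --user-pool-id "$pool_id" \
    --query 'UserPool.UserPoolAddOns.[AdvancedSecurityMode, AdvancedSecurityAdditionalFlows.CustomAuthMode]' \
    --output text)
  # Split on the tab; if UserPoolAddOns is missing entirely there is one "None" token.
  set -- $modes
  evaluate_modes "${1:-None}" "${2:-None}"
}

# Usage: sh check_cognito_threat_protection.sh us-east-1_aB3cD4eF5
if [ "${1:-}" != "" ]; then
  check_pool "$1"
fi
```

Run it against each pool that Security Hub flags; a pool that passes Cognito.3 but prints a Cognito.4 FAIL line is exactly the case the false-positive section describes, and the fix is the CustomAuthMode setting rather than another pass over the standard flow.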