Compliance · Medium severity

AWS Security Hub · Cognito

Cognito.6: A Cognito user pool can be deleted by accident

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Cognito.6 check?

Cognito.6 checks the DeletionProtection attribute on a user pool and fails when it is INACTIVE. With it ACTIVE, the delete-user-pool API is rejected until someone first calls update-user-pool to set it back to INACTIVE.

Why does Cognito.6 matter?

A user pool can be deleted in a single API call, and there is no soft-delete, recycle bin, or recovery path. The operation completes in seconds and takes every user record, password hash, MFA enrolment, group, app client, and identity-provider link with it. Every active session token becomes worthless and every logged-in customer is logged out mid-session. AWS Support cannot restore it — the only option is to rebuild and force a re-registration.

How do I fix Cognito.6?

  1. Set DeletionProtection to ACTIVE on every customer-facing user pool.
  2. Require the deliberate two-step (update to INACTIVE, then delete) for any genuine teardown.
  3. Pin the setting in IaC so stack re-applies do not silently turn it off.

Remediation script · bash (RDS, CloudFormation and ELB deletion protection)

# Enable deletion protection on every unprotected standalone RDS instance in a region.
for id in $(aws rds describe-db-instances \
  --query 'DBInstances[?DeletionProtection==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --deletion-protection --apply-immediately
  echo "Protected RDS instance: $id"
done

# Termination-protect every production-tagged CloudFormation stack (eyeball the list first).
aws cloudformation describe-stacks \
  --query "Stacks[?Tags[?Key=='Environment' && Value=='production']].StackName" \
  --output text | tr '\t' '\n' | while read -r stack; do
  aws cloudformation update-termination-protection \
    --stack-name "$stack" --enable-termination-protection
  echo "Protected stack: $stack"
done

# Deletion-protect a production load balancer.
aws elbv2 modify-load-balancer-attributes --load-balancer-arn "$LB_ARN" \
  --attributes Key=deletion_protection.enabled,Value=true
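Fix step 1 above for a single Cognito user pool, as an added example in Python with boto3 (not emnode's script). The point it demonstrates is the caveat a bare update hides: UpdateUserPool resets every attribute you leave out to its default (per the API reference), so the helper copies the pool's current settings from DescribeUserPool before flipping DeletionProtection to ACTIVE. Assumed: boto3 credentials with cognito-idp:DescribeUserPool and UpdateUserPool permission, and that the UPDATABLE_KEYS list (taken from the UpdateUserPool reference) is checked against your SDK version; the sample pool in the demo is constructed.

```python
# Added example, not the page's own script: enable DeletionProtection on one
# Cognito user pool without clobbering its other settings. Sequence:
# DescribeUserPool -> copy updatable settings -> DeletionProtection=ACTIVE ->
# UpdateUserPool. Assumes boto3 credentials; re-check UPDATABLE_KEYS per SDK.
import copy

# Settings DescribeUserPool returns that UpdateUserPool also accepts; read-only
# fields (Id, Arn, Status, SchemaAttributes, Domain, ...) must not be sent back.
UPDATABLE_KEYS = (
    "Policies", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage",
    "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "UserAttributeUpdateSettings",
    "MfaConfiguration", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig",
    "UserPoolAddOns", "AccountRecoverySetting",
)

def needs_protection(describe_response: dict) -> bool:
    """Cognito.6 fails when DeletionProtection is INACTIVE (or absent)."""
    return describe_response["UserPool"].get("DeletionProtection") != "ACTIVE"

def build_protect_request(describe_response: dict) -> dict:
    """Turn a DescribeUserPool response into an UpdateUserPool request that
    keeps every current setting and flips DeletionProtection to ACTIVE."""
    pool = describe_response["UserPool"]
    req = {k: copy.deepcopy(pool[k]) for k in UPDATABLE_KEYS if k in pool}
    # Describe can return the legacy UnusedAccountValidityDays alongside
    # TemporaryPasswordValidityDays; the update API rejects both together.
    if "TemporaryPasswordValidityDays" in req.get("Policies", {}).get("PasswordPolicy", {}):
        req.get("AdminCreateUserConfig", {}).pop("UnusedAccountValidityDays", None)
    req["UserPoolId"] = pool["Id"]
    req["DeletionProtection"] = "ACTIVE"
    return req

def protect_user_pool(pool_id: str, region: str) -> bool:
    """Apply the fix to one pool; returns True when an update was sent."""
    import boto3  # imported here so the pure helpers above run offline
    idp = boto3.client("cognito-idp", region_name=region)
    described = idp.describe_user_pool(UserPoolId=pool_id)
    if not needs_protection(described):
        return False
    idp.update_user_pool(**build_protect_request(described))
    return True

if __name__ == "__main__":  # offline demo on a constructed Describe response
    demo = {"UserPool": {"Id": "us-east-1_EXAMPLE", "DeletionProtection": "INACTIVE",
                         "MfaConfiguration": "ON", "Arn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE"}}
    print(build_protect_request(demo))
```

Loop protect_user_pool over the IDs from list-user-pools to cover a whole region, and keep step 3 in mind: an IaC re-apply that omits the attribute will send the same kind of reset.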

Full walkthrough (console steps, edge cases and verification) in the lesson Enable deletion and termination protection.

Part of the learning path Lock down access
  • Cognito.1 Cognito threat protection is not enforced
  • Cognito.3 Cognito password policy is too weak
  • Cognito.4 Cognito threat protection is not enforced
  • Cognito.5 Cognito users can sign in without MFA