Compliance

Enable Cognito threat protection

Security Hub Cognito.X — threat protection (formerly Advanced Security) blocks compromised credentials, anomalous logins, and bot attacks. Set enforcement to full.

11 min·10 sections·AWS

Last reviewed 27 May 2026

Remediates AWS Security Hub: Cognito.1 Cognito.4

Cognito threat protection: the basics

What threat protection actually does to a user pool

Amazon Cognito user pools are how millions of apps authenticate end users — sign-up, sign-in, password reset, MFA. Threat protection (renamed from "Advanced Security" in late 2024) is the security layer Cognito layers on top of the raw auth flow. It scores every authentication attempt for risk and can challenge or block the ones that look wrong, without requiring a single line of application code.

Three things get scored on every sign-in: whether the password appears in a globally-maintained breach corpus (compromised credentials), whether the device/IP/geo/velocity looks anomalous for that user (account takeover), and whether the request looks like an automated scraper or credential-stuffing bot. Each attempt comes out with a LOW / MEDIUM / HIGH risk label, and you decide what happens at each level — no action, an MFA challenge, or an outright block.

Security Hub flags two related findings: Cognito.3 ("User pools should have threat protection activated") and Cognito.4 ("Threat protection should be activated for custom authentication"). The standard control covers USER_SRP_AUTH and USER_PASSWORD_AUTH; the custom-auth control covers Lambda-trigger flows like passwordless or magic-link sign-in. Both have to be set to ENFORCED — AUDIT mode logs the risk but doesn't act on it, which fails the control.

In this lesson you'll learn what threat protection scores, the three enforcement modes, how to wire risk levels to actions, and the difference between standard and custom-auth coverage. You'll see real CLI to inspect a pool's current configuration and the exact set-risk-configuration call to enable full enforcement with sensible defaults.

Fun fact

Credential stuffing is the #1 attack vector

Verizon's 2024 Data Breach Investigations Report attributes roughly 24% of all confirmed breaches to credential stuffing and brute-force — attackers replaying leaked username/password pairs from other sites against your login endpoint. Cognito's compromised-credentials check compares each sign-in against a corpus of billions of leaked pairs and blocks the match before the password is even validated. Turning it on takes one API call; not turning it on is roughly the security equivalent of leaving the login form unrate-limited.

Enabling threat protection in action

Priya is the platform lead at a healthtech SaaS. Security Hub fires Cognito.3 against their production user pool us-east-1_aB3cD4eF5 — threat protection is OFF. Two weeks earlier the pool saw a 40× spike in failed logins from a single ASN; the SOC suspected credential stuffing but had no per-attempt risk signal to confirm.

She doesn't flip everything to ENFORCED blind — she wants to see what's currently configured and what the risk distribution looks like first. AUDIT mode is a useful stepping stone: it logs risk decisions to CloudWatch without blocking real users, so you can tune the action map before turning enforcement on.

She starts by describing the pool to see the current security mode.

First, check the pool's current threat-protection state. The relevant field is UserPoolAddOns.AdvancedSecurityMode.

$ aws cognito-idp describe-user-pool --user-pool-id us-east-1_aB3cD4eF5 --query 'UserPool.{Name:Name,Mode:UserPoolAddOns.AdvancedSecurityMode,MFA:MfaConfiguration}'

{

"Name": "prod-customers",

"Mode": "OFF",

"MFA": "OPTIONAL"

}

# AdvancedSecurityMode OFF — no risk scoring, no compromised-credential check.

Current state of the flagged pool. Threat protection is dark.

Enable threat protection in ENFORCED mode and wire the risk-action map. HIGH blocks, MEDIUM challenges with MFA, LOW logs only. Compromised credentials always block.

$ aws cognito-idp set-risk-configuration --user-pool-id us-east-1_aB3cD4eF5 --compromised-credentials-risk-configuration EventFilter=SIGN_IN,PASSWORD_CHANGE,SIGN_UP,Actions={EventAction=BLOCK} --account-takeover-risk-configuration Actions='{LowAction={EventAction=NO_ACTION,Notify=true},MediumAction={EventAction=MFA_IF_CONFIGURED,Notify=true},HighAction={EventAction=BLOCK,Notify=true}}'

{

"RiskConfiguration": {

"UserPoolId": "us-east-1_aB3cD4eF5",

"CompromisedCredentialsRiskConfiguration": {

"EventFilter": ["SIGN_IN", "PASSWORD_CHANGE", "SIGN_UP"],

"Actions": { "EventAction": "BLOCK" }

"AccountTakeoverRiskConfiguration": {

"Actions": {

"LowAction": { "Notify": true, "EventAction": "NO_ACTION" },

"MediumAction": { "Notify": true, "EventAction": "MFA_IF_CONFIGURED" },

"HighAction": { "Notify": true, "EventAction": "BLOCK" }

Risk configuration applied. Compromised passwords blocked outright; ATO scored and acted on per risk level.

Threat protection under the hooddeep dive

Threat protection runs as an inline interceptor in the Cognito auth flow. When a sign-in lands, Cognito computes a fingerprint from device characteristics, source IP, AS number, geo-location, time-of-day relative to the user's historical pattern, and velocity (how fast the user moves between locations or devices). That fingerprint is scored against the user's behavioural baseline and against global indicators of compromise, and the result is a risk band — LOW, MEDIUM, or HIGH.

The compromised-credentials check is a separate pipeline. Cognito maintains an indexed corpus of credentials leaked across known public dumps; on every SIGN_IN, PASSWORD_CHANGE, or SIGN_UP it hashes the submitted password client-side-style and looks it up. A match means "this exact username+password pair is already in the wild" — the safe action is always BLOCK because letting it through is opting in to credential stuffing.

Modes form a ladder: OFF (no scoring, no logs, no cost), AUDIT (full scoring, CloudWatch events, no enforcement — useful for tuning), and ENFORCED (full scoring and the configured EventAction per risk level — what Cognito.3 requires). Custom-auth flows (CUSTOM_AUTH challenges driven by Lambda triggers) have their own configuration block because the auth pipeline is different — that's why Cognito.4 exists as a separate control.

# Inspect both standard and custom-auth risk configs in one call.
aws cognito-idp describe-risk-configuration \
  --user-pool-id us-east-1_aB3cD4eF5 \
  --query 'RiskConfiguration.{Std:AccountTakeoverRiskConfiguration.Actions,Compromised:CompromisedCredentialsRiskConfiguration.Actions}'

What is the impact of leaving threat protection off?

The direct impact is unscored auth. Without threat protection, every sign-in attempt is treated the same — a legitimate user logging in from their usual device gets the same trust as a credential-stuffing bot replaying a leaked password from a residential proxy in another country. Cognito has no signal to block the second case, so it doesn't.

The second-order impact is breach blast radius. Once an attacker takes over a user's account they can change the email, rotate MFA, exfiltrate data, and pivot to internal flows the user has access to. The cost of one successful account takeover at a SaaS company is typically measured in tens of thousands of dollars in incident response, customer communication, and credential rotation — multiples of the per-MAU threat-protection charge across an entire pool.

Regulatory consequences compound the picture. SOC 2, ISO 27001, HIPAA, and GDPR all expect risk-based authentication controls. A Security Hub Cognito.3 finding sitting open in your audit trail is documented evidence that you knew the control existed and chose not to enable it — which materially affects how an auditor treats the rest of your identity stack.

The cost side is straightforward: threat protection bills per monthly active user (MAU) above the free tier, typically a small fraction of a cent per MAU. For most pools the bill is a rounding error compared to the engineering hours one account-takeover incident consumes. The math almost never says "leave it off".

How do you enable threat protection safely?

Turning threat protection on is a four-step loop. Skipping any step gets you either a flood of false-positive blocks or a configuration that passes the Security Hub check but does nothing useful.

1. Inventory the pool's current state and auth flows

Use describe-user-pool to read AdvancedSecurityMode and MfaConfiguration, and list-user-pool-clients to see which clients use USER_SRP_AUTH, USER_PASSWORD_AUTH, or CUSTOM_AUTH. The custom-auth flows need their own configuration block — Cognito.4 will keep failing if you only set the standard one.

2. Start in AUDIT mode and tune the action map

Set the pool to AUDIT for a week and watch the CloudWatch events. You'll see the real risk distribution for your user base — what fraction of sign-ins score MEDIUM, where geo-anomaly false positives are coming from (travelling employees, mobile carriers that NAT through unexpected regions). Tune the per-risk action map before flipping to ENFORCED.

3. Flip to ENFORCED with compromised-credentials always BLOCK

Use set-risk-configuration with AccountTakeoverRiskConfiguration set to your tuned map (typical: LOW=NO_ACTION+notify, MEDIUM=MFA_IF_CONFIGURED, HIGH=BLOCK) and CompromisedCredentialsRiskConfiguration set to BLOCK across SIGN_IN, PASSWORD_CHANGE, and SIGN_UP. Set the pool's UserPoolAddOns.AdvancedSecurityMode to ENFORCED. Then repeat for the custom-auth configuration if any client uses CUSTOM_AUTH.

4. Pair with MFA-required and WebAuthn for phishing-resistance

Threat protection challenges with MFA on medium-risk sign-ins, which only helps if MFA is actually enrolled. Move MfaConfiguration to ON (required) for high-value pools and enable WebAuthn so the second factor is phishing-resistant. Re-evaluate the risk distribution quarterly — attacker behaviour drifts, and so does your user base.

# Step 1: flip the pool into ENFORCED.
aws cognito-idp update-user-pool \
  --user-pool-id us-east-1_aB3cD4eF5 \
  --user-pool-add-ons AdvancedSecurityMode=ENFORCED

# Step 2: wire the standard-auth risk configuration.
aws cognito-idp set-risk-configuration \
  --user-pool-id us-east-1_aB3cD4eF5 \
  --compromised-credentials-risk-configuration \
      EventFilter=SIGN_IN,PASSWORD_CHANGE,SIGN_UP,Actions={EventAction=BLOCK} \
  --account-takeover-risk-configuration \
      Actions='{LowAction={EventAction=NO_ACTION,Notify=true},MediumAction={EventAction=MFA_IF_CONFIGURED,Notify=true},HighAction={EventAction=BLOCK,Notify=true}}'

# Step 3: same call scoped to a CUSTOM_AUTH client closes Cognito.4.
aws cognito-idp set-risk-configuration \
  --user-pool-id us-east-1_aB3cD4eF5 \
  --client-id 7abcd1234efgh5678ijklmnop \
  --account-takeover-risk-configuration \
      Actions='{HighAction={EventAction=BLOCK,Notify=true}}'

Quick quiz

Question 1 of 5

Security Hub fires Cognito.3 against your production user pool with AdvancedSecurityMode set to AUDIT. What's the right next move?

Keep learning

Dig deeper into Cognito threat protection and the broader identity-hardening picture.

You've completed Enable Cognito threat protection. You can now read a user pool's current security mode, run AUDIT-then-tune-then-ENFORCED, configure compromised-credentials and account-takeover actions per risk level, and cover both standard and custom-auth flows. The next time Security Hub fires Cognito.3 or Cognito.4, you'll have a four-step loop ready to run.

Back to the library

Cognito threat protection: what it costs and what it buys

A per-user-per-month charge that blocks account takeover before it becomes an incident

Amazon Cognito is the authentication layer in front of your customer-facing applications — sign-in, sign-up, password reset. Threat protection is an add-on tier that scores every login attempt for risk and blocks or challenges the suspicious ones automatically. Security Hub flags user pools running without it as Cognito.3 (and Cognito.4 for custom login flows) at Medium severity.

The billing model is simple: threat protection charges a small fee per monthly active user (MAU) above the free tier — typically a fraction of a cent per user per month. For most commercial applications the annual cost is a rounding error on the cloud bill. The relevant comparison is not "does this add to spend?" but "how does this spend compare to the cost of one account-takeover incident?" A single credential-stuffing breach typically drives tens of thousands of dollars in incident response, customer notification, and credential rotation — multiples of the annual threat-protection bill for an entire pool.

Security Hub flags two modes: AUDIT (logs risk signals but takes no action — fails the control) and ENFORCED (acts on risk — passes the control). The finance-relevant framing is that AUDIT is a free observation period, not a remediation. The decision to move to ENFORCED is almost always economically obvious once the cost-per-MAU is modelled against the breach cost it prevents. The rare exception is a pool serving only internal or disposable users where account takeover carries near-zero business impact — those justify a documented exception, not a blanket opt-out.

This lesson is for the finance partner reviewing a Cognito.3 or Cognito.4 finding on the security dashboard. It explains the per-MAU cost model, why the remediation is almost always economically straightforward, the distinction between AUDIT mode (which fails the control and costs nothing) and ENFORCED mode (which passes it and costs a small per-user fee), and how to frame an intentional exception for low-impact pools. No commands required — the goal is to leave you able to price the decision and defend either outcome.

Fun fact

Credential stuffing is the #1 attack vector

How a finance partner frames the Cognito threat-protection decision

Jordan is the FinOps lead assigned to the security-and-cost review. The monthly dashboard shows three Cognito.3 findings — three user pools with threat protection either off or stuck on AUDIT. Before asking the team to fix everything, Jordan pulls the MAU count for each pool: one is the production customer-facing pool with 180,000 MAU, one is a partner portal with 4,000 MAU, and one is a dev/staging pool with a few hundred test accounts.

Jordan models the per-pool cost in five minutes: at the standard per-MAU rate, enabling ENFORCED on the production pool adds roughly $450/month; the partner portal adds about $10/month. The dev pool would add less than $2/month. Against that, Jordan pulls the incident-response estimate from the last breach postmortem in the company's risk register — the estimate for a credential-stuffing incident on the production pool is $85,000 minimum, not counting regulatory exposure under their HIPAA BAA.

The recommendation for the finance pack is straightforward: approve ENFORCED on all three, total incremental cost under $470/month, with the production pool carrying essentially all of it. The alternative — a documented exception for the dev pool — is also defensible, since a test-account takeover has near-zero business impact. Jordan records both paths as options and notes that any exception needs a written justification attached to the Security Hub suppression, so it's auditable.

What the risk register should say about an unprotected Cognito pool

The financial exposure from leaving threat protection off has two components: the direct incident cost and the regulatory tail. The direct cost of a successful credential-stuffing campaign on a production customer pool typically runs to tens of thousands of dollars in security-team hours, customer notification, credential rotation, and reputational damage — and that's before any contractual SLA penalties or customer churn. The regulatory tail is harder to bound: under SOC 2, HIPAA, or GDPR, a documented Security Hub finding left open at audit is evidence that you knew the control existed and chose not to enable it. Auditors treat that differently from a control you hadn't implemented yet.

The cost to close this finding is almost always small enough to make the risk register math one-sided. At standard Cognito pricing, enabling threat protection on a 100,000-MAU pool costs roughly $250/month — less than the burdened cost of a single engineer-hour of incident response. Framing it that way in the risk register converts the finding from a "security team issue" to a line item with a clear expected value: the annual premium versus the probability-weighted cost of one breach.

The one scenario where the math looks different is a pool serving only internal, low-privilege users or disposable test accounts. There the account-takeover blast radius is small, and a documented exception is a defensible decision. But that exception should be explicit — a recorded, reviewed justification attached to the Security Hub suppression — not an omission. Finance's role is to ensure every open Cognito.3 finding is either remediated or has a cost-and-risk justification on the record.

What finance can actually do about Cognito.3 and Cognito.4

Finance can't run set-risk-configuration, but it owns the cost-versus-risk framing that gets the decision made at the right speed and with the right documentation. Four levers.

1. Model the per-pool cost before the review

Pull MAU counts for each flagged pool and multiply by the per-MAU threat-protection rate. The number is almost always small — under $500/month for most pools. Presenting it as a concrete line item rather than an abstract "cloud security cost" removes the main hesitation from the engineering conversation and gets approval faster.

2. Compare the premium to the incident cost, not to zero

The right benchmark for the threat-protection charge is the expected cost of one successful credential-stuffing incident on that pool — incident response, customer notification, regulatory exposure. For a customer-facing pool that number is typically 50–200x the annual threat-protection premium. That framing makes the spend easy to approve and easy to defend at audit.

3. Require a documented justification for any exception

Any pool left at OFF or AUDIT after review should have a written cost-and-risk justification attached to the Security Hub suppression. A dev pool with disposable test accounts and zero PII is a defensible exception; a customer-facing pool without one is not. Finance's role is to ensure exceptions are explicit decisions, not silent omissions.

4. Track the finding count and per-MAU cost on the security-and-cost review

Put the count of Cognito.3/Cognito.4 open findings — segmented by customer-facing versus internal — on the monthly dashboard alongside the monthly threat-protection spend for the pools already in ENFORCED mode. That pairing shows both the exposure being carried and the cost of closing it, which is the number leadership needs to allocate remediation effort appropriately.

Quick quiz

Question 1 of 5

A security scan flags three Cognito.3 findings: a production customer pool with 150,000 MAU, a partner portal with 5,000 MAU, and a dev pool with 200 test accounts. Threat protection is OFF on all three. As the finance partner, what's the right recommendation?

Keep learning

Dig deeper into Cognito threat protection and the broader identity-hardening picture.

You've finished the finance partner's view of Cognito threat protection. You know the per-MAU cost model, why the incident-cost comparison almost always makes ENFORCED the obvious choice for customer-facing pools, how to frame a defensible exception for low-impact pools, and the four levers — cost modelling, incident-cost framing, documented exceptions, and dashboard tracking — that keep both the security posture and the spend decisions visible. Next time Cognito.3 shows up, you'll have a sharper answer than 'can we defer this?'

Back to the library

Cognito threat protection: the headline

Whether your customer login is defended against credential stuffing, or wide open to it

Every application that lets customers log in has a login endpoint, and every login endpoint is attacked. Credential stuffing — automated bots replaying leaked username/password pairs from other breaches — is one of the most common paths to account takeover. Cognito threat protection scores each login attempt and blocks the ones that look like an attack, without any code change in the application. Security Hub flags this as missing at Medium severity.

The executive question is simple: are the customer-facing authentication pools running with this control enabled, and is it set to ENFORCED rather than just AUDIT? AUDIT means you're watching attacks succeed without stopping them. The cost of enforcement is small — a fraction of a cent per active user per month. The cost of one successful account-takeover incident — response, notification, regulatory scrutiny — is almost always orders of magnitude larger. This is a control where 'not enabled by policy' is the only defensible answer; 'not enabled by oversight' is not.

A short read for the executive who wants to know whether this finding is a real risk or a paperwork issue. You'll learn what credential stuffing is, why threat protection stops it, and why AUDIT mode doesn't count as protection. The key takeaway is one question to ask: are all customer-facing authentication pools running in ENFORCED mode, and is every exception a documented, deliberate choice? No implementation detail.

Fun fact

Credential stuffing is the #1 attack vector

What good looks like for Cognito threat protection at the leadership level

At a mid-size SaaS company the CISO, Amara, used to answer "are we protected against credential stuffing?" with "Cognito handles authentication." After a Security Hub rollout surfaced three Cognito.3 findings, the honest answer became clearer: Cognito handles authentication, but the threat-scoring layer was off on two of the three pools, including the production customer pool.

Amara didn't need to understand the set-risk-configuration API call. She needed one thing: a commitment from engineering that all customer-facing pools would run in ENFORCED mode within two weeks, with a brief memo explaining why any pool left below that threshold was a deliberate, low-risk exception. The cost was negligible. The audit trail — showing that the finding was found, understood, and acted on — was the thing that mattered when the compliance team ran their next review.

That's the right frame for this control. It's not a complex technical decision; it's a governance check. Is the authentication layer in front of customers protected by policy, not by chance? A fast yes with documented exceptions is the healthy answer.

Why this finding is on the executive dashboard at all

This control shows up at the leadership level because the impact of getting it wrong is customer-facing and externally visible. Credential stuffing attacks don't stay inside your perimeter — they result in customer accounts being accessed, data being exfiltrated, and customers finding out their account was compromised. That's a trust and reputation event, not just an IT ticket. Security Hub flags this at Medium severity precisely because the probability of attack is high (it is the leading attack vector on login endpoints) and the cost of a miss is large.

The cost of enabling the control is small enough that it almost never warrants a deliberate opt-out decision for customer-facing pools. The leadership question is not whether to enable it but whether it is enabled everywhere it should be and whether every gap is a documented choice rather than an oversight. A clean answer to 'are all customer login pools running with threat protection enforced?' is a one-minute confidence signal at the board level. An unclear answer is a risk that needs to be on the agenda.

The leadership move on Cognito threat protection

This is a governance decision, not a technical one. The executive handle is to set a default policy and require that every pool's posture is a deliberate choice on the record.

1. Set the default: customer-facing pools run in ENFORCED mode

Make it policy that any Cognito user pool serving external or paying customers must have threat protection set to ENFORCED. That ends the per-pool debate and means the finding can only remain open if there is a documented, reviewed exception — not because no one got to it.

2. Accept AUDIT as a temporary tuning step, not a resting state

Engineering may need a week in AUDIT mode to tune the risk-action map before going ENFORCED. That's a valid operational reason to delay enforcement briefly. It is not a valid long-term state. Ask for a committed date to reach ENFORCED and track it.

3. Ask one question at the leadership review

"Are all customer-facing authentication pools in ENFORCED mode, with every exception documented and approved?" A consistent yes means the identity layer is governed by policy. It needs no technical depth and takes less than a minute to answer — that's the right level of leadership engagement for this control.

Quick quiz

Question 1 of 5

Your CISO reports that all customer-facing Cognito pools are now in ENFORCED mode, and the two dev/test pools are at OFF with documented justifications attached to the Security Hub suppressions. What's the right read?

Keep learning

Dig deeper into Cognito threat protection and the broader identity-hardening picture.

That's the lesson. Two takeaways: a Cognito pool running at OFF or AUDIT means credential-stuffing attacks are scoring uncontested against your customer logins, and the cost of enforcement is almost never the reason to leave it that way. The leadership question is whether every customer-facing pool is in ENFORCED mode and every exception is a documented, deliberate decision — not whether the finding count is zero.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

Cognito

Part of the learning path Lock down access

Enable Cognito threat protection

Cognito threat protection: the basics

Credential stuffing is the #1 attack vector

Enabling threat protection in action

Threat protection under the hooddeep dive

What is the impact of leaving threat protection off?

How do you enable threat protection safely?

1. Inventory the pool's current state and auth flows

2. Start in AUDIT mode and tune the action map

3. Flip to ENFORCED with compromised-credentials always BLOCK

4. Pair with MFA-required and WebAuthn for phishing-resistance

Quick quiz

Keep learning

Cognito threat protection: what it costs and what it buys

Credential stuffing is the #1 attack vector

How a finance partner frames the Cognito threat-protection decision

What the risk register should say about an unprotected Cognito pool

What finance can actually do about Cognito.3 and Cognito.4

1. Model the per-pool cost before the review

2. Compare the premium to the incident cost, not to zero

3. Require a documented justification for any exception

4. Track the finding count and per-MAU cost on the security-and-cost review

Quick quiz

Keep learning

Cognito threat protection: the headline

Credential stuffing is the #1 attack vector

What good looks like for Cognito threat protection at the leadership level

Why this finding is on the executive dashboard at all

The leadership move on Cognito threat protection

1. Set the default: customer-facing pools run in ENFORCED mode

2. Accept AUDIT as a temporary tuning step, not a resting state

3. Ask one question at the leadership review

Quick quiz

Keep learning

Controls this lesson covers

Cognito

Related compliance lessons