Security Hub controls for Amazon Cognito
These AWS Security Hub controls evaluate the Amazon Cognito service and resources. The controls might not be available in all AWS Regions. For more information, see Availability of controls by Region.
[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication
Category: Protect > Secure access management
Severity: Medium
Resource type:
AWS::Cognito::UserPool
AWS Config rule: cognito-user-pool-advanced-security-enabled
Schedule type: Change triggered
Parameters:
| Parameter | Description | Type | Allowed custom values | Security Hub default value |
|---|---|---|---|---|
|
|
The threat protection enforcement mode that the control checks for. |
String |
|
|
This control checks whether an Amazon Cognito user pool has threat protection activated with
the enforcement mode set to full function for standard authentication. The control fails
if the user pool has threat protection deactivated or if the enforcement mode isn't set
to full function for standard authentication. Unless you provide custom parameter
values, Security Hub uses the default value of ENFORCED for enforcement mode set
to full function for standard authentication.
After you create an Amazon Cognito user pool, you can activate threat protection and customize the actions that are taken in response to different risks. Or, you can use audit mode to gather metrics on detected risks without applying any security mitigations. In audit mode, threat protection publishes metrics to Amazon CloudWatch. You can see metrics after Amazon Cognito generates its first event.
Remediation
For information about activating threat protection for an Amazon Cognito user pool, see Advanced security with threat protection in the Amazon Cognito Developer Guide.
[Cognito.2] Cognito identity pools should not allow unauthenticated identities
Category: Protect > Secure access management > Passwordless authentication
Severity: Medium
Resource type:
AWS::Cognito::IdentityPool
AWS Config rule: cognito-identity-pool-unauth-access-check
Schedule type: Change triggered
Parameters: None
This control checks whether an Amazon Cognito identity pool is configured to allow
unauthenticated identities. The control fails if guest access is activated (the
AllowUnauthenticatedIdentities parameter is set to true)
for the identity pool.
If an Amazon Cognito identity pool allows unauthenticated identities, the identity pool provides temporary AWS credentials to users who haven't authenticated through an identity provider (guests). This creates security risks because it allows anonymous access to AWS resources. If you deactivate guest access, you can help ensure that only properly authenticated users can access your AWS resources, which reduces the risk of unauthorized access and potential security breaches. As a best practice, an identity pool should require authentication through supported identity providers. If unauthenticated access is necessary, it's important to carefully restrict permissions for unauthenticated identities, and regularly review and monitor their usage.
Remediation
For information about deactivating guest access for an Amazon Cognito identity pool, see Activate or deactivate guest access in the Amazon Cognito Developer Guide.
