Medium
Cognito
Regional
Cognito user pools should have threat protection with full enforcement enabled
FSBP
Description
This control checks whether an Amazon Cognito user pool has advanced security (threat protection) enabled with full enforcement. The control fails if advanced security is not enabled, or if it is set to audit mode instead of enforcement mode. In audit mode Cognito only records risk evaluations; only in enforcement mode does it act on them. Advanced security provides additional protection against compromised credentials and account takeover attacks by analyzing sign-in attempts and blocking suspicious activity.
Remediation
Enable advanced security with full enforcement for your Cognito user pools to protect against compromised credentials and account takeover attacks.
Steps
- Navigate to the Amazon Cognito console
- Go to the User pools section
- Select the user pool that needs advanced security
- Go to the 'Sign-in experience' tab
- Scroll down to the 'Advanced security' section
- Enable 'Advanced security features'
- Set the mode to 'Enforce' (not just 'Audit')
- Configure the risk-based adaptive authentication settings
- Save the changes
- Verify that advanced security is now enforced
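To verify the control outside the console, the check below evaluates the same condition over the output of the Cognito `DescribeUserPool` API. This is an added example, not code from the page or from the scanner that publishes the control; it assumes the boto3 response shape (`UserPool.UserPoolAddOns.AdvancedSecurityMode` with the values `OFF`, `AUDIT` or `ENFORCED`) and treats a missing `UserPoolAddOns` block as `OFF`. The sample pool records are constructed for illustration. The optional live scan and the remediation helper require boto3 and AWS credentials and are not exercised offline.

```python
"""Check Cognito user pools for fully enforced threat protection (advanced security).

Added example: evaluates DescribeUserPool output the way the control above does.
Assumed response shape (boto3 cognito-idp DescribeUserPool):
  {"UserPool": {"Id": ..., "UserPoolAddOns": {"AdvancedSecurityMode": "OFF"|"AUDIT"|"ENFORCED"}}}
"""
from __future__ import annotations

from dataclasses import dataclass

REQUIRED_MODE = "ENFORCED"


@dataclass(frozen=True)
class Finding:
    pool_id: str
    mode: str     # OFF, AUDIT or ENFORCED ("OFF" when the add-on block is absent)
    status: str   # "PASS" or "FAIL"
    reason: str


def evaluate_user_pool(user_pool: dict) -> Finding:
    """Return PASS only when threat protection is in ENFORCED mode."""
    pool_id = user_pool.get("Id", "<unknown>")
    add_ons = user_pool.get("UserPoolAddOns") or {}
    # A pool that never had the add-on configured has no UserPoolAddOns key at all.
    mode = add_ons.get("AdvancedSecurityMode", "OFF")
    if mode == REQUIRED_MODE:
        return Finding(pool_id, mode, "PASS", "threat protection enforced")
    if mode == "AUDIT":
        return Finding(pool_id, mode, "FAIL",
                       "audit mode only: risky sign-ins are logged but never blocked")
    return Finding(pool_id, mode, "FAIL", "threat protection disabled")


def evaluate_all(user_pools: list[dict]) -> list[Finding]:
    return [evaluate_user_pool(pool) for pool in user_pools]


# Constructed sample records standing in for DescribeUserPool["UserPool"] responses.
SAMPLE_POOLS = [
    {"Id": "us-east-1_EXAMPLE1", "Name": "customers",
     "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"}},
    {"Id": "us-east-1_EXAMPLE2", "Name": "partners",
     "UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"}},
    {"Id": "us-east-1_EXAMPLE3", "Name": "legacy"},   # add-on block absent => OFF
]


def scan_region_live(region: str) -> list[Finding]:
    """Optional live scan: lists every pool in the region and evaluates each one.

    Requires boto3 and credentials with cognito-idp:ListUserPools and
    cognito-idp:DescribeUserPool; not run offline.
    """
    import boto3  # imported lazily so the offline evaluation needs no AWS SDK

    client = boto3.client("cognito-idp", region_name=region)
    findings: list[Finding] = []
    # ListUserPools requires MaxResults (max 60); the paginator handles NextToken.
    for page in client.get_paginator("list_user_pools").paginate(MaxResults=60):
        for summary in page["UserPools"]:
            pool = client.describe_user_pool(UserPoolId=summary["Id"])["UserPool"]
            findings.append(evaluate_user_pool(pool))
    return findings


def enforce_threat_protection(region: str, pool_id: str) -> None:
    """Remediation helper: switch the pool's add-on to ENFORCED via UpdateUserPool.

    Caveat: UpdateUserPool resets any pool attribute you leave out of the call to
    its default, so in real use pass the pool's current settings along with the
    changed UserPoolAddOns rather than calling it with only this argument.
    """
    import boto3

    client = boto3.client("cognito-idp", region_name=region)
    client.update_user_pool(UserPoolId=pool_id,
                            UserPoolAddOns={"AdvancedSecurityMode": REQUIRED_MODE})


if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_POOLS):
        print(f"{finding.pool_id}: {finding.status} ({finding.mode}: {finding.reason})")
```

Running the block offline evaluates the three constructed pools and reports one PASS and two FAILs; the AUDIT pool fails for the same reason the control gives, since audit mode only records risk decisions. The `update_user_pool` caveat in the remediation helper is the one practitioners most often trip over when scripting this fix: the API replaces unspecified pool settings with defaults, so pull the current configuration first and resend it together with the new `UserPoolAddOns`.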
Compliance
FSBP