Control: Cognito user pool password policy should meet requirements
Description
Checks whether the password policy of each Amazon Cognito user pool meets the specified requirements: a minimum length of at least 8 characters, required lowercase, uppercase, numeric and symbol characters, and a temporary password validity of at most 7 days. The control reports alarm for a user pool that has no password policy configured or whose policy fails any of these requirements, and the reason lists each failing setting.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cognito_user_pool_password_policy_with_strong_configuration
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cognito_user_pool_password_policy_with_strong_configuration --share
SQL
This control uses a named query:
select
  id as resource,
  case
    when policies -> 'PasswordPolicy' is null then 'alarm'
    when (policies -> 'PasswordPolicy' -> 'MinimumLength')::int >= 8
      and coalesce((policies -> 'PasswordPolicy' -> 'RequireLowercase')::boolean, false) = true
      and coalesce((policies -> 'PasswordPolicy' -> 'RequireUppercase')::boolean, false) = true
      and coalesce((policies -> 'PasswordPolicy' -> 'RequireNumbers')::boolean, false) = true
      and coalesce((policies -> 'PasswordPolicy' -> 'RequireSymbols')::boolean, false) = true
      and coalesce((policies -> 'PasswordPolicy' -> 'TemporaryPasswordValidityDays')::int, 0) <= 7
      then 'ok'
    else 'alarm'
  end as status,
  case
    when policies -> 'PasswordPolicy' is null then title || ' password policy not configured.'
    when (policies -> 'PasswordPolicy' -> 'MinimumLength')::int >= 8
      and coalesce((policies -> 'PasswordPolicy' -> 'RequireLowercase')::boolean, false) = true
      and coalesce((policies -> 'PasswordPolicy' -> 'RequireUppercase')::boolean, false) = true
      and coalesce((policies -> 'PasswordPolicy' -> 'RequireNumbers')::boolean, false) = true
      and coalesce((policies -> 'PasswordPolicy' -> 'RequireSymbols')::boolean, false) = true
      and coalesce((policies -> 'PasswordPolicy' -> 'TemporaryPasswordValidityDays')::int, 0) <= 7
      then title || ' strong password policy configured.'
    else title || ' password policy ' || concat_ws(', ',
      case when (policies -> 'PasswordPolicy' -> 'MinimumLength')::int < 8
        then ('minimum password length set to ' || ((policies -> 'PasswordPolicy' -> 'MinimumLength')::int)::text) end,
      case when not coalesce((policies -> 'PasswordPolicy' -> 'RequireLowercase')::boolean, false)
        then 'lowercase characters not required' end,
      case when not coalesce((policies -> 'PasswordPolicy' -> 'RequireUppercase')::boolean, false)
        then 'uppercase characters not required' end,
      case when not coalesce((policies -> 'PasswordPolicy' -> 'RequireNumbers')::boolean, false)
        then 'numbers not required' end,
      case when not coalesce((policies -> 'PasswordPolicy' -> 'RequireSymbols')::boolean, false)
        then 'symbols not required' end,
      case when coalesce((policies -> 'PasswordPolicy' -> 'TemporaryPasswordValidityDays')::int, 0) > 7
        then ('temporary password validity set to ' || ((policies -> 'PasswordPolicy' -> 'TemporaryPasswordValidityDays')::int)::text || ' days') end
    ) || '.'
  end as reason,
  region,
  account_id
from
  aws_cognito_user_pool;
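The same evaluation, written in Python so it can be exercised offline against user pool descriptions without a Steampipe database. This is an added example, not part of the aws_compliance mod or the Steampipe plugin; it mirrors the thresholds and the reason wording of the query above. The sample pools are constructed to resemble the UserPool.Policies shape returned by the Cognito DescribeUserPool API and are not real AWS output; the function and constant names are the author's own.

```python
"""Offline re-implementation of the Cognito user pool password policy check.

Added example: reproduces the logic of the named query on this page so the
status/reason it would emit can be checked against sample pool descriptions.
"""
from __future__ import annotations

MIN_LENGTH = 8                 # query: MinimumLength >= 8
MAX_TEMP_PASSWORD_DAYS = 7     # query: TemporaryPasswordValidityDays <= 7

# Booleans that must be true, in the order the query lists them in the reason.
REQUIRED_CLASSES = (
    ("RequireLowercase", "lowercase characters"),
    ("RequireUppercase", "uppercase characters"),
    ("RequireNumbers", "numbers"),
    ("RequireSymbols", "symbols"),
)

# Constructed sample data in the shape of DescribeUserPool's UserPool object.
# Pool IDs and names are invented for this example.
SAMPLE_POOLS = [
    {"Id": "pool-strong", "Name": "customers", "Region": "us-east-1",
     "Policies": {"PasswordPolicy": {
         "MinimumLength": 12, "RequireUppercase": True, "RequireLowercase": True,
         "RequireNumbers": True, "RequireSymbols": True,
         "TemporaryPasswordValidityDays": 3}}},
    {"Id": "pool-weak", "Name": "internal", "Region": "us-east-1",
     "Policies": {"PasswordPolicy": {
         "MinimumLength": 6, "RequireUppercase": True, "RequireLowercase": True,
         "RequireNumbers": False, "RequireSymbols": False,
         "TemporaryPasswordValidityDays": 30}}},
    # No PasswordPolicy key at all: the query's first branch (alarm).
    {"Id": "pool-none", "Name": "legacy", "Region": "eu-west-1", "Policies": {}},
]


def evaluate_password_policy(pool: dict) -> tuple[str, str]:
    """Return (status, reason) for one user pool, matching the query's wording."""
    title = pool.get("Name") or pool.get("Id", "user pool")
    policy = (pool.get("Policies") or {}).get("PasswordPolicy")
    if policy is None:
        return "alarm", f"{title} password policy not configured."

    findings: list[str] = []

    # A missing MinimumLength is treated as 0 here so it is flagged; the SQL
    # would yield NULL for the comparison and still land in the else branch.
    min_len = int(policy.get("MinimumLength", 0))
    if min_len < MIN_LENGTH:
        findings.append(f"minimum password length set to {min_len}")

    # coalesce(..., false): an absent flag counts as "not required".
    for key, label in REQUIRED_CLASSES:
        if not bool(policy.get(key, False)):
            findings.append(f"{label} not required")

    # coalesce(..., 0): an absent validity period is not flagged, as in the SQL.
    temp_days = int(policy.get("TemporaryPasswordValidityDays", 0))
    if temp_days > MAX_TEMP_PASSWORD_DAYS:
        findings.append(f"temporary password validity set to {temp_days} days")

    if not findings:
        return "ok", f"{title} strong password policy configured."
    return "alarm", f"{title} password policy {', '.join(findings)}."


def evaluate_all(pools: list[dict]) -> list[dict]:
    """Produce rows shaped like the control's output (resource, status, reason, region)."""
    rows = []
    for pool in pools:
        status, reason = evaluate_password_policy(pool)
        rows.append({"resource": pool["Id"], "status": status,
                     "reason": reason, "region": pool.get("Region")})
    return rows


if __name__ == "__main__":
    for row in evaluate_all(SAMPLE_POOLS):
        print(f"{row['status']:5}  {row['resource']:12}  {row['reason']}")
```

To run this against a live account, feed the function the UserPool object returned by the DescribeUserPool API (for example via boto3's cognito-idp client) in place of the constructed entries in SAMPLE_POOLS. Note that the check only inspects the password policy block; it says nothing about MFA configuration or advanced security features on the pool, which are covered by separate controls.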