Control: 3 Password policies for Cognito user pools should have strong configurations
Description
This control checks whether the password policy for an Amazon Cognito user pool requires the use of strong passwords, based on recommended settings for password policies. The control fails if the password policy for the user pool doesn't require strong passwords. You can optionally specify custom values for the policy settings that the control checks.
Strong passwords are a security best practice for Amazon Cognito user pools. Weak passwords can expose users' credentials to systems that guess passwords and try to access data. This is especially the case for applications that are open to the internet. Password policies are a central element of the security of user directories. By using a password policy, you can configure a user pool to require password complexity and other settings that comply with your security standards and requirements.
Remediation
For information about creating or updating the password policy for an Amazon Cognito user pool, see Adding user pool password requirements in the Amazon Cognito Developer Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_cognito_3Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_cognito_3 --shareSQL
This control uses a named query:
select id as resource, case when policies -> 'PasswordPolicy' is null then 'alarm' when (policies -> 'PasswordPolicy' -> 'MinimumLength')::int >= 8 and coalesce((policies -> 'PasswordPolicy' -> 'RequireLowercase')::boolean, false) = true and coalesce((policies -> 'PasswordPolicy' -> 'RequireUppercase')::boolean, false) = true and coalesce((policies -> 'PasswordPolicy' -> 'RequireNumbers')::boolean, false) = true and coalesce((policies -> 'PasswordPolicy' -> 'RequireSymbols')::boolean, false) = true and coalesce((policies -> 'PasswordPolicy' -> 'TemporaryPasswordValidityDays')::int, 0) <= 7 then 'ok' else 'alarm' end as status, case when policies -> 'PasswordPolicy' is null then title || ' password policy not configured.' when (policies -> 'PasswordPolicy' -> 'MinimumLength')::int >= 8 and coalesce((policies -> 'PasswordPolicy' -> 'RequireLowercase')::boolean, false) = true and coalesce((policies -> 'PasswordPolicy' -> 'RequireUppercase')::boolean, false) = true and coalesce((policies -> 'PasswordPolicy' -> 'RequireNumbers')::boolean, false) = true and coalesce((policies -> 'PasswordPolicy' -> 'RequireSymbols')::boolean, false) = true and coalesce((policies -> 'PasswordPolicy' -> 'TemporaryPasswordValidityDays')::int, 0) <= 7 then title || ' strong password policy configured.' else title || ' password policy ' || concat_ws(', ', case when (policies -> 'PasswordPolicy' -> 'MinimumLength')::int < 8 then ('minimum password length set to ' || ((policies -> 'PasswordPolicy' -> 'MinimumLength')::int)::text) end, case when not coalesce((policies -> 'PasswordPolicy' -> 'RequireLowercase')::boolean, false) then 'lowercase characters not required' end, case when not coalesce((policies -> 'PasswordPolicy' -> 'RequireUppercase')::boolean, false) then 'uppercase characters not required' end, case when not coalesce((policies -> 'PasswordPolicy' -> 'RequireNumbers')::boolean, false) then 'numbers not required' end, case when not coalesce((policies -> 'PasswordPolicy' -> 'RequireSymbols')::boolean, false) then 'symbols not required' end, case when coalesce((policies -> 'PasswordPolicy' -> 'TemporaryPasswordValidityDays')::int, 0) > 7 then ('temporary password validity set to ' || ((policies -> 'PasswordPolicy' -> 'TemporaryPasswordValidityDays')::int)::text || ' days') end ) || '.' end as reason , region, account_idfrom aws_cognito_user_pool;