Ensure 'password policy' is enabled - at least 1 lower case character

MEDIUM

Description

Weak and common passwords can be easily compromised by attackers. It is recommended that all users have at least 1 lowercase letter, 1 uppercase letter, 1 special character, and 1 number in their passwords. It is also recommended that users utilize a long password that does not contain repeating or common words or phrases. Passwords should be rotated regularly, and any temporary password should be set with a short lifespan.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the IAM console.
  2. Choose Account settings in the navigation pane.
  3. Select 'Change password policy' in the Password policy section.
  4. Select the password policy configuration.
  5. Select Save changes.

In Terraform -

  1. In the aws_cognito_user_pool, configure the password_policy block as needed.
  2. Best practice is to include minimum_length, require_lowercase, require_uppercase, require_numbers, and require_symbols.
  3. Set temporary_password_validity_days with a value of 90 days or less.
  4. Set minimum_length to 14 or greater.
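The two aws_cognito_user_pool resources below are an added illustration of the Terraform steps above, not configuration from the page or from any real deployment; the pool names are made up. The first shows the setting this rule flags, the second the password_policy block the remediation asks for.

```hcl
# Non-compliant (constructed example): lowercase characters are not
# required, so this pool is reported under AC_AWS_0044.
resource "aws_cognito_user_pool" "weak" {
  name = "example-weak-pool"

  password_policy {
    minimum_length    = 8
    require_lowercase = false
    require_uppercase = true
    require_numbers   = true
    require_symbols   = false
  }
}

# Compliant (constructed example): every character class is required,
# minimum_length is at least 14 and temporary passwords expire well
# inside the 90-day limit from the remediation steps.
resource "aws_cognito_user_pool" "hardened" {
  name = "example-hardened-pool"

  password_policy {
    minimum_length                   = 14
    require_lowercase                = true
    require_uppercase                = true
    require_numbers                  = true
    require_symbols                  = true
    temporary_password_validity_days = 7
  }
}
```

Running `terraform plan` against the hardened resource shows the full password_policy block in the planned attributes, which is what a policy-as-code scanner evaluates before apply.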

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool#password_policy

Policy Details

Rule Reference ID: AC_AWS_0044
CSP: AWS
Remediation Available: Yes
Resource Type: Cognito

Frameworks