Amazon Cognito
Developer Guide

Compromised Credentials Protections

Your users may reuse the same credentials (i.e., username and password) for multiple websites and apps. If those reused credentials are stolen through website breaches or malware, they can become available on the internet, and criminals could try them at other locations. Our protections detect whether a user's credentials have been compromised elsewhere and block their use in Amazon Cognito User Pools. Users will be asked to choose another password if they try to use compromised credentials.

In the Advanced security tab, you can choose whether Amazon Cognito checks for compromised credentials during sign-in, sign-up, and password changes.

Presently, Amazon Cognito does not check for compromised credentials during sign-in operations that use the Secure Remote Password (SRP) flow, because that flow does not send the password during sign-in. Sign-ins using the AdminInitiateAuth API with the ADMIN_NO_SRP_AUTH flow are checked for compromised credentials.

You can also choose whether to allow or block the user if compromised credentials are detected. Blocking will require users to choose another password. Choosing Allow will still publish all attempted uses of compromised credentials to Amazon CloudWatch. For more information, see Viewing Advanced Security Metrics.
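The settings described above can also be reviewed and applied programmatically. The following script is an added example, not code from the Amazon Cognito documentation: it audits one user pool's compromised-credentials configuration (the BLOCK/NO_ACTION action, which of the three events are screened, and whether the app client's auth flows would ever trigger a sign-in check given the SRP caveat) and builds the SetRiskConfiguration request that blocks everywhere. The risk configuration it inspects is a constructed sample shaped like a GetRiskConfiguration response; the pool and client ids are placeholders.

```python
"""Audit and harden a user pool's compromised-credentials settings (added example)."""
from typing import Dict, List, Optional

# The three operations Cognito can screen for compromised credentials.
ALL_EVENTS = ("SIGN_IN", "SIGN_UP", "PASSWORD_CHANGE")
# App-client auth flows that actually send the password to Cognito. SRP and
# custom flows do not, so a SIGN_IN check never runs for clients limited to them.
PASSWORD_FLOWS = {"ALLOW_USER_PASSWORD_AUTH", "ALLOW_ADMIN_USER_PASSWORD_AUTH"}


def audit_compromised_credentials(risk_configuration: Dict, explicit_auth_flows: List[str]) -> List[str]:
    """Return findings for one GetRiskConfiguration['RiskConfiguration'] value
    combined with the ExplicitAuthFlows of the app client it applies to."""
    findings: List[str] = []
    ccr = risk_configuration.get("CompromisedCredentialsRiskConfiguration")
    if not ccr:
        return ["compromised-credentials protection is not configured"]
    if ccr.get("Actions", {}).get("EventAction") != "BLOCK":
        findings.append("action is not BLOCK: detections are only published to CloudWatch")
    # An absent or empty EventFilter means every event type is screened (API default).
    events = set(ccr.get("EventFilter") or ALL_EVENTS)
    for event in ALL_EVENTS:
        if event not in events:
            findings.append(f"{event} is not screened for compromised credentials")
    if "SIGN_IN" in events and not PASSWORD_FLOWS & set(explicit_auth_flows):
        findings.append("SIGN_IN screening is ineffective: client allows only SRP/custom "
                        "flows, which never send the password")
    return findings


def hardened_request(user_pool_id: str, client_id: Optional[str] = None) -> Dict:
    """Build SetRiskConfiguration kwargs that block compromised credentials on all events."""
    request: Dict = {
        "UserPoolId": user_pool_id,
        "CompromisedCredentialsRiskConfiguration": {
            "EventFilter": list(ALL_EVENTS),
            "Actions": {"EventAction": "BLOCK"},
        },
    }
    if client_id:
        request["ClientId"] = client_id  # without it the setting applies pool-wide
    return request


if __name__ == "__main__":
    # Live use: python audit.py <user-pool-id> <app-client-id> [--fix]
    import sys
    import boto3  # needs AWS credentials; advanced security must be enabled on the pool
    pool, client = sys.argv[1], sys.argv[2]
    idp = boto3.client("cognito-idp")
    risk = idp.get_risk_configuration(UserPoolId=pool, ClientId=client)["RiskConfiguration"]
    app_client = idp.describe_user_pool_client(UserPoolId=pool, ClientId=client)["UserPoolClient"]
    for finding in audit_compromised_credentials(risk, app_client.get("ExplicitAuthFlows", [])):
        print("finding:", finding)
    if "--fix" in sys.argv:
        idp.set_risk_configuration(**hardened_request(pool, client))
```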