Checking for compromised credentials - Amazon Cognito

Checking for compromised credentials

Amazon Cognito can detect if a user's user name and password have been compromised elsewhere. This can happen when users reuse credentials at more than one site, or when they use insecure passwords. Amazon Cognito checks native users who sign in with user name and password, in the hosted UI and with the Amazon Cognito API. Native users are users who you created or who signed up in the Amazon Cognito directory without a federated identity provider (IdP).

From Advanced security in the App integration tab of the Amazon Cognito console, you can configure Compromised credentials. Configure Event detection to choose the user events that you want to monitor for compromised credentials. Configure Compromised credentials responses to choose whether to allow or block the user if compromised credentials are detected. Amazon Cognito can check for compromised credentials during sign-in, sign-up, and password changes.

When you choose Allow sign-in, you can review Amazon CloudWatch Logs to monitor the evaluations that Amazon Cognito makes on user events. For more information, see Viewing advanced security metrics. When you choose Block sign-in, Amazon Cognito prevents sign-in by users who use compromised credentials. When Amazon Cognito blocks sign-in for a user, it sets the user's UserStatus to RESET_REQUIRED. A user with a RESET_REQUIRED status must change their password before they can sign in again.


Currently, Amazon Cognito doesn't check for compromised credentials for sign-in operations with Secure Remote Password (SRP) flow, which doesn't send the password during sign-in. Amazon Cognito checks sign-ins that use the AdminInitiateAuth API with ADMIN_USER_PASSWORD_AUTH flow, and the InitiateAuth API with USER_PASSWORD_AUTH flow, for compromised credentials.

To add compromised credentials protections to your user pool, see Adding advanced security to a user pool.