A-COG-1

Cognito User Pools Should Have Delete Protection

Risk:
Moderate

AWS Cognito User Pools should utilise Delete Protection to avoid accidental deletion


Details

AWS Cognito is an identity platform-as-a-service that offers identity management functionality for applications and services. This includes user management, user attribute storage and preformatted user workflows such as self-service operations. It is a comprehensive service that may be considered as an alternative to full identity platform software suites like ForgeRock, Okta and others.

The data held in a User Pool is hard to replace. It contains the user records themselves, user-supplied attributes such as email addresses and profile fields, and password hashes. Password hashes are irreversible and cannot be rebuilt from anything else, so if a pool is lost every user has to set a new password. That is something you can ask of users but not compel; it adds friction to the customer journey and some users, along with their data, will not come back.

Given this, it is vital to ensure that Cognito data is resilient and cannot be accidentally deleted. Accidental deletions can occur through a simple, misguided command or a misconfigured software pipeline. To mitigate this risk, Cognito User Pools have a DeletionProtection attribute (ACTIVE or INACTIVE). While it is ACTIVE, DeleteUserPool fails; the pool can only be removed after a separate, explicit UpdateUserPool call sets the attribute back to INACTIVE. That extra call is recorded in CloudTrail before any deletion can occur, and it is an action organisations can gate with IAM policy, so a User Pool cannot be deleted without the proper process being followed.

A second safeguard is to stop automated tooling, such as CI/CD pipelines, from removing delete protection at all. The IAM roles that pipelines run under should be explicitly denied the actions that turn protection off or delete a pool, so that a compromised or misconfigured pipeline cannot get past the gate on its own.
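The guardrail described above, as an added example rather than SkySiege's own policy set: a Python function that emits a Service Control Policy with two explicit denies. The first blocks DeleteUserPool for everyone except a named break-glass role; the second blocks both DeleteUserPool and UpdateUserPool for roles matching a pipeline naming pattern, since UpdateUserPool is the call that sets DeletionProtection to INACTIVE. The role ARN and the pipeline pattern are placeholders, and the example assumes (as far as the author knows) that IAM offers no condition key that isolates the DeletionProtection attribute, which is why the whole UpdateUserPool action is denied for pipelines.

```python
"""Guardrail SCP for Cognito User Pool deletion.

Added example for this page, not SkySiege's policy. The two ARNs below are
placeholders (assumption): one break-glass role allowed to delete pools, and a
name pattern that matches the organisation's CI/CD roles.
"""
import json

BREAK_GLASS_ROLE = "arn:aws:iam::*:role/security-break-glass"  # placeholder
PIPELINE_ROLE_PATTERN = "arn:aws:iam::*:role/ci-*"             # placeholder


def cognito_delete_guardrail(break_glass_role=BREAK_GLASS_ROLE,
                             pipeline_role_pattern=PIPELINE_ROLE_PATTERN):
    """Return a policy document with two explicit denies.

    1. Nobody but the break-glass role may call DeleteUserPool. With deletion
       protection ACTIVE the call fails anyway; this statement is what still
       holds if protection has been switched off.
    2. Pipeline roles may neither delete a pool nor call UpdateUserPool.
       UpdateUserPool is the only way to set DeletionProtection to INACTIVE,
       and (assumption) no IAM condition key singles out that attribute, so
       the whole action is denied for pipelines.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUserPoolDeleteExceptBreakGlass",
                "Effect": "Deny",
                "Action": "cognito-idp:DeleteUserPool",
                "Resource": "*",
                "Condition": {
                    "ArnNotLike": {"aws:PrincipalArn": break_glass_role}
                },
            },
            {
                "Sid": "DenyPipelinesRemovingDeleteProtection",
                "Effect": "Deny",
                "Action": [
                    "cognito-idp:DeleteUserPool",
                    "cognito-idp:UpdateUserPool",
                ],
                "Resource": "*",
                "Condition": {
                    "ArnLike": {"aws:PrincipalArn": pipeline_role_pattern}
                },
            },
        ],
    }


if __name__ == "__main__":
    # Print the document ready for `aws organizations create-policy --content file://...`
    print(json.dumps(cognito_delete_guardrail(), indent=2))
```

The trade-off to be aware of: once the second statement is attached, a pipeline that manages User Pools through Terraform or CloudFormation can no longer change any pool setting, so settings changes need a separate, more privileged path. Pools created by such tooling should still be created with protection on (Terraform's aws_cognito_user_pool has a deletion_protection argument and the AWS::Cognito::UserPool CloudFormation resource has a DeletionProtection property), since CreateUserPool is not denied here.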

Remediation

Remediating this issue is straightforward: enable delete protection on each User Pool, either by setting DeletionProtection to ACTIVE in the infrastructure-as-code definition that manages the pool or with an UpdateUserPool call. One caveat with UpdateUserPool: any attribute you leave out of the call is reset to its default, so re-submit the pool's current settings alongside the change rather than sending the one attribute on its own. Reviewing every User Pool by hand takes effort, but it is a highly recommended practice for safeguarding your customer data.
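A worked audit-and-remediate script for the steps above, added here as an example and not SkySiege's scanner. It lists every User Pool in a region, describes each one (ListUserPools summaries do not include DeletionProtection), reports the unprotected pools, and with --enable turns protection on while re-submitting the pool's existing settings so nothing else is reset. It assumes boto3 is installed and the credentials carry cognito-idp:ListUserPools, DescribeUserPool and, for --enable, UpdateUserPool; the list of re-submitted field names is taken from the API reference and is the one assumption worth checking against the current documentation. The sample pool objects at the bottom are constructed fixtures in the shape DescribeUserPool returns, for offline testing.

```python
"""Audit Cognito User Pools for deletion protection and optionally enable it.

Added example for this page, not SkySiege's scanner. Assumes boto3 and AWS
credentials with cognito-idp:ListUserPools, DescribeUserPool and, for
--enable, UpdateUserPool.
"""
import argparse
import sys

# DescribeUserPool fields that UpdateUserPool also accepts (assumption taken
# from the API reference). boto3 validates parameter names client-side, so a
# wrong name here fails loudly instead of silently dropping a setting.
RESUBMITTED_FIELDS = (
    "Policies", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage",
    "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "UserAttributeUpdateSettings",
    "MfaConfiguration", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig",
    "UserPoolAddOns", "AccountRecoverySetting",
)


def unprotected_pools(pools):
    """Return (Id, Name) for each DescribeUserPool 'UserPool' object whose
    DeletionProtection is not ACTIVE. A pool with no such attribute counts as
    unprotected, matching the service default of INACTIVE."""
    return [(p["Id"], p.get("Name", "")) for p in pools
            if p.get("DeletionProtection") != "ACTIVE"]


def build_update_params(pool):
    """UpdateUserPool resets every attribute left out of the call to its
    default, so the current settings are sent back with the one change."""
    params = {k: pool[k] for k in RESUBMITTED_FIELDS if k in pool}
    params["UserPoolId"] = pool["Id"]
    params["DeletionProtection"] = "ACTIVE"
    return params


def describe_all_pools(client):
    """Yield the full description of every pool in the region. ListUserPools
    summaries omit DeletionProtection, hence one DescribeUserPool per pool.
    MaxResults is mandatory for ListUserPools (1-60)."""
    token = None
    while True:
        kwargs = {"MaxResults": 60}
        if token:
            kwargs["NextToken"] = token
        page = client.list_user_pools(**kwargs)
        for summary in page["UserPools"]:
            yield client.describe_user_pool(UserPoolId=summary["Id"])["UserPool"]
        token = page.get("NextToken")
        if not token:
            return


def main(argv=None):
    parser = argparse.ArgumentParser(description="Cognito deletion-protection audit")
    parser.add_argument("--region", required=True)
    parser.add_argument("--enable", action="store_true",
                        help="set DeletionProtection=ACTIVE on every unprotected pool")
    args = parser.parse_args(argv)

    import boto3  # imported here so the pure functions above work without it
    client = boto3.client("cognito-idp", region_name=args.region)

    pools = list(describe_all_pools(client))
    findings = unprotected_pools(pools)
    for pool_id, name in findings:
        print(f"UNPROTECTED {pool_id} ({name})")
    if args.enable:
        by_id = {p["Id"]: p for p in pools}
        for pool_id, _ in findings:
            client.update_user_pool(**build_update_params(by_id[pool_id]))
            print(f"ENABLED     {pool_id}")
    # Non-zero exit when unprotected pools remain, so a scheduled run can alert.
    return 1 if findings and not args.enable else 0


# Constructed fixtures in the shape of DescribeUserPool's 'UserPool' object.
SAMPLE_POOLS = [
    {"Id": "eu-west-1_AAAAAAAAA", "Name": "customers",
     "DeletionProtection": "ACTIVE", "MfaConfiguration": "OPTIONAL"},
    {"Id": "eu-west-1_BBBBBBBBB", "Name": "staff",
     "DeletionProtection": "INACTIVE", "MfaConfiguration": "ON",
     "Arn": "arn:aws:cognito-idp:eu-west-1:123456789012:userpool/eu-west-1_BBBBBBBBB",
     "EstimatedNumberOfUsers": 42},
    {"Id": "eu-west-1_CCCCCCCCC", "Name": "legacy"},  # attribute absent
]


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python audit_cognito.py --region eu-west-1` for a report only, and add `--enable` once the findings have been reviewed. The exit code is intended for a scheduled job: a non-zero status means an unprotected pool exists and nobody has yet acted on it.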

SkySiege Customers

SkySiege customers benefit from immediate detection of User Pools that are marked as deletable. This information is highlighted in their Cloud Assessment report, delivered the same day.

Additionally, SkySiege for Organisations customers are provided with IAM policies that can be enforced across the entire organisation, requiring additional privileged access for any deletion to occur. These include policy statements written specifically for automated pipelines, ensuring that service entities cannot remove delete protection or perform other actions a pipeline should not be engaging in, such as rotating or deleting IAM access keys, removing S3 Public Access Blocks and more.

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.

Related Tests