AWS Config Rule: Cognito User Pool Deletion Protection

COGNITO_USER_POOL_DELETION_PROTECTION

Eduardo Van Cauteren

Last Update one year ago

Description: Checks whether Amazon Cognito User Pools have Deletion Protection ACTIVE. The rule is NON_COMPLIANT if the resource has Deletion Protection INACTIVE.


Trigger type: Periodic


AWS Region: All supported AWS regions


How to Resolve Manually

This config rule checks whether you have Deletion protection enabled for a particular User Pool. The rule will be marked as non-compliant if a pool is found with the Deletion protection option disabled.


Since this rule is triggered periodically, you can adjust how often the rule evaluation should occur, and you can also specify user pools you want to exempt from being checked. The following image illustrates these two cases:

To resolve this, you need to check the current deletion protection status of a pool. Head to the AWS Console, go to the Amazon Cognito service and click on User pools. Then click on the name of the desired User Pool and finally click on the User pool properties tab.

Scroll down until you find the Deletion protection card and click on the Activate button to enable the protection. Check the following screenshot as reference:
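The same status check can be scripted across every pool in a region. The following is an added example, not StackZone's or AWS's own code: it mirrors the rule's logic (ACTIVE is compliant, anything else is not, exempted pools are skipped). The parameter name exempt_pool_ids, the FakeCognito stand-in and the sample pool IDs are assumptions constructed for illustration.

```python
def audit_deletion_protection(client, exempt_pool_ids=()):
    """Return {pool_id: 'COMPLIANT' | 'NON_COMPLIANT'} for every non-exempt pool.
    `client` is a boto3 'cognito-idp' client or an object with the same two calls;
    `exempt_pool_ids` is a hypothetical name for the rule's exemption list."""
    exempt = set(exempt_pool_ids)
    results = {}
    kwargs = {"MaxResults": 60}  # 60 is the API maximum per page
    while True:
        page = client.list_user_pools(**kwargs)
        for pool in page.get("UserPools", []):
            pool_id = pool["Id"]
            if pool_id in exempt:
                continue
            detail = client.describe_user_pool(UserPoolId=pool_id)["UserPool"]
            # A missing field is treated as INACTIVE so a pool never passes silently.
            status = detail.get("DeletionProtection", "INACTIVE")
            results[pool_id] = "COMPLIANT" if status == "ACTIVE" else "NON_COMPLIANT"
        token = page.get("NextToken")
        if not token:
            return results
        kwargs["NextToken"] = token

class FakeCognito:
    """Constructed stand-in for the client so the example runs offline."""
    def __init__(self, pools, page_size=2):
        self.pools, self.page_size = pools, page_size

    def list_user_pools(self, MaxResults, NextToken=None):
        ids = sorted(self.pools)
        start = int(NextToken or 0)
        end = start + self.page_size
        page = {"UserPools": [{"Id": i} for i in ids[start:end]]}
        if end < len(ids):
            page["NextToken"] = str(end)  # forces the caller to paginate
        return page

    def describe_user_pool(self, UserPoolId):
        return {"UserPool": {"Id": UserPoolId, **self.pools[UserPoolId]}}

# Constructed sample data: pool IDs and states are made up.
SAMPLE_POOLS = {
    "eu-west-1_AAAA00001": {"DeletionProtection": "ACTIVE"},
    "eu-west-1_BBBB00002": {"DeletionProtection": "INACTIVE"},
    "eu-west-1_CCCC00003": {},  # field absent
    "eu-west-1_DDDD00004": {"DeletionProtection": "INACTIVE"},  # exempted below
}

if __name__ == "__main__":
    print(audit_deletion_protection(FakeCognito(SAMPLE_POOLS), ["eu-west-1_DDDD00004"]))
```

To run it against a real account, pass boto3.client("cognito-idp") in place of FakeCognito; the caller needs permission for ListUserPools and DescribeUserPool.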


How to Resolve with StackZone

You can also bring the resource into compliance with StackZone by enabling the remediation Amazon Cognito UserPool Deletion Protection. This will automatically remediate any non-compliant resources flagged by this config rule.

To activate this, head on over to Provisioning -> Baseline Services -> Config Rules Regional -> Amazon Cognito and enable Amazon Cognito UserPool Deletion Protection Remediation.


Note that the remediation will be applied according to the Maximum Execution Frequency you have defined for the rule and will ignore the exempted pools.

