Checking for compromised credentials - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Checking for compromised credentials

Amazon Cognito can detect if a user's username and password have been compromised elsewhere. This can happen when users reuse credentials at more than one site, or when they use insecure passwords. Amazon Cognito checks local users who sign in with username and password, in the hosted UI and with the Amazon Cognito API. A local user exists exclusively in your user pool directory without federation through an external IdP.

From Advanced security in the App integration tab of the Amazon Cognito console, you can configure Compromised credentials. Configure Event detection to choose the user events that you want to monitor for compromised credentials. Configure Compromised credentials responses to choose whether to allow or block the user if compromised credentials are detected. Amazon Cognito can check for compromised credentials during sign-in, sign-up, and password changes.

When you choose Allow sign-in, you can review Amazon CloudWatch Logs to monitor the evaluations that Amazon Cognito makes on user events. For more information, see Viewing advanced security metrics. When you choose Block sign-in, Amazon Cognito prevents sign-in by users who use compromised credentials. When Amazon Cognito blocks sign-in for a user, it sets the user's UserStatus to RESET_REQUIRED. A user with a RESET_REQUIRED status must change their password before they can sign in again.


Currently, Amazon Cognito doesn't check for compromised credentials for sign-in operations with Secure Remote Password (SRP) flow. SRP sends a hashed proof of password during sign-in. Amazon Cognito doesn't have access to passwords internally, so it can only evaluate a password that your client passes to it in plaintext.

Amazon Cognito checks sign-ins that use the AdminInitiateAuth API with ADMIN_USER_PASSWORD_AUTH flow, and the InitiateAuth API with USER_PASSWORD_AUTH flow, for compromised credentials.

To add compromised credentials protections to your user pool, see Adding advanced security to a user pool.