Cognito Advanced Security Password Check

0

Our application's backend uses Cognito's admin_create_user followed by admin_set_user_password (in our case Python/Boto3) to create a user in Cognito. Cognito is not directly called from the Frontend, since we have some additional logic around user creation, therefore we are using the admin_... endpoints.

However, it seems that using admin_set_user_password to set the initial user password during registration does not trigger the Advanced Security password check? Changing the user's password afterwards to an insecure value triggers the password check and blocks the change successfully.

Is this actually the case? I was not able to find a concrete statement in the docs.

1 Answer
0

Using admin_set_user_password (AdminSetUserPassword API) sets the specified user's password in a user pool as an administrator so no password authentication is required. To check for compromised credentials using Advanced Security, Amazon Cognito checks sign-ins that use the AdminInitiateAuth API with ADMIN_USER_PASSWORD_AUTH flow, and the InitiateAuth API with USER_PASSWORD_AUTH flow, for compromised credentials.

Amazon Cognito doesn't have access to passwords internally, so it can only evaluate a password that your client passes to it in plaintext.

See details here: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html

However, consider creating a temporary password when creating a new user using admin_create_user unless your application backend logic requires setting a password after a new user is created. You can specify a temporary password or have Amazon Cognito generate one for you if you don't specify a value when creating a new user.

AWS
answered a year ago
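The two backend flows discussed above side by side, as an added example that is not part of the original question or answer. It is written against the Boto3 `cognito-idp` method names (`admin_create_user`, `admin_set_user_password`, `admin_initiate_auth`) and takes any client object exposing them, so `boto3.client("cognito-idp")` can be passed in production; `StubCognito`, the user pool ID, client ID, usernames and the "breached" password set are constructed stand-ins so the file runs offline. The third function uses the `ADMIN_USER_PASSWORD_AUTH` flow, one of the two the answer names, to get the plaintext evaluated right after the backend sets it; that the pool's compromised-credentials action is set to block, that the app client permits this flow, and the `NotAuthorizedException` code the stub returns for a blocked sign-in are assumptions, not facts from the page.

```python
"""Admin-side Cognito user creation with Boto3 and where the advanced-security
(compromised credentials) check can and cannot run.

Added example, not code from the original post. Functions accept any object
with Boto3's cognito-idp method names; StubCognito is a constructed, offline
stand-in. Pool IDs, client IDs, usernames and passwords are illustrative."""
from __future__ import annotations

from typing import Any, Dict, List, Optional, Tuple


def create_user_with_permanent_password(client: Any, user_pool_id: str, username: str,
                                        email: str, password: str) -> Dict[str, Any]:
    """Path 1 (the asker's flow): AdminCreateUser, then AdminSetUserPassword with
    Permanent=True. No sign-in happens, so the plaintext is never evaluated against
    the compromised-credentials data; the user lands directly in CONFIRMED."""
    client.admin_create_user(
        UserPoolId=user_pool_id,
        Username=username,
        UserAttributes=[{"Name": "email", "Value": email},
                        {"Name": "email_verified", "Value": "true"}],
        MessageAction="SUPPRESS",  # backend owns onboarding; no invitation mail
    )
    client.admin_set_user_password(
        UserPoolId=user_pool_id, Username=username, Password=password, Permanent=True,
    )
    return {"Username": username, "UserStatus": "CONFIRMED"}


def create_user_with_temporary_password(client: Any, user_pool_id: str, username: str,
                                        email: str,
                                        temporary_password: Optional[str] = None) -> Dict[str, Any]:
    """Path 2 (the answer's suggestion): AdminCreateUser with a temporary password,
    or none so that Cognito generates one. The user must choose the permanent
    password in a NEW_PASSWORD_REQUIRED challenge inside an auth flow."""
    kwargs: Dict[str, Any] = {
        "UserPoolId": user_pool_id,
        "Username": username,
        "UserAttributes": [{"Name": "email", "Value": email}],
        "DesiredDeliveryMediums": ["EMAIL"],
    }
    if temporary_password is not None:  # omit the key and Cognito generates one
        kwargs["TemporaryPassword"] = temporary_password
    return client.admin_create_user(**kwargs)["User"]


def check_password_via_admin_auth(client: Any, user_pool_id: str, client_id: str,
                                  username: str, password: str) -> Tuple[bool, Optional[str]]:
    """For path 1: run an ADMIN_USER_PASSWORD_AUTH sign-in so the plaintext is
    evaluated. Returns (accepted, error_code). ASSUMES the pool's compromised-
    credentials action is BLOCK and the app client allows this flow; the error
    code a blocked sign-in produces is passed through rather than asserted."""
    try:
        client.admin_initiate_auth(
            UserPoolId=user_pool_id, ClientId=client_id,
            AuthFlow="ADMIN_USER_PASSWORD_AUTH",
            AuthParameters={"USERNAME": username, "PASSWORD": password},
        )
    except Exception as exc:  # botocore ClientError keeps the code in .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)
        return False, code
    return True, None


class StubCognito:
    """Constructed stand-in for boto3.client('cognito-idp'); records every call and
    blocks admin_initiate_auth for a fake breached-password set. The error code it
    raises (NotAuthorizedException) is an assumption about the real service."""

    class _Blocked(Exception):
        def __init__(self) -> None:
            super().__init__("sign-in blocked by stub")
            self.response = {"Error": {"Code": "NotAuthorizedException"}}

    def __init__(self, breached: frozenset = frozenset({"Password123!"})) -> None:
        self.breached = breached
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def admin_create_user(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("admin_create_user", kw))
        return {"User": {"Username": kw["Username"], "UserStatus": "FORCE_CHANGE_PASSWORD"}}

    def admin_set_user_password(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("admin_set_user_password", kw))
        return {}

    def admin_initiate_auth(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("admin_initiate_auth", kw))
        if kw["AuthParameters"]["PASSWORD"] in self.breached:
            raise self._Blocked()
        return {"AuthenticationResult": {"AccessToken": "stub-token"}}


if __name__ == "__main__":
    stub = StubCognito()
    create_user_with_permanent_password(stub, "eu-west-1_EXAMPLE", "alice",
                                        "alice@example.com", "Password123!")
    print([name for name, _ in stub.calls])  # no admin_initiate_auth: nothing evaluated
    print(check_password_via_admin_auth(stub, "eu-west-1_EXAMPLE", "app-client-id",
                                        "alice", "Password123!"))
```

The call log in path 1 makes the asker's observation concrete: the password reaches Cognito only through AdminSetUserPassword, never through a sign-in, so nothing is evaluated. Path 2 moves the choice of permanent password into an auth flow the user completes, and the auth-based check is the option for backends that must set the password themselves.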
