AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-06-07 · Documentation low

File: securityhub/latest/userguide/cognito-controls.md

Summary

Updated documentation for Amazon Cognito threat protection controls, clarifying enforcement modes and standard authentication requirements.

Security assessment

The changes clarify security-related configurations (threat protection enforcement modes) but do not address a specific security vulnerability. The updates improve documentation accuracy for existing security features.

Diff

diff --git a/securityhub/latest/userguide/cognito-controls.md b/securityhub/latest/userguide/cognito-controls.md
index c6738ef15..228ebb2e6 100644
--- a//securityhub/latest/userguide/cognito-controls.md
+++ b//securityhub/latest/userguide/cognito-controls.md
@@ -9,3 +9 @@
-These AWS Security Hub controls evaluate the Amazon Cognito service and resources.
-
-These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
+This AWS Security Hub control evaluates the Amazon Cognito service and resources. The control might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
@@ -29 +27 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-`SecurityMode` |  The threat protection enforcement mode that the control checks for |  String |  `AUDIT`, `ENFORCED` |  `ENFORCED`  
+`SecurityMode` |  The threat protection enforcement mode that the control checks for. |  String |  `AUDIT`, `ENFORCED` |  `ENFORCED`  
@@ -31 +29 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va
-This control checks whether an Amazon Cognito user pool has threat protection activated with the enforcement mode set to full function. The control fails if the user pool has threat protection deactivated or if the enforcement mode isn't set to full function. Unless you provide custom parameter values, Security Hub uses the default value of `ENFORCED` for enforcement mode set to full function.
+This control checks whether an Amazon Cognito user pool has threat protection activated with the enforcement mode set to full function for standard authentication. The control fails if the user pool has threat protection deactivated or if the enforcement mode isn't set to full function for standard authentication. Unless you provide custom parameter values, Security Hub uses the default value of `ENFORCED` for enforcement mode set to full function for standard authentication.
@@ -33 +31 @@ This control checks whether an Amazon Cognito user pool has threat protection ac
-After you create a Cognito user pool, you can activate threat protection and customize the actions that are taken in response to different risks. Or, you can use audit mode to gather metrics on detected risks without applying any security mitigations. In audit mode, threat protection publishes metrics to Amazon CloudWatch. You can see metrics after Cognito generates its first event.
+After you create an Amazon Cognito user pool, you can activate threat protection and customize the actions that are taken in response to different risks. Or, you can use audit mode to gather metrics on detected risks without applying any security mitigations. In audit mode, threat protection publishes metrics to Amazon CloudWatch. You can see metrics after Amazon Cognito generates its first event.
@@ -37 +35 @@ After you create a Cognito user pool, you can activate threat protection and cus
-To activate threat protection for a Cognito user pool, see [Advanced security with threat protection](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html) in the _Amazon Cognito Developer Guide_.
+For information about activating threat protection for an Amazon Cognito user pool, see [Advanced security with threat protection](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html) in the _Amazon Cognito Developer Guide_.