AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-07-25 · Documentation low

File: cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.md

Summary

Expanded documentation on compromised credential checks to include specific user activities (sign-up, sign-in, password reset) and API operations involved in credential validation.

Security assessment

The changes clarify when compromised credential checks occur (e.g., during sign-up, password reset) and specify API operations involved. While this enhances documentation of a security feature (compromised credential detection), there is no evidence of addressing a specific vulnerability or incident.

Diff

diff --git a/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.md b/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.md
index 56c8441b5..4fc15fc44 100644
--- a//cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.md
+++ b//cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.md
@@ -7 +7 @@
-Amazon Cognito can detect if a user's username and password have been compromised elsewhere. This can happen when users reuse credentials at more than one site, or when they use insecure passwords. Amazon Cognito checks _local users_ who sign in with username and password, in managed login and with the Amazon Cognito API. A local user exists exclusively in your user pool directory without federation through an external IdP.
+Amazon Cognito can detect if a user's username and password have been compromised elsewhere. This can happen when users reuse credentials at more than one site, or when they use insecure passwords. Amazon Cognito checks [local users](./cognito-terms.html#terms-localuser) who sign in with username and password, in managed login and with the Amazon Cognito API.
@@ -13 +13,11 @@ When you choose **Allow sign-in** , you can review Amazon CloudWatch Logs to mon
-###### Note
+Compromised credentials can check passwords for the following user activity.
+
+**Sign-up**
+    
+
+Your user pool checks the passwords that users transmit in the [SignUp](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html) operation and from the sign-up page of managed login for indicators of compromise.
+
+**Sign-in**
+    
+
+Your user pool checks passwords that users submit in password-based sign-in for indicators of compromise. Amazon Cognito can review the `ADMIN_USER_PASSWORD_AUTH` flow in [AdminInitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html), the `USER_PASSWORD_AUTH` flow in [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html), and the `PASSWORD` option of the `USER_AUTH` flow in both.
@@ -17 +27,6 @@ Currently, Amazon Cognito doesn't check for compromised credentials for sign-in
-Amazon Cognito checks sign-ins that use the [AdminInitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html) API with `ADMIN_USER_PASSWORD_AUTH` flow, and the [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) API with `USER_PASSWORD_AUTH` flow, for compromised credentials.
+**Password reset**
+    
+
+Your user pool checks for indicators of compromise in operations that set new user passwords with the [ConfirmForgotPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html) self-service password reset operation. The code that's required for this operation is generated by [ForgotPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html) and [AdminResetUserPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html).
+
+Compromised credentials doesn't check temporary or permanent administrator-set passwords set with [AdminSetUserPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html). However, with temporary passwords, your user pool checks passwords from responses to the `NEW_PASSWORD_REQUIRED` challenge in [RespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html) and [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html).