
Cognito User Pool Error AwsSolutions-COG3

See original GitHub issue

General Issue

My stack adds “AdvancedSecurityMode”: “ENFORCED” but cdk-nag raises an error.

The Question

I am running CDK 2.41.0 (build 6ad48a3) on Windows 10 using Python 3.9.12. I am deploying a Cognito User Pool. Since CDK apparently does not support “AdvancedSecurityMode”, I used the CloudFormation “escape hatch” to add it to my User Pool.

        # CDK escape hatch: node.default_child is the L1 CfnUserPool behind the
        # L2 UserPool; add_property_override writes the raw CloudFormation
        # property into the synthesized template.
        cfn_user_pool = user_pool.node.default_child
        cfn_user_pool.add_property_override(
            'UserPoolAddOns.AdvancedSecurityMode',
            'ENFORCED'
        )

When I deploy my stack, I can see in the AWS Console that my User Pool does have “AdvancedSecurityMode” enabled. But cdk-nag doesn’t see it. The output is:

[Error at /Cognito-test-ech/CognitoUserPool/Resource] AwsSolutions-COG3: The Cognito user pool does not have AdvancedSecurityMode set to ENFORCED.

I am not clear on how cdk-nag introspects my stack, so I didn’t open a Bug, but I need help understanding if this is a bug or not.

cdk-nag version

“2.18.12”

Language

Python

Other information

No response
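The question above hinges on whether the escape-hatch override actually reaches the synthesized template, separately from what cdk-nag reports. The following is an added example (not code from the issue or from the cdk-nag project): a stand-alone check over the CloudFormation JSON that `cdk synth` writes to `cdk.out/<StackName>.template.json`, flagging every `AWS::Cognito::UserPool` whose `UserPoolAddOns.AdvancedSecurityMode` is not `ENFORCED`. The sample template, the logical IDs in it and the `Cognito-test-ech.template.json` path are constructed for illustration from the stack name in the error message.

```python
"""Check synthesized CDK/CloudFormation templates for Cognito AdvancedSecurityMode.

Added example, not part of the original issue or of cdk-nag. It reads the
cdk synth output (cdk.out/<StackName>.template.json) and reports user pools
that are not in ENFORCED mode, so the result of an escape-hatch override can
be verified directly in the template cdk-nag is supposed to reflect.
"""
from __future__ import annotations  # allow `str | None` annotations on Python 3.9

import json

USER_POOL_TYPE = "AWS::Cognito::UserPool"
REQUIRED_MODE = "ENFORCED"


def advanced_security_mode(resource: dict) -> str | None:
    """Return AdvancedSecurityMode of a user pool resource, or None when it is unset.

    A value that is a CloudFormation intrinsic (e.g. {"Ref": "..."}) also returns
    None: the template alone cannot prove it resolves to ENFORCED, so it is
    treated as a finding rather than silently accepted.
    """
    props = resource.get("Properties") or {}
    add_ons = props.get("UserPoolAddOns") or {}
    mode = add_ons.get("AdvancedSecurityMode")
    return mode if isinstance(mode, str) else None


def check_user_pools(template: dict) -> dict[str, str | None]:
    """Map each user pool logical ID in the template to its AdvancedSecurityMode."""
    resources = template.get("Resources", {})
    return {
        logical_id: advanced_security_mode(res)
        for logical_id, res in resources.items()
        if res.get("Type") == USER_POOL_TYPE
    }


def noncompliant_user_pools(template: dict) -> list[str]:
    """Sorted logical IDs of user pools whose AdvancedSecurityMode is not ENFORCED."""
    return sorted(
        logical_id
        for logical_id, mode in check_user_pools(template).items()
        if mode != REQUIRED_MODE
    )


def load_template(path: str) -> dict:
    """Load a cdk synth output file, e.g. cdk.out/Cognito-test-ech.template.json."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample template: one pool with the override applied (ENFORCED),
# one legacy pool with no add-ons at all, one pool in AUDIT mode, and an
# unrelated resource that the check must ignore.
SAMPLE_TEMPLATE = {
    "Resources": {
        "CognitoUserPoolABC123": {
            "Type": "AWS::Cognito::UserPool",
            "Properties": {
                "UserPoolName": "example",
                "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"},
            },
        },
        "LegacyPoolDEF456": {
            "Type": "AWS::Cognito::UserPool",
            "Properties": {"UserPoolName": "legacy"},
        },
        "AuditPoolGHI789": {
            "Type": "AWS::Cognito::UserPool",
            "Properties": {"UserPoolAddOns": {"AdvancedSecurityMode": "AUDIT"}},
        },
        "SomeBucket": {"Type": "AWS::S3::Bucket"},
    }
}


if __name__ == "__main__":
    # Run against the constructed sample; replace with
    # load_template("cdk.out/Cognito-test-ech.template.json") after `cdk synth`.
    findings = noncompliant_user_pools(SAMPLE_TEMPLATE)
    for logical_id in findings:
        print(f"{logical_id}: AdvancedSecurityMode is not {REQUIRED_MODE}")
    raise SystemExit(1 if findings else 0)
```

If this check passes on the synthesized template, the override reached CloudFormation, which matches what the asker saw in the console. Why cdk-nag still reports COG3 is not explained in the comments shown on this page; a plausible cause to verify (an assumption, not something the thread confirms) is that the rule inspects the L1 construct's own `user_pool_add_ons` property during synthesis, while `add_property_override` records a raw override that is merged into the template later and is not visible through that property. Two things worth trying under that assumption: set the L1 property directly (`cfn_user_pool.user_pool_add_ons = cognito.CfnUserPool.UserPoolAddOnsProperty(advanced_security_mode="ENFORCED")`), or, on CDK releases whose `UserPool` construct exposes an `advanced_security_mode` prop, use that. Only fall back to a `NagSuppressions.add_resource_suppressions` entry for `AwsSolutions-COG3` once a template check like the one above has confirmed the setting, and record that evidence in the suppression reason.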

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 5

Top GitHub Comments

1 reaction
jrobbins-LiveData commented, Sep 16, 2022

I understand. I guess I was initially surprised that cdk-nag would raise an error about a resource setting that CDK doesn’t allow one to set. But, it is definitely better to know about it in order to do something about it! Thanks for explaining!

0 reactions
jrobbins-LiveData commented, Sep 17, 2022

I initially thought that cdk-nag would tell me I hadn’t set the right property using CDK, and so I was surprised to get “nagged” about something that CDK doesn’t let me (directly) fix. But it all makes sense, as I know CDK is a work-in-progress. I’m glad the rules are independent of what’s easy to do with CDK, because we want to make our app secure, and need to know. Thanks again!
