Is there a way to enforce password expiration policy on users in Amazon Cognito user pools?
The default setting is 7 days, measured from the time when an administrator or the user creates the account. The maximum setting is 365 days. After the account expires, the user can't log in to the account until you update the user's profile. To do this, update an attribute or resend the password to the user.
If a password expires, the IAM user can't sign in to the AWS Management Console but can continue to use their access keys. When you create or change a password policy, most of the password policy settings are enforced the next time your users change their passwords.
So, what happens when a password expires in Active Directory? The account will not be locked, but the user will have to change the password before they can access domain resources.
In the menu on the left, navigate to Computer Configuration>Windows Settings>Security Settings>Account Policies>Password Policy, and double-click “Maximum Password Age.” Change the value from “42” to your preferred length of days, and then click “OK” to save the setting.
It doesn't look like expiration is built into the password policy. You could track password expiration by adding a passwordUpdatedAt field and manually updating that attribute on user sign up and on changePassword. Then you could schedule something that queries users with expired passwords and call AdminResetUserPassword for those users. It would be somewhat more reliable if AWS published Cognito Userpoool User events like changePassword or just baked it into the service.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With