AWS recently introduced deletion protection for Amazon Cognito user pools. This matters mainly if you use the DeleteUserPool API: in the past, a call to it deleted the user pool immediately, production resources included. Deletion protection is enabled by default for all new user pools. For existing user pools you need to change the configuration and activate it manually in the console or via the API.
If you try to delete a user pool via the console or the API while deletion protection is active, the request is rejected and you are asked to deactivate deletion protection first:
[[email protected] ~]$ aws cognito-idp delete-user-pool --user-pool-id us-east-2_e91EiIOuP

An error occurred (InvalidParameterException) when calling the DeleteUserPool operation: The user pool cannot be deleted because deletion protection is activated. Deletion protection must be inactivated first.
Disable/Activate Cognito deletion protection
If you need to disable or activate deletion protection, you can use the AWS Command Line Interface (CLI) or an AWS SDK.

For the AWS CLI, use the update-user-pool command with the --deletion-protection argument and a value of ACTIVE or INACTIVE:

aws cognito-idp update-user-pool --user-pool-id us-east-2_e91EiIOuP --deletion-protection INACTIVE --auto-verified-attributes email
If you are using the AWS SDK (boto3 here), create a cognito-idp client and call its update_user_pool function. You pass DeletionProtection with a value of ACTIVE or INACTIVE:

import boto3

client = boto3.client('cognito-idp')

def lambda_handler(event, context):
    # Deactivate deletion protection on the pool; keyword arguments, not dict syntax
    response = client.update_user_pool(
        UserPoolId='us-east-2_e91EiIOuP',
        DeletionProtection='INACTIVE',
        AutoVerifiedAttributes=['email']
    )
    return response
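One caveat with update-user-pool and update_user_pool: any setting you do not pass is reset to its default, which is why the commands above also repeat AutoVerifiedAttributes. The following added example (not code from the original post) reads the pool with describe_user_pool first and carries the existing configuration into the update, so only DeletionProtection changes; the user pool ID is a placeholder, and the client is passed in so the logic can be exercised without AWS credentials.

```python
"""Toggle Cognito deletion protection without resetting the rest of the pool config."""
import copy

# UpdateUserPool request fields that Cognito resets to defaults when omitted.
# This list mirrors the UpdateUserPool parameters that DescribeUserPool also returns.
CARRY_OVER_FIELDS = (
    "Policies", "LambdaConfig", "AutoVerifiedAttributes", "SmsVerificationMessage",
    "EmailVerificationMessage", "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "UserAttributeUpdateSettings", "MfaConfiguration",
    "DeviceConfiguration", "EmailConfiguration", "SmsConfiguration", "UserPoolTags",
    "AdminCreateUserConfig", "UserPoolAddOns", "AccountRecoverySetting",
)

VALID_STATES = ("ACTIVE", "INACTIVE")


def build_update_request(pool, state):
    """Build UpdateUserPool kwargs: the pool's current settings plus the new DeletionProtection."""
    if state not in VALID_STATES:
        raise ValueError(f"DeletionProtection must be one of {VALID_STATES}, got {state!r}")
    request = {"UserPoolId": pool["Id"], "DeletionProtection": state}
    for field in CARRY_OVER_FIELDS:
        if field in pool:
            request[field] = copy.deepcopy(pool[field])  # copy so the describe result is untouched
    # Legacy field that conflicts with Policies.PasswordPolicy.TemporaryPasswordValidityDays
    # when both are sent back; drop it so the carried-over config is accepted.
    request.get("AdminCreateUserConfig", {}).pop("UnusedAccountValidityDays", None)
    return request


def set_deletion_protection(client, user_pool_id, state):
    """Read the pool, then write it back with DeletionProtection=state and all else preserved.

    Returns the new state, or None when the pool already had it (no write, no CloudTrail event).
    """
    pool = client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    if pool.get("DeletionProtection") == state:
        return None
    client.update_user_pool(**build_update_request(pool, state))
    return state


if __name__ == "__main__":
    import sys
    import boto3  # only needed for the live call, e.g. set_protection.py us-east-2_EXAMPLE ACTIVE
    cognito = boto3.client("cognito-idp")
    print(set_deletion_protection(cognito, sys.argv[1], sys.argv[2]))
```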
Make sure your AWS CLI and SDK are updated to the most recent version, as older releases do not know the deletion protection parameter.

alexanderhose:~/ $ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
alexanderhose:~/ $ unzip awscliv2.zip
alexanderhose:~/ $ sudo ./aws/install

alexanderhose:~/ $ pip install boto3