AWS recently introduced deletion protection for Amazon Cognito. This is mainly useful if you are using the DeleteUserPool API as it immediately deleted a user pool in the past, even production resources. Deletion protection is automatically enabled for all new user pools by default. For existing user pools you need to change the configuration and activate it manually or via the API.

Enjoy this article? Subscribe to receive the latest news about cloud security here 📫

If you are trying to delete a user pool via the console or API, you will be prompted to deactivate the deletion protection first.

[[email protected] ~]$ aws cognito-idp delete-user-pool --user-pool-id us-east-2_e91EiIOuP

An error occurred (InvalidParameterException) when calling the DeleteUserPool operation: The user pool cannot be deleted because deletion protection is activated. Deletion protection must be inactivated first.

Disable/Activate Cognito deletion protection

If you need to disable or activate the deletion protection you can use the AWS Command Line Interface (CLI) or AWS SDK.

For the AWS CLI, you need to use the update-user-pool command with the arguments --user-pool-id and --deletion-protection and a value of ACTIVE or INACTIVE.

aws cognito-idp update-user-pool --user-pool-id us-east-2_e91EiIOuP --deletion-protection INACTIVE --auto-verified-attributes email

If you are using the AWS SDK, we need to create a new cognito-idp client and then call the update_user_pool function. You pass the UserPoolId and DeletionProtection , the value can be 'ACTIVE' or 'INACTIVE' again.

import boto3

client = boto3.client('cognito-idp')

def lambda_handler(event, context):
    response = client.update_user_pool(
        AutoVerifiedAttributes: ["email"]

    return response


Make sure your AWS CLI and SDK are updated to the most recent version.


alexanderhose:~/ $ curl "" -o ""
alexanderhose:~/ $ unzip
alexanderhose:~/ $ sudo ./aws/install


alexanderhose:~/ $ pip install boto3
Share this post