Well Architected Cognito user pool

Default Configuration

  • Account Recovery: Email
  • MFA required: True
  • Self Signup enabled: True
  • Removal Policy: Retain in Production
  • Generated password validity: One day in Production

Default Alarms

  1. SignUp Throttle Alarm
    • Risk Level: High
    • Well Architected Pillar: Reliability, Performance

Note that the default alarm uses the WaAlarm construct, which sets up an alarm action to notify the SNS Topic AlarmEventsTopic by default.


Default Usage

new WaUserPool(this, "LogicalId", {});

Custom Configuration

// Import path assumes CDK v2; on CDK v1 the module is "@aws-cdk/aws-cognito".
import * as cognito from "aws-cdk-lib/aws-cognito";

new WaUserPool(this, "LogicalId", {
  accountRecovery: cognito.AccountRecovery.EMAIL_ONLY,
});


It addresses the following compliance requirements

  1. MFA required by default
    • Risk Level: High
    • Compliance: NIST4
    • Well Architected Pillar: Security
  2. Device tracking
    • Risk Level: Medium
    • Compliance: APRA, MAS, NIST4
    • Well Architected Pillar: Security
  3. Strict password policy
    • Risk Level: High
    • Compliance: PCI, HIPAA, APRA, MAS, NIST4
    • Well Architected Pillar: Security
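The three controls above, together with the defaults listed under Default Configuration, are the settings a reviewer would check on any user pool, not only one created through WaUserPool. The following is an added example and not code from the construct library: a dependency-free policy check over a user-pool configuration object, with a weak configuration beside a hardened one. The field names (mfa, deviceTracking, passwordPolicy, accountRecovery, selfSignUpEnabled) mirror the corresponding aws-cdk-lib Cognito UserPoolProps, but the types are local stand-ins, and the minimum password length of 12 is this example's own threshold; the page does not state the construct's exact policy values.

```typescript
// Added example: policy-as-code audit of a Cognito user-pool configuration.
// Not the construct library's code. Types are local stand-ins whose field
// names mirror aws-cdk-lib UserPoolProps (assumption: same names/semantics).

type Mfa = "OFF" | "OPTIONAL" | "REQUIRED";
type AccountRecovery = "EMAIL_ONLY" | "PHONE_ONLY_WITHOUT_MFA" | "NONE";

interface PasswordPolicy {
  minLength: number;
  requireLowercase: boolean;
  requireUppercase: boolean;
  requireDigits: boolean;
  requireSymbols: boolean;
  tempPasswordValidityDays: number; // "Generated password validity" on the page
}

interface UserPoolConfig {
  mfa: Mfa;
  deviceTracking?: {
    challengeRequiredOnNewDevice: boolean;
    deviceOnlyRememberedOnUserPrompt: boolean;
  };
  passwordPolicy: PasswordPolicy;
  accountRecovery: AccountRecovery;
  selfSignUpEnabled: boolean;
}

interface Finding {
  control: string;
  risk: "High" | "Medium";
  detail: string;
}

// Thresholds are this example's assumptions, not values taken from the page.
const MIN_PASSWORD_LENGTH = 12;
const MAX_TEMP_PASSWORD_DAYS = 1; // page: one day in Production

function auditUserPool(cfg: UserPoolConfig): Finding[] {
  const findings: Finding[] = [];

  // Control 1: MFA required (High). OPTIONAL lets users opt out entirely.
  if (cfg.mfa !== "REQUIRED") {
    findings.push({ control: "MFA required", risk: "High", detail: `mfa is ${cfg.mfa}` });
  }

  // Control 2: device tracking (Medium). Without a challenge on a new device,
  // a stolen refresh token or password is usable from anywhere silently.
  if (!cfg.deviceTracking || !cfg.deviceTracking.challengeRequiredOnNewDevice) {
    findings.push({
      control: "Device tracking",
      risk: "Medium",
      detail: "deviceTracking.challengeRequiredOnNewDevice is not enabled",
    });
  }

  // Control 3: strict password policy (High). Collect every weakness so the
  // finding lists all of them rather than stopping at the first.
  const p = cfg.passwordPolicy;
  const weak: string[] = [];
  if (p.minLength < MIN_PASSWORD_LENGTH) weak.push(`minLength ${p.minLength} < ${MIN_PASSWORD_LENGTH}`);
  if (!p.requireLowercase) weak.push("lowercase not required");
  if (!p.requireUppercase) weak.push("uppercase not required");
  if (!p.requireDigits) weak.push("digits not required");
  if (!p.requireSymbols) weak.push("symbols not required");
  if (p.tempPasswordValidityDays > MAX_TEMP_PASSWORD_DAYS) {
    weak.push(`temporary password valid ${p.tempPasswordValidityDays} days > ${MAX_TEMP_PASSWORD_DAYS}`);
  }
  if (weak.length > 0) {
    findings.push({ control: "Strict password policy", risk: "High", detail: weak.join("; ") });
  }

  return findings;
}

// Constructed sample: a pool a developer might ship with defaults left alone.
const weakPool: UserPoolConfig = {
  mfa: "OPTIONAL",
  passwordPolicy: {
    minLength: 8,
    requireLowercase: true,
    requireUppercase: true,
    requireDigits: true,
    requireSymbols: false,
    tempPasswordValidityDays: 7,
  },
  accountRecovery: "PHONE_ONLY_WITHOUT_MFA",
  selfSignUpEnabled: true,
};

// Constructed sample: the same pool with the page's controls applied.
const hardenedPool: UserPoolConfig = {
  mfa: "REQUIRED",
  deviceTracking: { challengeRequiredOnNewDevice: true, deviceOnlyRememberedOnUserPrompt: true },
  passwordPolicy: {
    minLength: 12,
    requireLowercase: true,
    requireUppercase: true,
    requireDigits: true,
    requireSymbols: true,
    tempPasswordValidityDays: 1,
  },
  accountRecovery: "EMAIL_ONLY",
  selfSignUpEnabled: true,
};

for (const f of auditUserPool(weakPool)) {
  console.log(`[${f.risk}] ${f.control}: ${f.detail}`);
}
```

Running the block prints one line per failed control for weakPool and nothing for hardenedPool. The same function can be pointed at the props you pass to a plain cognito.UserPool to confirm it matches what WaUserPool applies by default.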


Hierarchy

  • UserPool
    • WaUserPool



alarms: Alarms = ...

All the default alarms configured for the Well Architected UserPool. You can add more alarms to, or delete default alarms from, this Alarms object.


  • Returns void

  • Parameters

    Returns undefined | {
        joined_on: DateTimeAttribute;
        role: StringAttribute;

Generated using TypeDoc