fix(cognito): remove overly strict validation for threat protection on non-PLUS plans#36027
Merged
mergify[bot] merged 3 commits intoaws:mainfrom Nov 14, 2025
Conversation
- Remove runtime validation of feature plan requirements for threat protection - Allow CloudFormation to handle validation of threat protection settings - Update test cases to generate CloudFormation templates instead of throwing errors - Preserve existing behavior for user pools with grandfathered configurations - Improve flexibility for user pool configuration across different feature plans This change allows more flexible configuration of Cognito User Pool threat protection settings during CDK synthesis, deferring strict validation to CloudFormation deployment time.
- Remove feature plan validation statement for Threat Protection - Add clarifying note about feature plan requirements for new user pools - Improve documentation readability for Threat Protection section - Explain CDK and CloudFormation behavior for threat protection configuration
github-actions
bot
added
bug
aws-cdk-automation
previously requested changes
Nov 12, 2025
Contributor
Author
|
Exemption Request - remove synth-time validations. No integ tests update required. |
aws-cdk-automation
added
the
pr-linter/exemption-requested
leonmk-aws
approved these changes
Nov 12, 2025
leonmk-aws
added
the
pr-linter/exempt-integ-test
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
Contributor
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Contributor
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Contributor
|
Comments on closed issues and PRs are hard for our team to see. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue # (if applicable)
Closes #36023.
Reason for this change
CDK v2.181.0 introduced validation that blocks deployments of existing Cognito User Pools with threat protection enabled on LITE feature plans. This validation incorrectly assumes all user pools must follow current AWS requirements, but existing user pools on LITE plans are grandfathered and can legitimately use threat protection. This regression prevents users from upgrading CDK beyond v2.160.0.
Description of changes
Removed two CDK-level validation blocks in
UserPoolconstruct that incorrectly rejected threat protection configurations on non-PLUS feature plans:advancedSecurityMode(deprecated property) on LITE/ESSENTIALS plansstandardThreatProtectionModeandcustomThreatProtectionModeon LITE/ESSENTIALS plansRationale: CDK cannot determine the actual feature plan of existing user pools at synthesis time. CloudFormation validates feature plan requirements at deployment time, which correctly allows grandfathered user pools to continue working while still catching invalid configurations for new resources.
Describe any new or updated permissions being added
N/A - No IAM permissions or resource access changes.
Description of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license