Cognito User Pool: CDK Version update blocking existing user pools threat protection

[HeikoMR]

Describe the bug

Hello,

We have existing userpools that use advancedSecurityMode: cognito.AdvancedSecurityMode.AUDIT, wich is deprecated with the new version, but the main point is that cdk is blocking the deployment because of a validation error:

ValidationError: you cannot enable Threat Protection when feature plan is not Plus

This should not be there for existing deployments, since they still can use the threat protection while using just the default lite protection plan.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

2.160.0

Expected Behavior

I should be able to do a cdk diff & deploy without getting blocked by a Validation Error that only counts for new deployments

Current Behavior

I get a validation error during a cdk diff:
ValidationError: you cannot enable Threat Protection when feature plan is not Plus

Even though my userpool is old and is not actually affected by this.

Reproduction Steps

Use version v2.223.0
Have an existing userpool that is older than one year and has an advancedSecurityMode attribute set.

const pool = new cognito.UserPool(this, `xyz`, {
      userPoolName: 'xyz',
      advancedSecurityMode: cognito.AdvancedSecurityMode.AUDIT,
      .....

Possible Solution

Remove the validation on cdk level and let the error be handled by aws cloudformation during deployment.

Additional Information/Context

New user pools start in essential feature plan and can upgrade to plus.
Existing user pools are using a lite plan and can upgrade either to essentials or plus plan ( atleast in our case). Additionally our existing 1+ year old user pools that run in light plan can use the threat protection without problems.

AWS CDK Library version (aws-cdk-lib)

2.223.0

AWS CDK CLI version

2.1031.2

Node.js Version

24.10.0

OS

MacOs Tahoe 26.0.1

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Documentation Evidence

From AWS Cognito Pricing - Lite tier section:

│ **Note: Customers with existing user pools created on or before 10:00am Pacific Time, November 22, 2024 will continue having a free tier of first 50,000 MAUs. Advanced
Security Features (ASF) will continue to be priced separately and will not have a free tier, just like it has been priced previously.**

And from the ASF pricing section:

│ **Advanced Security Features**
│
│ If you enable advanced security features for Amazon Cognito, additional prices apply for monthly active users as shown in the table below. This includes audit mode. ASF
pricing is the same as the pricing was listed before November 22, 2024.
│
│ Advanced security features include compromised credentials detection, adaptive authentication, advanced security metrics, and access token customization.

And the example:

│ **Example 2: Your user pool is configured with Amazon Cognito Lite as pricing tier with ASF enabled**
│
│ If your Cognito user pool has 950,000 MAUs and all MAUs sign-in directly or via social identity providers, then your monthly bill will be computed as follows:
│ - Cognito Lite MAU cost (monthly): $4,405
│ - Advanced security feature cost (monthly): $21,250
│ - Total: $25,655

Key Findings:

1. LITE tier CAN have Advanced Security Features (ASF) - it's an add-on that's priced separately
2. Legacy user pools (created before Nov 22, 2024) on LITE can keep ASF enabled
3. ASF on LITE is the old pricing model - separate from the tier pricing
4. The new PLUS tier includes ASF in the base price (no separate charge)

This explains the user's situation:
• Their 1+ year old user pool is on LITE plan
• They have ASF (Advanced Security Mode: AUDIT) enabled as a separate add-on
• This is a valid, supported configuration in AWS
• CDK v2.223.0 incorrectly blocks this because it assumes threat protection requires PLUS tier

The CDK validation is wrong because it doesn't account for the legacy ASF add-on model on LITE tier.

Why Remove the Validation:

1. CDK cannot determine the actual state - It doesn't know if:
   • User pool is new (requires PLUS for threat protection)
   • User pool is legacy with ASF add-on (LITE + ASF is valid)
   • User pool already exists in AWS with this configuration

2. CloudFormation has the context - The service knows:
   • Whether the user pool exists
   • What plan it's on
   • Whether the configuration change is valid
   • Legacy vs new pricing models

3. False positives block valid deployments - Current validation prevents managing existing, working resources

4. Follows CDK best practices - From the issue:

Remove the validation on cdk level and let the error be handled by aws cloudformation during deployment.

Recommended Fix:

Remove these validation blocks from user-pool.ts:

// Lines 1387-1392 - Remove this
if (
  props.featurePlan !== FeaturePlan.PLUS &&
  (props.advancedSecurityMode && (props.advancedSecurityMode !== AdvancedSecurityMode.OFF))
) {
  throw new ValidationError('you cannot enable Advanced Security when feature plan is not Plus.', this);
}

// Lines 1395-1401 - Remove this
if (
  (props.featurePlan !== FeaturePlan.PLUS) &&
  (props.standardThreatProtectionMode && (props.standardThreatProtectionMode !== StandardThreatProtectionMode.NO_ENFORCEMENT) ||
  advancedSecurityAdditionalFlows)
) {
  throw new ValidationError('you cannot enable Threat Protection when feature plan is not Plus.', this);
}

Let CloudFormation return the appropriate error if the configuration is truly invalid for new user pools.

Follow up

Making this a p1 and I'll submit an immediate PR today.

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.