For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-cognito-userpool-without-mfa.md. A documentation index is available at /llms.txt.

Cognito user pool without MFA

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-cognito-userpool-without-mfa

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Best Practices

Learn More

Description

Cognito User Pools must enable or allow multi-factor authentication (MFA) to protect user accounts from compromised credentials and reduce the risk of account takeover and unauthorized access. The MfaConfiguration property in AWS::Cognito::UserPool must be defined and set to ON (enforce MFA for all users) or OPTIONAL (allow users to enable MFA). Resources that omit MfaConfiguration or set it to OFF will be flagged. When enabling or allowing MFA, also configure an MFA provider such as SoftwareTokenMfaConfiguration or SmsConfiguration so MFA can operate correctly.

Secure configuration example (CloudFormation YAML):

MyUserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    UserPoolName: my-user-pool
    MfaConfiguration: ON
    SoftwareTokenMfaConfiguration:
      Enabled: true

Compliant Code Examples

Resources:
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      AutoVerifiedAttributes:
        - phone_number
      MfaConfiguration: "ON"
      SmsConfiguration:
        ExternalId: !Sub ${AuthName}-external
        SnsCallerArn: !GetAtt SNSRole.Arn
  UserPool2:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      AutoVerifiedAttributes:
        - phone_number
      MfaConfiguration: "OPTIONAL"
      SmsConfiguration:
        ExternalId: !Sub ${AuthName}-external
        SnsCallerArn: !GetAtt SNSRole.Arn

{
  "Resources": {
    "UserPool": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "UserPoolName": "${AuthName}-user-pool",
        "AutoVerifiedAttributes": [
          "phone_number"
        ],
        "MfaConfiguration": "ON",
        "SmsConfiguration": {
          "ExternalId": "${AuthName}-external",
          "SnsCallerArn": "SNSRole.Arn"
        }
      }
    },
    "UserPool2": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "UserPoolName": "${AuthName}-user-pool",
        "AutoVerifiedAttributes": [
          "phone_number"
        ],
        "MfaConfiguration": "OPTIONAL",
        "SmsConfiguration": {
          "ExternalId": "${AuthName}-external",
          "SnsCallerArn": "SNSRole.Arn"
        }
      }
    }
  }
}

Non-Compliant Code Examples

Resources:
  UserPool2:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      AutoVerifiedAttributes:
        - phone_number
      MfaConfiguration: "OFF"
      SmsConfiguration:
        ExternalId: !Sub ${AuthName}-external
        SnsCallerArn: !GetAtt SNSRole.Arn
  UserPool4:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      AutoVerifiedAttributes:
        - phone_number
      SmsConfiguration:
        ExternalId: !Sub ${AuthName}-external
        SnsCallerArn: !GetAtt SNSRole.Arn

{
  "Resources": {
    "UserPool2": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "UserPoolName": "${AuthName}-user-pool",
        "AutoVerifiedAttributes": [
          "phone_number"
        ],
        "MfaConfiguration": "OFF",
        "SmsConfiguration": {
          "ExternalId": "${AuthName}-external",
          "SnsCallerArn": "SNSRole.Arn"
        }
      }
    },
    "UserPool4": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "SmsConfiguration": {
          "ExternalId": "${AuthName}-external",
          "SnsCallerArn": "SNSRole.Arn"
        },
        "UserPoolName": "${AuthName}-user-pool",
        "AutoVerifiedAttributes": [
          "phone_number"
        ]
      }
    }
  }
}