--- title: Cognito user pool without MFA description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Cognito user pool without MFA --- # Cognito user pool without MFA {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `ec28bf61-a474-4dbe-b414-6dd3a067d6f0` **Cloud Provider:** AWS **Platform:** Terraform **Severity:** Low **Category:** Best Practices #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool) ### Description{% #description %} AWS Cognito user pools should have Multi-Factor Authentication (MFA) enabled to enhance the security of user accounts. If the `mfa_configuration` attribute is set to `"OFF"` or left undefined, as in the following example, users are only required to use a single authentication factor, making their accounts more susceptible to unauthorized access if credentials are compromised. ``` resource "aws_cognito_user_pool" "example" { mfa_configuration = "OFF" // ... other configuration ... } ``` Enabling MFA (for example, `mfa_configuration = "ON"` or `"OPTIONAL"`) significantly reduces the risk of account takeover by requiring an additional authentication factor. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_cognito_user_pool" "negative1" { # ... other configuration ... mfa_configuration = "ON" sms_authentication_message = "Your code is {####}" sms_configuration { external_id = "example" sns_caller_arn = aws_iam_role.example.arn } } resource "aws_cognito_user_pool" "negative2" { # ... other configuration ... mfa_configuration = "OPTIONAL" sms_authentication_message = "Your code is {####}" software_token_mfa_configuration { enabled = true } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_cognito_user_pool" "positive1" { # ... other configuration ... sms_authentication_message = "Your code is {####}" sms_configuration { external_id = "example" sns_caller_arn = aws_iam_role.example.arn } software_token_mfa_configuration { enabled = true } } resource "aws_cognito_user_pool" "positive2" { # ... other configuration ... mfa_configuration = "OFF" sms_authentication_message = "Your code is {####}" sms_configuration { external_id = "example" sns_caller_arn = aws_iam_role.example.arn } software_token_mfa_configuration { enabled = true } } resource "aws_cognito_user_pool" "positive3" { # ... other configuration ... mfa_configuration = "ON" sms_authentication_message = "Your code is {####}" } ```