Cognito UserPool Without MFA
- Query id: ec28bf61-a474-4dbe-b414-6dd3a067d6f0
- Query name: Cognito UserPool Without MFA
- Platform: Terraform
- Severity: Medium
- Category: Best Practices
- URL: Github
Description
AWS Cognito user pools should have MFA (Multi-Factor Authentication) enabled for their users: mfa_configuration must be set to ON or OPTIONAL (the Terraform AWS provider defaults it to OFF when the attribute is omitted), and at least one MFA method must be configured, either an sms_configuration block or a software_token_mfa_configuration block with enabled = true. Without a second factor, a stolen or guessed password alone is enough to sign in. Note that OPTIONAL only lets users enroll a second factor; use ON where every user must have one.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```tf
# Flagged: mfa_configuration is omitted, so it defaults to OFF
resource "aws_cognito_user_pool" "positive1" {
  # ... other configuration ...
  sms_authentication_message = "Your code is {####}"
  sms_configuration {
    external_id    = "example"
    sns_caller_arn = aws_iam_role.example.arn
  }
  software_token_mfa_configuration {
    enabled = true
  }
}

# Flagged: MFA is explicitly disabled, even though MFA methods are configured
resource "aws_cognito_user_pool" "positive2" {
  # ... other configuration ...
  mfa_configuration          = "OFF"
  sms_authentication_message = "Your code is {####}"
  sms_configuration {
    external_id    = "example"
    sns_caller_arn = aws_iam_role.example.arn
  }
  software_token_mfa_configuration {
    enabled = true
  }
}

# Flagged: MFA is ON but no MFA method (SMS or software token) is defined
resource "aws_cognito_user_pool" "positive3" {
  # ... other configuration ...
  mfa_configuration          = "ON"
  sms_authentication_message = "Your code is {####}"
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```tf
# Compliant: MFA is required and SMS is configured as the method
resource "aws_cognito_user_pool" "negative1" {
  # ... other configuration ...
  mfa_configuration          = "ON"
  sms_authentication_message = "Your code is {####}"
  sms_configuration {
    external_id    = "example"
    sns_caller_arn = aws_iam_role.example.arn
  }
}

# Compliant: MFA is available to users and a software token (TOTP) method is enabled
resource "aws_cognito_user_pool" "negative2" {
  # ... other configuration ...
  mfa_configuration          = "OPTIONAL"
  sms_authentication_message = "Your code is {####}"
  software_token_mfa_configuration {
    enabled = true
  }
}
```
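To make the rule behind these samples concrete, the following added example (not the KICS Rego query and not part of this page's original content) implements the same check in Python and runs it over the five resources above. It uses a deliberately simplified, regex-based reader of the aws_cognito_user_pool resource body that handles only the shape shown here (one level of nested blocks); the sample HCL is constructed from the page's own samples, and the resource names and the Finding class are this example's own.

```python
"""Minimal re-implementation of the "Cognito UserPool Without MFA" rule.

Assumptions (this example's own, not the KICS query):
  * resources are top-level `resource "aws_cognito_user_pool" "<name>" { ... }` blocks;
  * nesting is at most one level deep (sms_configuration / software_token_mfa_configuration);
  * an omitted mfa_configuration means OFF, which is the Terraform AWS provider default.
"""
import re
from dataclasses import dataclass

RESOURCE_RE = re.compile(r'resource\s+"aws_cognito_user_pool"\s+"([^"]+)"\s*\{')
MFA_RE = re.compile(r'^\s*mfa_configuration\s*=\s*"([^"]*)"', re.M)
SMS_RE = re.compile(r'^\s*sms_configuration\s*\{', re.M)
TOTP_RE = re.compile(r'^\s*software_token_mfa_configuration\s*\{([^}]*)\}', re.M)
ENABLED_RE = re.compile(r'^\s*enabled\s*=\s*true\b', re.M)


@dataclass
class Finding:
    resource: str
    reason: str


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between text[open_brace] == '{' and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def check_user_pools(hcl: str) -> list[Finding]:
    """Flag every aws_cognito_user_pool that does not enforce or offer MFA."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        name = m.group(1)
        body = _block_body(hcl, m.end() - 1)  # m.end()-1 is the '{' matched by RESOURCE_RE
        mfa = MFA_RE.search(body)
        mode = mfa.group(1) if mfa else "OFF"  # provider default when attribute is omitted
        if mode not in ("ON", "OPTIONAL"):
            detail = f'mfa_configuration is "{mode}"' if mfa else "mfa_configuration is omitted (defaults to OFF)"
            findings.append(Finding(name, detail))
            continue
        has_sms = SMS_RE.search(body) is not None
        totp = TOTP_RE.search(body)
        has_totp = totp is not None and ENABLED_RE.search(totp.group(1)) is not None
        if not (has_sms or has_totp):
            findings.append(Finding(
                name,
                f"mfa_configuration is {mode} but neither sms_configuration nor "
                "software_token_mfa_configuration (enabled = true) is defined",
            ))
    return findings


# Constructed input: the three positive and two negative samples from this page.
SAMPLE_HCL = '''
resource "aws_cognito_user_pool" "positive1" {
  sms_authentication_message = "Your code is {####}"
  sms_configuration {
    external_id    = "example"
    sns_caller_arn = aws_iam_role.example.arn
  }
  software_token_mfa_configuration {
    enabled = true
  }
}
resource "aws_cognito_user_pool" "positive2" {
  mfa_configuration          = "OFF"
  sms_authentication_message = "Your code is {####}"
  sms_configuration {
    external_id    = "example"
    sns_caller_arn = aws_iam_role.example.arn
  }
  software_token_mfa_configuration {
    enabled = true
  }
}
resource "aws_cognito_user_pool" "positive3" {
  mfa_configuration          = "ON"
  sms_authentication_message = "Your code is {####}"
}
resource "aws_cognito_user_pool" "negative1" {
  mfa_configuration          = "ON"
  sms_authentication_message = "Your code is {####}"
  sms_configuration {
    external_id    = "example"
    sns_caller_arn = aws_iam_role.example.arn
  }
}
resource "aws_cognito_user_pool" "negative2" {
  mfa_configuration          = "OPTIONAL"
  sms_authentication_message = "Your code is {####}"
  software_token_mfa_configuration {
    enabled = true
  }
}
'''


def flagged_resources(hcl: str = SAMPLE_HCL) -> list[str]:
    """Names of the resources the rule flags, in file order."""
    return [f.resource for f in check_user_pools(hcl)]


if __name__ == "__main__":
    for f in check_user_pools(SAMPLE_HCL):
        print(f"{f.resource}: {f.reason}")
```

Running the block prints one line for each of positive1, positive2 and positive3 and nothing for the two negative samples. The `{####}` placeholder inside the SMS message is harmless to the brace counter because it is balanced; a real scanner should parse HCL properly rather than count braces, since a string containing an unbalanced brace would confuse this simplified reader.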