Cognito UserPool Without MFA
- Query id: 74a18d1a-cf02-4a31-8791-ed0967ad7fdc
- Query name: Cognito UserPool Without MFA
- Platform: CloudFormation
- Severity: Medium
- Category: Best Practices
- URL: Github
Description¶
AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
UserPool2:
Type: "AWS::Cognito::UserPool"
Properties:
UserPoolName: !Sub ${AuthName}-user-pool
AutoVerifiedAttributes:
- phone_number
MfaConfiguration: "OFF"
SmsConfiguration:
ExternalId: !Sub ${AuthName}-external
SnsCallerArn: !GetAtt SNSRole.Arn
UserPool4:
Type: "AWS::Cognito::UserPool"
Properties:
UserPoolName: !Sub ${AuthName}-user-pool
AutoVerifiedAttributes:
- phone_number
SmsConfiguration:
ExternalId: !Sub ${AuthName}-external
SnsCallerArn: !GetAtt SNSRole.Arn
Positive test num. 2 - json file
{
"Resources": {
"UserPool2": {
"Type": "AWS::Cognito::UserPool",
"Properties": {
"UserPoolName": "${AuthName}-user-pool",
"AutoVerifiedAttributes": [
"phone_number"
],
"MfaConfiguration": "OFF",
"SmsConfiguration": {
"ExternalId": "${AuthName}-external",
"SnsCallerArn": "SNSRole.Arn"
}
}
},
"UserPool4": {
"Type": "AWS::Cognito::UserPool",
"Properties": {
"SmsConfiguration": {
"ExternalId": "${AuthName}-external",
"SnsCallerArn": "SNSRole.Arn"
},
"UserPoolName": "${AuthName}-user-pool",
"AutoVerifiedAttributes": [
"phone_number"
]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
UserPool:
Type: "AWS::Cognito::UserPool"
Properties:
UserPoolName: !Sub ${AuthName}-user-pool
AutoVerifiedAttributes:
- phone_number
MfaConfiguration: "ON"
SmsConfiguration:
ExternalId: !Sub ${AuthName}-external
SnsCallerArn: !GetAtt SNSRole.Arn
UserPool2:
Type: "AWS::Cognito::UserPool"
Properties:
UserPoolName: !Sub ${AuthName}-user-pool
AutoVerifiedAttributes:
- phone_number
MfaConfiguration: "OPTIONAL"
SmsConfiguration:
ExternalId: !Sub ${AuthName}-external
SnsCallerArn: !GetAtt SNSRole.Arn
Negative test num. 2 - json file
{
"Resources": {
"UserPool": {
"Type": "AWS::Cognito::UserPool",
"Properties": {
"UserPoolName": "${AuthName}-user-pool",
"AutoVerifiedAttributes": [
"phone_number"
],
"MfaConfiguration": "ON",
"SmsConfiguration": {
"ExternalId": "${AuthName}-external",
"SnsCallerArn": "SNSRole.Arn"
}
}
},
"UserPool2": {
"Type": "AWS::Cognito::UserPool",
"Properties": {
"UserPoolName": "${AuthName}-user-pool",
"AutoVerifiedAttributes": [
"phone_number"
],
"MfaConfiguration": "OPTIONAL",
"SmsConfiguration": {
"ExternalId": "${AuthName}-external",
"SnsCallerArn": "SNSRole.Arn"
}
}
}
}
}