Cognito UserPool Without MFA

  • Query id: 74a18d1a-cf02-4a31-8791-ed0967ad7fdc
  • Query name: Cognito UserPool Without MFA
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Best Practices
  • URL: Github

Description

AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  UserPool2:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      AutoVerifiedAttributes:
        - phone_number
      MfaConfiguration: "OFF"
      SmsConfiguration:
        ExternalId: !Sub ${AuthName}-external
        SnsCallerArn: !GetAtt SNSRole.Arn
  UserPool4:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      AutoVerifiedAttributes:
        - phone_number
      SmsConfiguration:
        ExternalId: !Sub ${AuthName}-external
        SnsCallerArn: !GetAtt SNSRole.Arn
Positive test num. 2 - json file
{
  "Resources": {
    "UserPool2": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "UserPoolName": "${AuthName}-user-pool",
        "AutoVerifiedAttributes": [
          "phone_number"
        ],
        "MfaConfiguration": "OFF",
        "SmsConfiguration": {
          "ExternalId": "${AuthName}-external",
          "SnsCallerArn": "SNSRole.Arn"
        }
      }
    },
    "UserPool4": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "SmsConfiguration": {
          "ExternalId": "${AuthName}-external",
          "SnsCallerArn": "SNSRole.Arn"
        },
        "UserPoolName": "${AuthName}-user-pool",
        "AutoVerifiedAttributes": [
          "phone_number"
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      AutoVerifiedAttributes:
        - phone_number
      MfaConfiguration: "ON"
      SmsConfiguration:
        ExternalId: !Sub ${AuthName}-external
        SnsCallerArn: !GetAtt SNSRole.Arn
  UserPool2:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      AutoVerifiedAttributes:
        - phone_number
      MfaConfiguration: "OPTIONAL"
      SmsConfiguration:
        ExternalId: !Sub ${AuthName}-external
        SnsCallerArn: !GetAtt SNSRole.Arn
Negative test num. 2 - json file
{
  "Resources": {
    "UserPool": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "UserPoolName": "${AuthName}-user-pool",
        "AutoVerifiedAttributes": [
          "phone_number"
        ],
        "MfaConfiguration": "ON",
        "SmsConfiguration": {
          "ExternalId": "${AuthName}-external",
          "SnsCallerArn": "SNSRole.Arn"
        }
      }
    },
    "UserPool2": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "UserPoolName": "${AuthName}-user-pool",
        "AutoVerifiedAttributes": [
          "phone_number"
        ],
        "MfaConfiguration": "OPTIONAL",
        "SmsConfiguration": {
          "ExternalId": "${AuthName}-external",
          "SnsCallerArn": "SNSRole.Arn"
        }
      }
    }
  }
}