Profile Applicability:

  • Level 1

Description:

Amazon Cognito User Pools provide user authentication services for web and mobile applications. Multi-Factor Authentication (MFA) is an additional layer of security that requires users to provide two or more verification factors to gain access to their accounts, enhancing protection against unauthorized access. Enabling MFA for Amazon Cognito User Pools helps prevent unauthorized access even if user credentials are compromised.

Rationale:

  • Security: Enabling MFA significantly improves the security of user authentication by requiring users to provide a second factor (e.g., a one-time passcode sent to a mobile device) in addition to their password.

  • Compliance: Many security and compliance frameworks (e.g., SOC 2, HIPAA, PCI-DSS) require multi-factor authentication as part of their security standards.

  • Best Practices: MFA is a widely adopted security best practice that helps protect user accounts from unauthorized access, especially in environments where sensitive data is stored.

Impact:

Pros:

  • Increased Security: By requiring an additional verification factor, MFA defeats credential stuffing and password brute-force attacks outright and raises the cost of phishing. Note that SMS and TOTP codes can still be captured and relayed by a real-time phishing proxy, so MFA reduces that risk rather than eliminating it.

  • Compliance: Helps meet regulatory requirements that mandate multi-factor authentication for access to sensitive systems or data.

  • Reduced Risk of Account Compromise: Even if a user's password is compromised, the account remains protected by the second factor.

Cons:

  • User Inconvenience: Users must have access to a second factor, such as a mobile device for OTP (One-Time Password) generation, which might add some friction to the login process.

  • Support Overhead: If users forget their second factor or face issues with MFA devices, support teams may experience increased helpdesk requests for recovery.

Default Value:

By default, Cognito User Pools do not have MFA enabled (the pool's MfaConfiguration is OFF). MFA must be explicitly configured within the Cognito User Pool settings to be enforced.

Pre-requisite:

  • AWS IAM Permissions:

    • cognito-idp:ListUserPools (to enumerate the pools to audit)

    • cognito-idp:DescribeUserPool and cognito-idp:GetUserPoolMfaConfig (to read the MFA settings)

    • cognito-idp:UpdateUserPool or, preferably, cognito-idp:SetUserPoolMfaConfig (to change them)

  • AWS CLI installed and configured.

  • Cognito User Pool created and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. Select User Pools and choose the user pool to check.

  4. Under General settings, select Multi-Factor Authentication (MFA).

  5. Verify if MFA is enabled for your user pool:

    • If enabled, MFA is set to either Optional or Required. Required enforces a second factor for every user; Optional challenges only users who have already enrolled a factor, so unenrolled users still sign in with a password alone.

    • If it is set to Off, follow the Implementation Steps below to enable it.

Using AWS CLI:

  1. To describe the Cognito User Pool and check the MFA status, run:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.MfaConfiguration'

  2. Because the --query expression selects a single field, the output is the bare value of MfaConfiguration:

  • "ON" (displayed as Required in the console) means every user must present a second factor; "OPTIONAL" means only users who have enrolled a factor are challenged.

  • "OFF" means MFA is disabled. The API never returns "REQUIRED"; "ON" is the required state.

  To see which second factors (SMS, TOTP software token) are actually enabled for the pool, query get-user-pool-mfa-config rather than describe-user-pool, which reports only the mode.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon Cognito.

  2. In the Cognito Console, select User Pools and choose the user pool you want to update.

  3. Under General settings, select Multi-Factor Authentication (MFA).

  4. Enable Multi-Factor Authentication by selecting Optional or Required, depending on your security requirements, and enable at least one MFA method (SMS message or authenticator app / TOTP). Required cannot be saved without an enabled method.

  5. Save the changes to enforce the MFA settings.

Using AWS CLI:

  1. To enable MFA for the Cognito User Pool in optional mode, run the following command:

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --mfa-configuration "OPTIONAL"

  2. To make MFA required for all users, set the value to ON, which is the API value behind the console's Required option ("REQUIRED" is not a valid value and the call will fail):

    aws cognito-idp update-user-pool --user-pool-id <user-pool-id> --mfa-configuration "ON"

  Caution: update-user-pool resets every pool attribute you omit from the call to its default value (password policy, email and SMS settings, Lambda triggers, and so on). Either pass the pool's full current configuration or use set-user-pool-mfa-config, which changes only the MFA settings and lets you enable the TOTP or SMS factor in the same request. Cognito requires at least one enabled factor before the mode can be set to ON.

  3. Verify the change by running:

    aws cognito-idp describe-user-pool --user-pool-id <user-pool-id> --query 'UserPool.MfaConfiguration'
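The following script is an added example for this item, not code from AWS or from the benchmark; it automates the Test Plan check across every pool in a region and the Implementation step for a non-compliant pool. It calls the real Cognito operations ListUserPools (which is paginated and requires MaxResults), GetUserPoolMfaConfig and SetUserPoolMfaConfig through boto3, but the client is injected so the logic also runs offline against a FakeCognito stand-in whose pool IDs, names and responses are constructed sample data. Treating the presence of SmsMfaConfiguration.SmsConfiguration as "SMS enabled" is an assumption about the response shape.

```python
"""Audit and remediate MFA on Amazon Cognito user pools (added example, not AWS code).

Real API: ListUserPools, GetUserPoolMfaConfig, SetUserPoolMfaConfig via boto3.
The client is injected so everything below runs offline against FakeCognito,
whose pool IDs and responses are constructed sample data.
"""
from typing import Dict, List


def enabled_factors(cfg: Dict) -> List[str]:
    """Second factors a GetUserPoolMfaConfig response has enabled.
    TOTP: SoftwareTokenMfaConfiguration.Enabled. SMS: assumed enabled when
    SmsMfaConfiguration carries an SmsConfiguration (SNS caller role)."""
    factors = []
    if cfg.get("SoftwareTokenMfaConfiguration", {}).get("Enabled"):
        factors.append("TOTP")
    if cfg.get("SmsMfaConfiguration", {}).get("SmsConfiguration"):
        factors.append("SMS")
    return factors


def evaluate(cfg: Dict) -> Dict[str, str]:
    """Only ON (console: Required) with an enabled factor enforces MFA for every
    user; OPTIONAL challenges enrolled users only; OFF never challenges."""
    mode = cfg.get("MfaConfiguration", "OFF")
    factors = enabled_factors(cfg)
    if mode == "ON" and factors:
        return {"Status": "PASS", "Reason": "MFA required; factors: " + ", ".join(factors)}
    if mode == "OPTIONAL":
        return {"Status": "FAIL", "Reason": "MFA optional: unenrolled users sign in with password only"}
    if mode == "ON":
        return {"Status": "FAIL", "Reason": "MFA required but no factor enabled"}
    return {"Status": "FAIL", "Reason": "MFA off"}


def audit_user_pools(client) -> List[Dict[str, str]]:
    """Walk every pool in the region, following NextToken, and evaluate each."""
    results, token = [], None
    while True:
        kwargs = {"MaxResults": 60}          # MaxResults is mandatory for ListUserPools
        if token:
            kwargs["NextToken"] = token
        page = client.list_user_pools(**kwargs)
        for pool in page.get("UserPools", []):
            cfg = client.get_user_pool_mfa_config(UserPoolId=pool["Id"])
            results.append({"PoolId": pool["Id"], "Name": pool["Name"], **evaluate(cfg)})
        token = page.get("NextToken")
        if not token:
            return results


def require_totp_mfa(client, pool_id: str) -> str:
    """Enforce MFA with TOTP via SetUserPoolMfaConfig. Unlike UpdateUserPool this
    touches only MFA settings, and enabling the factor in the same call satisfies
    the rule that ON needs at least one enabled factor."""
    resp = client.set_user_pool_mfa_config(
        UserPoolId=pool_id,
        SoftwareTokenMfaConfiguration={"Enabled": True},
        MfaConfiguration="ON",
    )
    return resp["MfaConfiguration"]


class FakeCognito:
    """Offline stand-in for boto3.client("cognito-idp"); all data is constructed."""

    def __init__(self):
        totp = {"SoftwareTokenMfaConfiguration": {"Enabled": True}}
        self.pools = {
            "us-east-1_AAAAAAAAA": {"Name": "legacy-app", "Mfa": {"MfaConfiguration": "OFF"}},
            "us-east-1_BBBBBBBBB": {"Name": "customer-portal", "Mfa": {"MfaConfiguration": "ON", **totp}},
            "us-east-1_CCCCCCCCC": {"Name": "partner-portal", "Mfa": {"MfaConfiguration": "OPTIONAL", **totp}},
        }

    def list_user_pools(self, MaxResults, NextToken=None):
        # Two pools per page regardless of MaxResults, to exercise NextToken handling.
        ids = sorted(self.pools)
        start = int(NextToken) if NextToken else 0
        out = {"UserPools": [{"Id": i, "Name": self.pools[i]["Name"]} for i in ids[start:start + 2]]}
        if start + 2 < len(ids):
            out["NextToken"] = str(start + 2)
        return out

    def get_user_pool_mfa_config(self, UserPoolId):
        return dict(self.pools[UserPoolId]["Mfa"])

    def set_user_pool_mfa_config(self, UserPoolId, MfaConfiguration, **factors):
        self.pools[UserPoolId]["Mfa"] = {"MfaConfiguration": MfaConfiguration, **factors}
        return dict(self.pools[UserPoolId]["Mfa"])


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:          # real AWS call path; needs credentials and the IAM permissions above
        import boto3
        client = boto3.client("cognito-idp")
    else:                             # offline demo against constructed data
        client = FakeCognito()
    for r in audit_user_pools(client):
        print(f"{r['Status']} {r['PoolId']} ({r['Name']}): {r['Reason']}")
```

Run it without arguments to see the three constructed pools classified; with --live it audits the real pools in the configured region. Remediation is deliberately a separate function rather than automatic, since enabling TOTP changes the sign-in flow for every user of the pool.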

Backout Plan:

Using AWS Console:

  1. Navigate to the User Pool in the Amazon Cognito Console.

  2. Under General settings, select Multi-Factor Authentication (MFA) and set it to Off.

  3. Save the changes.

Using AWS CLI:

  1. To disable MFA, run the following command:

    aws cognito-idp update-user-pool --user-pool-id <USER_POOL_ID> --mfa-configuration "OFF" --region <REGION>

  Note that update-user-pool resets any pool attribute omitted from the call to its default value; set-user-pool-mfa-config with --mfa-configuration OFF disables MFA without touching the other settings.

  2. Verify that MFA has been disabled; the output should be "OFF":

    aws cognito-idp describe-user-pool --user-pool-id <USER_POOL_ID> --region <REGION> --query 'UserPool.MfaConfiguration'

References:

CIS Controls Mapping:

  Version   Control ID   Control Description                                IG1   IG2   IG3

  v8        6.3          Require MFA for Externally-Exposed Applications    Yes   Yes   Yes

  v8        6.4          Require MFA for Remote Network Access              Yes   Yes   Yes

  v8        6.5          Require MFA for Administrative Access              Yes   Yes   Yes