
Cognito Userpool set-user-pool-mfa-config #1176

Closed
jk2l opened this issue May 19, 2022 · 3 comments

Comments

jk2l commented May 19, 2022

Name of the resource

AWS::Cognito::UserPool

Resource name

No response

Description

Cognito UserPool's update-user-pool API seems to refuse to update the MFA configuration. If I want to update the MFA setting, I need to use a separate API call to handle it. This behavior seems to be inherited into the AWS::Cognito::UserPool as well. However, there is no CloudFormation resource that allows us to configure MFA besides using AWS::Cognito::UserPool. This ends up blocking CloudFormation from updating the MFA setting when needed.

The only workaround at this stage is to create a Custom Resource to manually execute SetUserPoolMfaConfig.

I think the AWS::Cognito::UserPool internally either needs to add logic to handle this odd behaviour, or we need a new Cfn resource that supports configuring MFA.

[cloudshell-user@ip-10-0-115-117 ~]$ aws cognito-idp update-user-pool --user-pool-id <userpool-id> --mfa-configuration OPTIONAL
[cloudshell-user@ip-10-0-115-117 ~]$ aws cognito-idp update-user-pool --user-pool-id <userpool-id> --mfa-configuration ON

An error occurred (InvalidParameterException) when calling the UpdateUserPool operation: Cannot turn MFA functionality ON, once the user pool has been created.
[cloudshell-user@ip-10-0-115-117 ~]$ aws cognito-idp set-user-pool-mfa-config --user-pool-id <userpool-id> --mfa-configuration ON --sms-mfa-configuration "SmsConfiguration={SnsCallerArn=<reducted>,ExternalId=<reducted>,SnsRegion=ap-southeast-2}"
{
    "SmsMfaConfiguration": {
        "SmsConfiguration": {
            "SnsCallerArn": "<reducted>",
            "ExternalId": "<reducted>",
            "SnsRegion": "ap-southeast-2"
        }
    },
    "MfaConfiguration": "ON"
}

Other Details

No response

@jk2l jk2l added the Coverage label May 19, 2022
@cfn-github-issues-bot cfn-github-issues-bot added this to Researching in coverage-roadmap May 19, 2022
maxfielb commented

@jk2l

This behavior seems to be inherited into the AWS::Cognito::UserPool as well.

The CFN AWS::Cognito::UserPool resource should support modifying the MfaConfiguration on both Create and Update. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html

If you have confirmed this behavior somehow, can you provide us with the template that you used and any other information you can provide?

@cfn-github-issues-bot cfn-github-issues-bot moved this from Researching to Coming Soon in coverage-roadmap May 27, 2022

jk2l commented Jun 2, 2022

@jk2l

This behavior seems to be inherited into the AWS::Cognito::UserPool as well.

The CFN AWS::Cognito::UserPool resource should support modifying the MfaConfiguration on both Create and Update. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html

If you have confirmed this behavior somehow, can you provide us with the template that you used and any other information you can provide?

Parameters:
  EnableMfa:
    Type: String
    AllowedValues:
      - "ON"
      - "OFF"
    Default: "ON"

Conditions:
  EnableMfa:
    Fn::Equals: [ !Ref EnableMfa, "ON" ]

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      MfaConfiguration: !Ref EnableMfa
      EnabledMfas:
        Fn::If:
          - EnableMfa
          - [SOFTWARE_TOKEN_MFA]
          - !Ref AWS::NoValue

Test step:

  • Deploy template with ON
  • Update template to OFF (Success)
  • Update template to ON (Fail)
  • You can also update Cognito manually via CLI or AWS Console to turn it ON (but then Cfn has drifted)


jk2l commented Jun 2, 2022

The reason we encounter this scenario is that our developers are testing enforced MFA behaviour and OPTIONAL MFA behaviour with the Cognito Advanced Security Feature, but to our surprise we can't turn MFA to ON after we move to OPTIONAL. (We work around this now with a Custom Resource backed by a Lambda, which is quite an ugly hack.)
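The Custom Resource plus Lambda workaround described in the comments above, as an added example that is not part of the issue or the project: a handler that maps the resource's MfaConfiguration and EnabledMfas properties onto a SetUserPoolMfaConfig call, which is the API the issue shows succeeding where update-user-pool fails. The function names (build_mfa_params, handle), the injected set_mfa callable and the property layout are assumptions; Delete is deliberately a no-op so that removing the workaround resource does not quietly switch the pool's MFA off.

```python
"""CloudFormation custom-resource handler that applies SetUserPoolMfaConfig.

Hypothetical code added for illustration; it is not from the issue or the
cloudformation-coverage-roadmap project. It assumes the custom resource is
given UserPoolId, MfaConfiguration and EnabledMfas as properties and that the
boto3 call is injected, so the logic can be tested offline.
"""
from typing import Any, Callable, Dict, List

VALID_MFA = ("OFF", "ON", "OPTIONAL")


def build_mfa_params(props: Dict[str, Any]) -> Dict[str, Any]:
    """Map resource properties onto SetUserPoolMfaConfig keyword arguments."""
    mfa = props.get("MfaConfiguration", "OFF")
    if mfa not in VALID_MFA:
        raise ValueError(f"MfaConfiguration must be one of {VALID_MFA}, got {mfa!r}")
    enabled: List[str] = props.get("EnabledMfas", [])
    if mfa != "OFF" and not enabled:
        raise ValueError("EnabledMfas is required when MFA is ON or OPTIONAL")
    params: Dict[str, Any] = {"UserPoolId": props["UserPoolId"], "MfaConfiguration": mfa}
    # TOTP only needs the Enabled flag; SMS also needs the SNS caller role from the template.
    params["SoftwareTokenMfaConfiguration"] = {"Enabled": "SOFTWARE_TOKEN_MFA" in enabled}
    if "SMS_MFA" in enabled:
        sms = props.get("SmsConfiguration")
        if not sms or "SnsCallerArn" not in sms:
            raise ValueError("SmsConfiguration.SnsCallerArn is required for SMS_MFA")
        params["SmsMfaConfiguration"] = {"SmsConfiguration": sms}
    return params


def handle(event: Dict[str, Any], set_mfa: Callable[..., Dict[str, Any]]) -> Dict[str, Any]:
    """Process a Create/Update/Delete event and return the cfnresponse payload."""
    props = event["ResourceProperties"]
    physical_id = f"mfa-config:{props['UserPoolId']}"
    if event["RequestType"] == "Delete":
        # Removing the custom resource must not silently weaken the pool's MFA policy.
        return {"Status": "SUCCESS", "PhysicalResourceId": physical_id, "Data": {}}
    params = build_mfa_params(props)
    resp = set_mfa(**params)  # boto3: cognito-idp client.set_user_pool_mfa_config(**params)
    applied = resp.get("MfaConfiguration", params["MfaConfiguration"])
    return {"Status": "SUCCESS", "PhysicalResourceId": physical_id, "Data": {"MfaConfiguration": applied}}


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Lambda entry point; the function role needs only cognito-idp:SetUserPoolMfaConfig."""
    import boto3  # imported lazily so the module also loads where boto3 is absent
    return handle(event, boto3.client("cognito-idp").set_user_pool_mfa_config)
```

Point a custom resource (an assumed type name such as Custom::UserPoolMfaConfig) at this function with UserPoolId set to !Ref UserPool; because every stack Update re-issues the call, flipping the parameter from OPTIONAL back to ON succeeds instead of failing as the plain resource does. Signalling the returned payload back to CloudFormation is left to the usual cfnresponse wrapper.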

@cfn-github-issues-bot cfn-github-issues-bot moved this from Coming Soon to We're working on it in coverage-roadmap Sep 1, 2022
@cfn-github-issues-bot cfn-github-issues-bot moved this from We're working on it to Coming Soon in coverage-roadmap Sep 2, 2022
@cfn-github-issues-bot cfn-github-issues-bot moved this from Coming Soon to Shipped in coverage-roadmap Sep 29, 2022