JSON/YAML: MFA disabled in UserPool
Description
Detects AWS Cognito User Pools configured without Multi-Factor Authentication (MFA) enabled in CloudFormation templates. When MFA is disabled, users can authenticate with just a single factor, reducing the security of the authentication process and increasing the risk of unauthorized account access.
Detection Strategy
• Search for CloudFormation resources of type 'AWS::Cognito::UserPool'
• Check if the UserPool resource has MFA configuration settings defined
• Report a vulnerability if MFA is explicitly disabled or not configured in the UserPool properties
• Consider as vulnerable if 'MfaConfiguration' is set to 'OFF' or missing from the UserPool definition
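The detection strategy above, implemented as a small static check over a parsed CloudFormation template. This is an added example written for this page, not Fluid Attacks' scanner code; it parses JSON with the standard library and, for YAML templates, uses PyYAML if it is installed (the short-form tags such as !Ref are kept as dicts so they can be inspected). It goes slightly beyond the bullet list: besides OFF and missing, it reports OPTIONAL as a weaker finding (users may skip enrolment) and flags values supplied through Ref or Fn::If for manual review, since those cannot be judged statically. The sample template and its resource names are constructed for the demonstration.

```python
"""Static check for AWS::Cognito::UserPool resources with MFA off or unset.

Constructed example for this rule: it is not Fluid Attacks' own scanner code.
"""
import json

USERPOOL_TYPE = "AWS::Cognito::UserPool"


def load_template(text: str) -> dict:
    """Parse a CloudFormation template given as JSON, or as YAML when PyYAML is installed."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        pass
    try:
        import yaml  # optional dependency, only needed for YAML templates
    except ImportError as exc:
        raise ValueError("template is not JSON and PyYAML is not installed") from exc

    class CfnLoader(yaml.SafeLoader):
        """SafeLoader that tolerates CloudFormation short-form tags such as !Ref and !Sub."""

    def keep_tag(loader, tag_suffix, node):
        # Represent "!Ref X" as {"Ref": "X"}, mirroring the JSON form of the template
        if isinstance(node, yaml.ScalarNode):
            return {tag_suffix: loader.construct_scalar(node)}
        if isinstance(node, yaml.SequenceNode):
            return {tag_suffix: loader.construct_sequence(node)}
        return {tag_suffix: loader.construct_mapping(node)}

    CfnLoader.add_multi_constructor("!", keep_tag)
    return yaml.load(text, Loader=CfnLoader)


def check_user_pools(template: dict) -> list:
    """Return one finding per UserPool whose MFA setting is OFF, missing, OPTIONAL or not a literal."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != USERPOOL_TYPE:
            continue
        mfa = (resource.get("Properties") or {}).get("MfaConfiguration")
        if mfa is None:
            # The property defaults to OFF when it is not declared
            finding = ("high", "MfaConfiguration is missing (defaults to OFF)")
        elif not isinstance(mfa, str):
            # Ref / Fn::If values are resolved at deploy time and cannot be judged statically
            finding = ("review", "MfaConfiguration is an intrinsic function: %r" % (mfa,))
        elif mfa.upper() == "OFF":
            finding = ("high", "MfaConfiguration is OFF")
        elif mfa.upper() == "OPTIONAL":
            finding = ("medium", "MfaConfiguration is OPTIONAL: users can skip MFA enrolment")
        else:
            continue  # "ON": mandatory second factor, nothing to report
        findings.append({"resource": logical_id, "severity": finding[0], "reason": finding[1]})
    return findings


# Constructed sample template exercising every branch of the check
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {"MfaMode": {"Type": "String", "Default": "OFF"}},
    "Resources": {
        "LegacyPool": {"Type": USERPOOL_TYPE,
                       "Properties": {"MfaConfiguration": "OFF"}},
        "NoMfaPool": {"Type": USERPOOL_TYPE,
                      "Properties": {"UserPoolName": "no-mfa"}},
        "OptInPool": {"Type": USERPOOL_TYPE,
                      "Properties": {"MfaConfiguration": "OPTIONAL"}},
        "ParamPool": {"Type": USERPOOL_TYPE,
                      "Properties": {"MfaConfiguration": {"Ref": "MfaMode"}}},
        "HardenedPool": {"Type": USERPOOL_TYPE,
                         "Properties": {"MfaConfiguration": "ON",
                                        "EnabledMfas": ["SOFTWARE_TOKEN_MFA"]}},
        "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})


def scan(text: str) -> list:
    """Convenience wrapper: parse a template string and return its findings."""
    return check_user_pools(load_template(text))


if __name__ == "__main__":
    for f in scan(SAMPLE_TEMPLATE):
        print("%-7s %-13s %s" % (f["severity"], f["resource"], f["reason"]))
```

Running the script lists LegacyPool and NoMfaPool as high findings, OptInPool as medium and ParamPool for review, while HardenedPool and the S3 bucket produce nothing. Treating a missing property as vulnerable rather than skipping it matters: the Cognito default is OFF, so silence in the template is the same as an explicit opt-out.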
Vulnerable code example
{
  "Resources": {
    "MyUserPool": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "MfaConfiguration": "OFF"
      }
    }
  }
}
Vulnerable: "MfaConfiguration" is "OFF" (equivalent to omitting the property, since OFF is the default), so every user signs in with a single factor. CloudFormation accepts only the strings "OFF", "ON" and "OPTIONAL" for this property.
✅ Secure code example
{
  "Resources": {
    "MyUserPool": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "MfaConfiguration": "ON",
        "EnabledMfas": ["SOFTWARE_TOKEN_MFA"]
      }
    }
  }
}
Secure: "MfaConfiguration": "ON" makes a second factor mandatory for every user, and "EnabledMfas" declares the software token (TOTP authenticator app) as the accepted MFA method.