Terraform Mfa Configuration Off

Description

Detects when AWS Cognito User Pools are configured with Multi-Factor Authentication (MFA) disabled. Disabling MFA reduces account security by removing an additional authentication layer, making user accounts more vulnerable to unauthorized access through compromised credentials.

Weakness:

081 - Lack of multi-factor authentication

Category: Access Subversion

Detection Strategy

    Scans Terraform configuration files for AWS Cognito User Pool resource definitions

    Checks if MFA settings are explicitly disabled or omitted in the user pool configuration

    Reports a security issue when a Cognito User Pool is found without MFA enabled

    Specifically looks for 'aws_cognito_user_pool' resource blocks in Terraform code

Vulnerable code example

resource "aws_cognito_user_pool" "pool" {
  name = "example-pool"
  mfa_configuration = "OFF"  # Security risk: MFA is disabled, reducing account security
}

✅ Secure code example

resource "aws_cognito_user_pool" "pool" {
  name = "example-pool"
  mfa_configuration = "ON"  # Enable MFA for stronger authentication security

  software_token_mfa_configuration {
    enabled = true  # Enable TOTP-based MFA tokens for 2-factor auth
  }
}
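A small scanner that implements the detection strategy described above, added here as an example and not part of the original page or any vendor tool. It locates every aws_cognito_user_pool block with a regular expression and brace matching, then flags pools whose mfa_configuration is "OFF", omitted (the provider default is OFF), set to a non-literal expression that needs manual review, or any value other than "ON" (so "OPTIONAL", which does not enforce MFA, is also reported, which goes slightly beyond the OFF/omitted cases the page names). The sample Terraform is constructed from the page's two examples plus extra cases.

```python
import re
# Constructed sample: the page's vulnerable and secure pools plus omitted / OPTIONAL cases.
SAMPLE_TF = """
resource "aws_cognito_user_pool" "off_pool" {
  name = "example-pool"
  mfa_configuration = "OFF"  # explicitly disabled
}
resource "aws_cognito_user_pool" "omitted_pool" {
  name = "omitted-pool"      # attribute absent, provider default is OFF
}
resource "aws_cognito_user_pool" "optional_pool" {
  name              = "optional-pool"
  mfa_configuration = "OPTIONAL"  # users may enrol, but MFA is not enforced
}
resource "aws_cognito_user_pool" "secure_pool" {
  name              = "example-pool"
  mfa_configuration = "ON"
  software_token_mfa_configuration {
    enabled = true
  }
}
"""

POOL_RE = re.compile(r'resource\s+"aws_cognito_user_pool"\s+"([^"]+)"\s*\{')
MFA_RE = re.compile(r'^\s*mfa_configuration\s*=\s*([^\s#]+)', re.MULTILINE)


def block_body(text: str, open_brace: int) -> str:
    # Return the text between the brace at open_brace and its matching close brace.
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def find_mfa_off_pools(tf_text: str) -> list[tuple[str, str]]:
    """Return (pool name, reason) for every user pool that does not enforce MFA."""
    findings = []
    for m in POOL_RE.finditer(tf_text):
        name, body = m.group(1), block_body(tf_text, m.end() - 1)
        hit = MFA_RE.search(body)  # only matches the top-level attribute, not nested blocks
        if hit is None:
            findings.append((name, "mfa_configuration omitted (defaults to OFF)"))
        elif not hit.group(1).startswith('"'):
            findings.append((name, f"mfa_configuration is an expression: {hit.group(1)}"))
        elif hit.group(1).strip('"').upper() != "ON":
            findings.append((name, f"mfa_configuration = {hit.group(1)}"))
    return findings
```

Running `find_mfa_off_pools(SAMPLE_TF)` reports off_pool, omitted_pool and optional_pool and leaves secure_pool untouched; a value such as `var.mfa_mode` is reported for review rather than silently passed.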