Open dlpzx opened 11 months ago
It looks like we could do some changes in `deploy/stacks/cognito.py` based on this documentation.
We first need to add required attributes for sign-up. Something like...
```python
self.user_pool = cognito.UserPool(
    self,
    f'UserPool-{envname}',
    user_pool_name=f'{resource_prefix}-{envname}-userpool',
    self_sign_up_enabled=False,
    sign_in_aliases=cognito.SignInAliases(username=True, email=True),
    # email is required at sign-up (needed before TOTP can be enabled)
    standard_attributes=cognito.StandardAttributes(
        email=cognito.StandardAttribute(
            required=True,
            mutable=False
        ),
    ),
    mfa=cognito.Mfa.REQUIRED,
    # SMS and authenticator apps (TOTP) as second factors
    mfa_second_factor=cognito.MfaSecondFactor(
        sms=True,
        otp=True
    ),
    password_policy=cognito.PasswordPolicy(
        min_length=8,
        require_digits=True,
        require_uppercase=True,
        require_lowercase=True,
        require_symbols=True,
    ),
)
```
Updates from internal conversation with customer: For an existing deployment of data.all the above approach is an issue, as it turned out that such an attribute cannot be changed if the user pool is already created.
Our recommendation is either to start from a fresh deployment or, in case that is not possible (as a workaround), to define a different id for the Cognito user pool depending on the MFA settings. In the above code we should change the id from `f'UserPool-{envname}'` to something like `f'UserPool-{envname}-{config}'`, where `config` is the MFA config that we can read from the cdk.json file. Having a different id would replace the resource in CloudFormation and in theory this would avoid the reported errors; however, it is a hypothesis and it has not been tested.
Once the testing performed by the customer is complete we will be able to design a final solution for the open-source version.
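A worked version of the workaround described in the comment above, added here as an example (it is not code from the data.all repository or from the commenter): it reads the MFA configuration from the cdk.json context and derives a construct id from it, so that a change of the MFA settings makes CloudFormation replace the user pool. The context keys `mfa`, `mfa_sms` and `mfa_otp`, the helper names and the id format are assumptions.

```python
from dataclasses import dataclass
from typing import Any, Mapping

# Constructed sample "context" as it could appear in cdk.json; the key names are assumptions.
SAMPLE_CONTEXT = {"mfa": "required", "mfa_sms": False, "mfa_otp": True}
MFA_MODES = ("off", "optional", "required")


@dataclass(frozen=True)
class MfaSettings:
    mode: str   # one of MFA_MODES
    sms: bool   # SMS as second factor
    otp: bool   # TOTP, i.e. authenticator apps


def mfa_settings_from_context(context: Mapping[str, Any]) -> MfaSettings:
    """Read and validate the MFA configuration from the cdk.json context."""
    mode = str(context.get("mfa", "off")).lower()
    if mode not in MFA_MODES:
        raise ValueError(f"mfa must be one of {MFA_MODES}, got {mode!r}")
    settings = MfaSettings(mode, bool(context.get("mfa_sms", False)), bool(context.get("mfa_otp", True)))
    if settings.mode != "off" and not (settings.sms or settings.otp):
        raise ValueError("enable at least one second factor when mfa is not 'off'")
    return settings


def user_pool_construct_id(envname: str, settings: MfaSettings) -> str:
    """Construct id that encodes the MFA config, so a config change replaces the pool."""
    if settings.mode == "off":
        return f"UserPool-{envname}-mfa-off"
    factors = "-".join(name for name, on in (("sms", settings.sms), ("otp", settings.otp)) if on)
    return f"UserPool-{envname}-mfa-{settings.mode}-{factors}"


def create_user_pool(scope, envname: str, resource_prefix: str, context: Mapping[str, Any]):
    """Same pool definition as in the snippet above, keyed on the MFA settings."""
    from aws_cdk import aws_cognito as cognito  # local import keeps the helpers testable without CDK

    settings = mfa_settings_from_context(context)
    mfa = {"off": cognito.Mfa.OFF, "optional": cognito.Mfa.OPTIONAL, "required": cognito.Mfa.REQUIRED}
    return cognito.UserPool(
        scope,
        user_pool_construct_id(envname, settings),
        user_pool_name=f"{resource_prefix}-{envname}-userpool",
        self_sign_up_enabled=False,
        sign_in_aliases=cognito.SignInAliases(username=True, email=True),
        # email must be a required attribute for TOTP and cannot be changed once the pool exists
        standard_attributes=cognito.StandardAttributes(email=cognito.StandardAttribute(required=True, mutable=False)),
        mfa=mfa[settings.mode],
        mfa_second_factor=cognito.MfaSecondFactor(sms=settings.sms, otp=settings.otp),
        password_policy=cognito.PasswordPolicy(min_length=8, require_digits=True, require_uppercase=True,
                                               require_lowercase=True, require_symbols=True),
    )
```

A replaced pool is a new pool, so existing users are not carried over; that is why the comment prefers a fresh deployment where possible.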
A customer is asking if we can customize the data.all Infrastructure Amazon Cognito and enable MFA using Authenticator Apps.
MFA authentication makes users in Cognito log in in a more secure way. So in Cognito you can enable SMS or Authenticator Apps. The customer is interested in the Authenticator Apps like Google Authenticator.
I know we can set it up with Cognito, but due to Cognito not requiring an email as an attribute in the sign-up experience, I am unable to enable authenticator apps as the MFA method.