
Page updated Nov 11, 2025

Modify Amplify-generated Cognito resources with CDK

Amplify Auth provides sensible defaults for the underlying Amazon Cognito resource definitions. You can customize your authentication resource for your use case by modifying it directly with the AWS Cloud Development Kit (CDK).

Override Cognito UserPool password policies

You can override the password policy by using the L1 cfnUserPool construct, either by setting its policies property directly, as in the example below, or by adding an addPropertyOverride.

amplify/backend.ts
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';

const backend = defineBackend({
  auth,
});

// extract L1 CfnUserPool resources
const { cfnUserPool } = backend.auth.resources.cfnResources;

// modify cfnUserPool policies directly
cfnUserPool.policies = {
  passwordPolicy: {
    minimumLength: 10,
    requireLowercase: true,
    requireNumbers: true,
    requireSymbols: true,
    requireUppercase: true,
    // number of days an administrator-set temporary password stays valid
    temporaryPasswordValidityDays: 20,
  },
};

Override Cognito UserPool to enable passwordless sign-in methods

You can modify the underlying Cognito user pool resource to enable sign in with passwordless methods. Learn more about passwordless sign-in methods.

You can also read more about how passwordless authentication flows are implemented in the Cognito documentation.

amplify/backend.ts
import { defineBackend } from "@aws-amplify/backend";
import { auth } from "./auth/resource";

const backend = defineBackend({
  auth,
});

const { cfnResources } = backend.auth.resources;
const { cfnUserPool, cfnUserPoolClient } = cfnResources;

// Specify which authentication factors you want to allow with USER_AUTH
cfnUserPool.addPropertyOverride(
  'Policies.SignInPolicy.AllowedFirstAuthFactors',
  ['PASSWORD', 'WEB_AUTHN', 'EMAIL_OTP', 'SMS_OTP']
);

// The USER_AUTH flow is used for passwordless sign in.
// This assignment replaces the generated list, so flows not listed here
// are not enabled on the client.
cfnUserPoolClient.explicitAuthFlows = [
  'ALLOW_REFRESH_TOKEN_AUTH',
  'ALLOW_USER_AUTH'
];

/* Needed for WebAuthn */
// The WebAuthnRelyingPartyID is the domain of your relying party, e.g. "example.domain.com"
cfnUserPool.addPropertyOverride('WebAuthnRelyingPartyID', '<RELYING_PARTY>');
// 'preferred' asks for user verification when the authenticator supports it;
// 'required' enforces it.
cfnUserPool.addPropertyOverride('WebAuthnUserVerification', 'preferred');
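
An added example, not part of the Amplify documentation: addPropertyOverride takes a raw string path that the compiler does not check, so this sketch audits a synthesized CloudFormation template (loaded as JSON) for the password policy and passwordless overrides from both sections above. The names auditCognitoTemplate, has and sampleTemplate, the logical IDs, and the default 10-character threshold are assumptions chosen for illustration.

```typescript
// Added example: audits a synthesized CloudFormation template; not Amplify code.
type Props = Record<string, any>;
type Template = { Resources: Record<string, { Type: string; Properties?: Props }> };

const has = (list: unknown, v: string): boolean => Array.isArray(list) && list.indexOf(v) !== -1;

function auditCognitoTemplate(template: Template, minLength = 10): string[] {
  const findings: string[] = [];
  const ids = Object.keys(template.Resources);
  for (const id of ids) {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::Cognito::UserPool') continue;
    const props: Props = res.Properties ?? {};
    const pw: Props = props.Policies?.PasswordPolicy ?? {};
    if (!(pw.MinimumLength >= minLength)) findings.push(`${id}: MinimumLength below ${minLength}`);
    for (const key of ['RequireLowercase', 'RequireNumbers', 'RequireSymbols', 'RequireUppercase']) {
      if (pw[key] !== true) findings.push(`${id}: ${key} not enabled`);
    }
    const factors = props.Policies?.SignInPolicy?.AllowedFirstAuthFactors;
    if (has(factors, 'WEB_AUTHN')) {
      const rp = props.WebAuthnRelyingPartyID;
      if (typeof rp !== 'string' || rp === '' || rp.indexOf('<') !== -1) {
        findings.push(`${id}: WEB_AUTHN allowed but WebAuthnRelyingPartyID unset or placeholder`);
      }
      if (!has(['required', 'preferred'], props.WebAuthnUserVerification)) {
        findings.push(`${id}: WebAuthnUserVerification missing or invalid`);
      }
    }
    // Assumes clients reference the pool as { Ref: <logical id> } in the same stack.
    const userAuthClient = ids.some((cid) => {
      const c = template.Resources[cid];
      return c.Type === 'AWS::Cognito::UserPoolClient' && c.Properties?.UserPoolId?.Ref === id
        && has(c.Properties?.ExplicitAuthFlows, 'ALLOW_USER_AUTH');
    });
    const passwordless = Array.isArray(factors) && factors.some((f: string) => f !== 'PASSWORD');
    if (passwordless && !userAuthClient) findings.push(`${id}: passwordless factors set but no client has ALLOW_USER_AUTH`);
    if (!passwordless && userAuthClient) findings.push(`${id}: ALLOW_USER_AUTH set but SignInPolicy has no passwordless factor`);
  }
  return findings;
}

// Constructed sample: override path misspelled as "SigninPolicy", so the real property is never set.
const sampleTemplate: Template = { Resources: {
  Pool: { Type: 'AWS::Cognito::UserPool', Properties: { Policies: {
    PasswordPolicy: { MinimumLength: 8, RequireLowercase: true, RequireNumbers: true, RequireSymbols: true, RequireUppercase: true },
    SigninPolicy: { AllowedFirstAuthFactors: ['PASSWORD', 'WEB_AUTHN'] } } } },
  Client: { Type: 'AWS::Cognito::UserPoolClient', Properties: {
    UserPoolId: { Ref: 'Pool' }, ExplicitAuthFlows: ['ALLOW_REFRESH_TOKEN_AUTH', 'ALLOW_USER_AUTH'] } },
} };
console.log(auditCognitoTemplate(sampleTemplate));
```

An empty result means the template carries the intended settings; any finding names the logical ID of the user pool to inspect.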