Name:
interface
Value:
Amplify has re-imagined the way frontend developers build fullstack applications. Develop and deploy without the hassle.

Fullstack TypeScript

Write your app's data model, auth, storage, and functions in TypeScript; Amplify will do the rest.

Built with the AWS CDK

Use any cloud resource your app needs. Never worry about scale.

Back to Gen 1 DocsLearn more about Gen 2

Choose your framework/language

Edit on GitHub

Page updated Nov 4, 2024

Modify Amplify-generated Cognito resources with CDK

Amplify Auth provides sensible defaults for the underlying Amazon Cognito resource definitions. You can customize your authentication resource to enable it to behave exactly as needed for your use cases by modifying it directly using AWS Cloud Development Kit (CDK)

Override Cognito UserPool password policies

You can override the password policy by using the L1 cfnUserPool construct and adding a addPropertyOverride.

amplify/backend.ts
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';


const backend = defineBackend({
  auth,
});
// extract L1 CfnUserPool resources
const { cfnUserPool } = backend.auth.resources.cfnResources;
// modify cfnUserPool policies directly
cfnUserPool.policies = {
  passwordPolicy: {
    minimumLength: 10,
    requireLowercase: true,
    requireNumbers: true,
    requireSymbols: true,
    requireUppercase: true,
    temporaryPasswordValidityDays: 20,
  },
};

Override Cognito UserPool multi-factor authentication options

While Email MFA is not yet supported with defineAuth, this feature can be enabled by modifying the underlying CDK construct.

Start by ensuring your defineAuth resource configuration includes a compatible account recovery option and a custom SES sender.

amplify/auth/resource.ts
import { defineAuth } from "@aws-amplify/backend"


/**
 * Define and configure your auth resource
 * @see https://docs.amplify.aws/gen2/build-a-backend/auth
 */
export const auth = defineAuth({
  loginWith: {
    email: true,
    phone: true,
  },
  multifactor: {
    mode: "OPTIONAL",
    sms: true,
    totp: false,
  },
  // Important! The logic to resolve this value cannot determine whether email mfa is enabled when overriding the resource. 
  // Be sure to pick a recovery option appropriate for your application.
  accountRecovery: "EMAIL_AND_PHONE_WITHOUT_MFA",
  senders: {
    email: {
      fromEmail: "registrations@example.com",
    },
  },
})

Next, extend the underlying CDK construct by activating Amazon Cognito's Advanced Security Features (ASF) and add EMAIL_OTP to the enabled MFA options.

amplify/backend.ts
import { defineBackend } from "@aws-amplify/backend"
import { auth } from "./auth/resource"


const backend = defineBackend({
  auth,
})


const { cfnUserPool } = backend.auth.resources.cfnResources


// enable ASF
cfnUserPool.userPoolAddOns = {
  advancedSecurityMode: "AUDIT",
}


// add email mfa
// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-enabledmfas
cfnUserPool.enabledMfas = [...(cfnUserPool.enabledMfas || []), "EMAIL_OTP"]
PREVIOUS
Grant access to auth resources
NEXT
Moving to production
Site color mode

Amplify open source software, documentation and community are supported by Amazon Web Services.

© 2024, Amazon Web Services, Inc. and its affiliates.

All rights reserved. View the site terms and privacy policy.

Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.