Modify Amplify-generated Cognito resources with CDK
Amplify Auth provides sensible defaults for the underlying Amazon Cognito resource definitions. When your use case needs different behavior, you can customize the authentication resource by modifying the generated constructs directly with the AWS Cloud Development Kit (CDK).
Override Cognito UserPool password policies
You can override the password policy through the L1 cfnUserPool construct, either by assigning its policies property directly (as below) or by calling addPropertyOverride on it.
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';

const backend = defineBackend({
  auth,
});

// extract L1 CfnUserPool resources
const { cfnUserPool } = backend.auth.resources.cfnResources;

// modify cfnUserPool policies directly
cfnUserPool.policies = {
  passwordPolicy: {
    minimumLength: 10,
    requireLowercase: true,
    requireNumbers: true,
    requireSymbols: true,
    requireUppercase: true,
    temporaryPasswordValidityDays: 20,
  },
};
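Because an override replaces Amplify's defaults wholesale, it is easy to weaken the policy without noticing. The following is an added example, not Amplify's own code: a small pre-deploy lint for a passwordPolicy object shaped like the one above. The field names are the CloudFormation PasswordPolicy properties; the baseline thresholds (12 characters, 7-day temporary passwords) and the rule that every field must be set explicitly are assumptions chosen for this example.

```typescript
// Added example, not Amplify's code: lint a CfnUserPool passwordPolicy override
// before deploying it. Baseline values below are assumptions for this example.

interface PasswordPolicy {
  minimumLength?: number;
  requireLowercase?: boolean;
  requireNumbers?: boolean;
  requireSymbols?: boolean;
  requireUppercase?: boolean;
  temporaryPasswordValidityDays?: number;
}

interface PolicyBaseline {
  minLength: number;           // smallest minimumLength the lint accepts
  maxTempPasswordDays: number; // longest temporary-password lifetime it accepts
}

// Assumed baseline for this example; adjust to your own standard.
const DEFAULT_BASELINE: PolicyBaseline = { minLength: 12, maxTempPasswordDays: 7 };

// Cognito's documented bounds for these two fields.
const COGNITO_MIN_LENGTH_RANGE = { min: 6, max: 99 };
const COGNITO_TEMP_DAYS_RANGE = { min: 0, max: 365 };

// Every field must be present and explicit: the lint deliberately does not
// fall back on service defaults, so a reviewer sees the whole policy in the override.
function lintPasswordPolicy(
  policy: PasswordPolicy,
  baseline: PolicyBaseline = DEFAULT_BASELINE,
): string[] {
  const findings: string[] = [];

  if (policy.minimumLength === undefined) {
    findings.push("minimumLength is not set explicitly");
  } else {
    const len = policy.minimumLength;
    if (len < COGNITO_MIN_LENGTH_RANGE.min || len > COGNITO_MIN_LENGTH_RANGE.max) {
      findings.push(`minimumLength ${len} is outside Cognito's range ${COGNITO_MIN_LENGTH_RANGE.min}-${COGNITO_MIN_LENGTH_RANGE.max}`);
    }
    if (len < baseline.minLength) {
      findings.push(`minimumLength ${len} is below the baseline of ${baseline.minLength}`);
    }
  }

  const classes: Array<keyof PasswordPolicy> = [
    "requireLowercase", "requireNumbers", "requireSymbols", "requireUppercase",
  ];
  for (const key of classes) {
    if (policy[key] !== true) {
      findings.push(`${key} is not explicitly true`);
    }
  }

  const days = policy.temporaryPasswordValidityDays;
  if (days === undefined) {
    findings.push("temporaryPasswordValidityDays is not set explicitly");
  } else {
    if (days < COGNITO_TEMP_DAYS_RANGE.min || days > COGNITO_TEMP_DAYS_RANGE.max) {
      findings.push(`temporaryPasswordValidityDays ${days} is outside Cognito's range ${COGNITO_TEMP_DAYS_RANGE.min}-${COGNITO_TEMP_DAYS_RANGE.max}`);
    }
    if (days > baseline.maxTempPasswordDays) {
      findings.push(`temporaryPasswordValidityDays ${days} exceeds the baseline of ${baseline.maxTempPasswordDays}`);
    }
  }

  return findings;
}

// Constructed sample input: the same values as the override above.
const PAGE_POLICY: PasswordPolicy = {
  minimumLength: 10,
  requireLowercase: true,
  requireNumbers: true,
  requireSymbols: true,
  requireUppercase: true,
  temporaryPasswordValidityDays: 20,
};

// Against the assumed baseline the page's own policy yields two findings
// (length 10 < 12, temporary password 20 days > 7).
const PAGE_FINDINGS = lintPasswordPolicy(PAGE_POLICY);
```

Run the lint as a step in your pipeline before deploying the backend and fail the build when it returns any findings; pass a different PolicyBaseline to match whatever standard your organization applies.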
Override Cognito UserPool multi-factor authentication options
Email MFA is not yet supported by defineAuth, but it can be enabled by modifying the underlying CDK construct.
Start by ensuring your defineAuth resource configuration includes a compatible account recovery option and a custom SES sender.
import { defineAuth } from "@aws-amplify/backend"

/**
 * Define and configure your auth resource
 * @see https://docs.amplify.aws/gen2/build-a-backend/auth
 */
export const auth = defineAuth({
  loginWith: {
    email: true,
    phone: true,
  },
  multifactor: {
    mode: "OPTIONAL",
    sms: true,
    totp: false,
  },
  // Important! The logic to resolve this value cannot determine whether email mfa is enabled when overriding the resource.
  // Be sure to pick a recovery option appropriate for your application.
  accountRecovery: "EMAIL_AND_PHONE_WITHOUT_MFA",
  senders: {
    email: {
      fromEmail: "registrations@example.com",
    },
  },
})
Next, extend the underlying CDK construct by activating Amazon Cognito's Advanced Security Features (ASF) and adding EMAIL_OTP to the enabled MFA options.
import { defineBackend } from "@aws-amplify/backend"
import { auth } from "./auth/resource"

const backend = defineBackend({
  auth,
})

const { cfnUserPool } = backend.auth.resources.cfnResources

// enable ASF
cfnUserPool.userPoolAddOns = {
  advancedSecurityMode: "AUDIT",
}

// add email mfa
// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-enabledmfas
cfnUserPool.enabledMfas = [...(cfnUserPool.enabledMfas || []), "EMAIL_OTP"]
Override Cognito UserPool to enable passwordless sign-in methods
You can modify the underlying Cognito user pool resource to enable sign in with passwordless methods. Learn more about passwordless sign-in methods.
import { defineBackend } from "@aws-amplify/backend"
import { auth } from "./auth/resource"

const backend = defineBackend({
  auth,
})

const { cfnResources } = backend.auth.resources;
const { cfnUserPool, cfnUserPoolClient } = cfnResources;

cfnUserPool.addPropertyOverride(
  'Policies.SignInPolicy.AllowedFirstAuthFactors',
  ['PASSWORD', 'WEB_AUTHN', 'EMAIL_OTP', 'SMS_OTP']
);

cfnUserPoolClient.explicitAuthFlows = [
  'ALLOW_REFRESH_TOKEN_AUTH',
  'ALLOW_USER_AUTH'
];

/* Needed for WebAuthn */
cfnUserPool.addPropertyOverride('WebAuthnRelyingPartyID', '<RELYING_PARTY>');
cfnUserPool.addPropertyOverride('WebAuthnUserVerification', 'preferred');
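The email-MFA and passwordless overrides above each touch several properties that only work together: EMAIL_OTP MFA needs ASF on, a SignInPolicy needs the client to allow ALLOW_USER_AUTH, and WEB_AUTHN needs a real relying-party ID (the '<RELYING_PARTY>' placeholder is easy to ship by accident). The following is an added example, not Amplify's or AWS's code: a plain-object model of those CfnUserPool and CfnUserPoolClient properties, idempotent versions of both overrides, and a consistency check to run before synthesizing the stack. The rules it enforces are assumptions drawn from this page's prose, and the hostname pattern it uses for the relying-party ID is an assumption as well.

```typescript
// Added example, not Amplify's or AWS's code: model the user-pool and client
// properties changed by the email-MFA and passwordless overrides, apply them
// idempotently, and lint the result for combinations that will not work.

type Mfa = "SMS_MFA" | "SOFTWARE_TOKEN_MFA" | "EMAIL_OTP";
type FirstAuthFactor = "PASSWORD" | "WEB_AUTHN" | "EMAIL_OTP" | "SMS_OTP";
type AdvancedSecurityMode = "OFF" | "AUDIT" | "ENFORCED";

interface UserPoolModel {
  advancedSecurityMode?: AdvancedSecurityMode;    // userPoolAddOns.advancedSecurityMode
  enabledMfas: Mfa[];                             // cfnUserPool.enabledMfas
  allowedFirstAuthFactors?: FirstAuthFactor[];    // Policies.SignInPolicy.AllowedFirstAuthFactors
  webAuthnRelyingPartyID?: string;                // WebAuthnRelyingPartyID
  webAuthnUserVerification?: "required" | "preferred"; // WebAuthnUserVerification
}

interface UserPoolClientModel {
  explicitAuthFlows: string[];                    // cfnUserPoolClient.explicitAuthFlows
}

// Same effect as the enabledMfas spread in the override above, but idempotent:
// applying it twice does not duplicate EMAIL_OTP. AUDIT only records risk;
// ENFORCED also acts on it, so an existing ENFORCED setting is kept.
function enableEmailMfa(pool: UserPoolModel): UserPoolModel {
  const mfas: Mfa[] = pool.enabledMfas.includes("EMAIL_OTP")
    ? pool.enabledMfas
    : [...pool.enabledMfas, "EMAIL_OTP"];
  const mode = pool.advancedSecurityMode ?? "OFF";
  return { ...pool, advancedSecurityMode: mode === "OFF" ? "AUDIT" : mode, enabledMfas: mfas };
}

// Same effect as the passwordless override above, adding ALLOW_USER_AUTH to the
// client only if it is not already present.
function enablePasswordless(
  pool: UserPoolModel,
  client: UserPoolClientModel,
  relyingPartyId: string,
  factors: FirstAuthFactor[] = ["PASSWORD", "WEB_AUTHN", "EMAIL_OTP", "SMS_OTP"],
): { pool: UserPoolModel; client: UserPoolClientModel } {
  const flows = client.explicitAuthFlows.includes("ALLOW_USER_AUTH")
    ? client.explicitAuthFlows
    : [...client.explicitAuthFlows, "ALLOW_USER_AUTH"];
  return {
    pool: {
      ...pool,
      allowedFirstAuthFactors: factors,
      webAuthnRelyingPartyID: relyingPartyId,
      webAuthnUserVerification: pool.webAuthnUserVerification ?? "preferred",
    },
    client: { ...client, explicitAuthFlows: flows },
  };
}

// Assumed shape of a relying-party ID: a bare hostname, no scheme, port or path.
// The page's '<RELYING_PARTY>' placeholder fails this on purpose.
const RP_ID_PATTERN = /^[a-z0-9.-]+$/i;

function lintUserPool(pool: UserPoolModel, client: UserPoolClientModel): string[] {
  const findings: string[] = [];

  if (pool.enabledMfas.includes("EMAIL_OTP") && (pool.advancedSecurityMode ?? "OFF") === "OFF") {
    findings.push("EMAIL_OTP MFA is enabled but advancedSecurityMode is OFF");
  }

  const factors = pool.allowedFirstAuthFactors ?? [];
  if (factors.length > 0 && !client.explicitAuthFlows.includes("ALLOW_USER_AUTH")) {
    findings.push("AllowedFirstAuthFactors is set but the client lacks ALLOW_USER_AUTH");
  }

  if (factors.includes("WEB_AUTHN")) {
    const rp = pool.webAuthnRelyingPartyID ?? "";
    if (!RP_ID_PATTERN.test(rp)) {
      findings.push(`WEB_AUTHN is allowed but relying-party ID "${rp}" is missing, a placeholder, or not a bare hostname`);
    }
    if (pool.webAuthnUserVerification === undefined) {
      findings.push("WEB_AUTHN is allowed but WebAuthnUserVerification is unset");
    }
  }

  return findings;
}

// Constructed sample input resembling a freshly generated pool: SMS MFA only,
// ASF off, client using SRP and refresh-token flows.
const SAMPLE_POOL: UserPoolModel = { enabledMfas: ["SMS_MFA"] };
const SAMPLE_CLIENT: UserPoolClientModel = {
  explicitAuthFlows: ["ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"],
};
```

Feed the lint the values you are about to hand to addPropertyOverride and the client's explicitAuthFlows, and stop the deploy on any finding; the relying-party check in particular catches a placeholder left in place, which would otherwise surface only as passkey registration failing in the browser.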