Name:
interface
Value:
Amplify has re-imagined the way frontend developers build fullstack applications. Develop and deploy without the hassle.

Page updated Nov 26, 2024

Modify Amplify-generated Cognito resources with CDK

Amplify Auth provides sensible defaults for the underlying Amazon Cognito resource definitions. You can customize your authentication resource to enable it to behave exactly as needed for your use cases by modifying it directly using AWS Cloud Development Kit (CDK)

Override Cognito UserPool password policies

You can override the password policy by using the L1 cfnUserPool construct and adding a addPropertyOverride.

amplify/backend.ts
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
const backend = defineBackend({
auth,
});
// extract L1 CfnUserPool resources
const { cfnUserPool } = backend.auth.resources.cfnResources;
// modify cfnUserPool policies directly
cfnUserPool.policies = {
passwordPolicy: {
minimumLength: 10,
requireLowercase: true,
requireNumbers: true,
requireSymbols: true,
requireUppercase: true,
temporaryPasswordValidityDays: 20,
},
};

Override Cognito UserPool multi-factor authentication options

While Email MFA is not yet supported with defineAuth, this feature can be enabled by modifying the underlying CDK construct.

Start by ensuring your defineAuth resource configuration includes a compatible account recovery option and a custom SES sender.

amplify/auth/resource.ts
import { defineAuth } from "@aws-amplify/backend"
/**
* Define and configure your auth resource
* @see https://docs.amplify.aws/gen2/build-a-backend/auth
*/
export const auth = defineAuth({
loginWith: {
email: true,
phone: true,
},
multifactor: {
mode: "OPTIONAL",
sms: true,
totp: false,
},
// Important! The logic to resolve this value cannot determine whether email mfa is enabled when overriding the resource.
// Be sure to pick a recovery option appropriate for your application.
accountRecovery: "EMAIL_AND_PHONE_WITHOUT_MFA",
senders: {
email: {
fromEmail: "registrations@example.com",
},
},
})

Next, extend the underlying CDK construct by activating Amazon Cognito's Advanced Security Features (ASF) and add EMAIL_OTP to the enabled MFA options.

amplify/backend.ts
import { defineBackend } from "@aws-amplify/backend"
import { auth } from "./auth/resource"
const backend = defineBackend({
auth,
})
const { cfnUserPool } = backend.auth.resources.cfnResources
// enable ASF
cfnUserPool.userPoolAddOns = {
advancedSecurityMode: "AUDIT",
}
// add email mfa
// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-enabledmfas
cfnUserPool.enabledMfas = [...(cfnUserPool.enabledMfas || []), "EMAIL_OTP"]

Override Cognito UserPool to enable passwordless sign-in methods

You can modify the underlying Cognito user pool resource to enable sign in with passwordless methods. Learn more about passwordless sign-in methods.

amplify/backend.ts
import { defineBackend } from "@aws-amplify/backend"
import { auth } from "./auth/resource"
const backend = defineBackend({
auth,
})
const { cfnResources } = backend.auth.resources;
const { cfnUserPool, cfnUserPoolClient } = cfnResources;
cfnUserPool.addPropertyOverride(
'Policies.SignInPolicy.AllowedFirstAuthFactors',
['PASSWORD', 'WEB_AUTHN', 'EMAIL_OTP', 'SMS_OTP']
);
cfnUserPoolClient.explicitAuthFlows = [
'ALLOW_REFRESH_TOKEN_AUTH',
'ALLOW_USER_AUTH'
];
/* Needed for WebAuthn */
cfnUserPool.addPropertyOverride('WebAuthnRelyingPartyID', '<RELYING_PARTY>');
cfnUserPool.addPropertyOverride('WebAuthnUserVerification', 'preferred');