Terraform-provider-aws: AWS Cognito User Pool Doesn't Support Advanced Security Features

Created on 31 Dec 2018 · 7 comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently there don't appear to be advanced security settings in the Cognito User Pool:
https://www.terraform.io/docs/providers/aws/r/cognito_user_pool.html

It would be nice to have these features settable from Cognito:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html

Things we would like are the following settings (not fully expansive):

- mode: audit, yes
- compromised_action: block, allow
- low_risk_setting: allow, optional mfa, mfa required
- low_risk_notification: on, off
- medium_risk_setting: allow, optional mfa, mfa required
- medium_risk_notification: on, off
- high_risk_setting: allow, optional mfa, mfa required
- high_risk_notification: on, off
- SES region
- SES email
- reply_to

New or Affected Resource(s)

https://www.terraform.io/docs/providers/aws/r/cognito_user_pool.html

  • aws_cognito_user_pool

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html

Labels: enhancement, service/cognito

Most helpful comment

Looks like this applies to both user pools and individual user pool clients. Involved API calls are:

Possible HCL:

resource "aws_cognito_user_pool" "example" {
  name = "example"

  risk_configuration {
    account_takeover_risk_configuration {
      actions {
        high_action {
          event_action = "BLOCK"
          notify       = true
        }

        medium_action {
          event_action = "MFA_REQUIRED"
          notify       = true
        }

        low_action {
          event_action = "NO_ACTION"
          notify       = true
        }
      }

      notify_configuration {
        from       = "[email protected]"
        reply_to   = "[email protected]"
        source_arn = ""

        block_email {
          html_body = ""
          subject   = ""
          text_body = ""
        }

        mfa_email {
          html_body = ""
          subject   = ""
          text_body = ""
        }

        no_action_email {
          html_body = ""
          subject   = ""
          text_body = ""
        }
      }
    }

    compromised_credentials_risk_configuration {
      actions {
        event_action = "BLOCK"
      }

      event_filter = ["SIGN_IN"]
    }

    risk_exception_configuration {
      blocked_ip_range_list = ["1.1.1.1/32"]
      skipped_ip_range_list = ["10.10.10.10/32"]
    }
  }
}
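
As an added example (not code from the issue or from the provider), here is a small Python check that validates a configuration shaped like the HCL above and turns it into a request body in the shape of the Cognito SetRiskConfiguration API; the user pool id, the SES ARN and the sample values are constructed placeholders, and the actual AWS call is left out so it runs offline. It also enforces two caveats worth knowing: the actions only take effect when the pool's advanced security mode is ENFORCED, and a range must not appear in both the blocked and the skipped IP lists.

```python
import ipaddress
# Enum values accepted by the Cognito SetRiskConfiguration API.
TAKEOVER_ACTIONS = {"BLOCK", "MFA_IF_CONFIGURED", "MFA_REQUIRED", "NO_ACTION"}
CREDENTIAL_ACTIONS = {"BLOCK", "NO_ACTION"}
EVENT_FILTERS = {"SIGN_IN", "PASSWORD_CHANGE", "SIGN_UP"}

# Constructed sample mirroring the proposed HCL above; the SES ARN is a placeholder.
SAMPLE_CFG = {
    "account_takeover_risk_configuration": {
        "actions": {"high_action": {"event_action": "BLOCK", "notify": True},
                    "medium_action": {"event_action": "MFA_REQUIRED", "notify": True},
                    "low_action": {"event_action": "NO_ACTION", "notify": True}},
        "notify_configuration": {"source_arn": "arn:aws:ses:REGION:ACCOUNT:identity/PLACEHOLDER"}},
    "compromised_credentials_risk_configuration": {"actions": {"event_action": "BLOCK"}, "event_filter": ["SIGN_IN"]},
    "risk_exception_configuration": {"blocked_ip_range_list": ["1.1.1.1/32"], "skipped_ip_range_list": ["10.10.10.10/32"]},
}

def build_risk_configuration(user_pool_id, cfg, advanced_security_mode, client_id=None):
    """Validate cfg and return a SetRiskConfiguration request body; raise ValueError if it is unsafe."""
    if advanced_security_mode != "ENFORCED":
        # OFF ignores the configuration and AUDIT only records risk events: no BLOCK or MFA happens.
        raise ValueError("risk actions take effect only with advanced_security_mode = ENFORCED")
    ato, actions = cfg["account_takeover_risk_configuration"], {}
    for level in ("low", "medium", "high"):
        act = ato["actions"][level + "_action"]
        if act["event_action"] not in TAKEOVER_ACTIONS:
            raise ValueError(f"{level}_action: unknown event_action {act['event_action']!r}")
        actions[level.capitalize() + "Action"] = {"EventAction": act["event_action"], "Notify": bool(act["notify"])}
    source_arn = ato.get("notify_configuration", {}).get("source_arn", "")
    if any(a["Notify"] for a in actions.values()) and not source_arn:
        raise ValueError("notify = true needs a verified SES identity in notify_configuration.source_arn")
    cc = cfg["compromised_credentials_risk_configuration"]
    if cc["actions"]["event_action"] not in CREDENTIAL_ACTIONS or not set(cc["event_filter"]) <= EVENT_FILTERS:
        raise ValueError("invalid compromised_credentials_risk_configuration")
    exc = cfg["risk_exception_configuration"]  # ip_network() is strict: host bits set in a prefix are rejected
    blocked = [ipaddress.ip_network(r) for r in exc.get("blocked_ip_range_list", [])]
    skipped = [ipaddress.ip_network(r) for r in exc.get("skipped_ip_range_list", [])]
    for b in blocked:
        for s in skipped:
            if b.overlaps(s):  # a range cannot be both always-blocked and exempt from risk detection
                raise ValueError(f"blocked range {b} overlaps skipped range {s}")
    body = {"UserPoolId": user_pool_id,
            "AccountTakeoverRiskConfiguration": {"Actions": actions, "NotifyConfiguration": {"SourceArn": source_arn}},
            "CompromisedCredentialsRiskConfiguration": {"EventFilter": list(cc["event_filter"]),
                                                        "Actions": {"EventAction": cc["actions"]["event_action"]}},
            "RiskExceptionConfiguration": {"BlockedIPRangeList": [str(b) for b in blocked],
                                           "SkippedIPRangeList": [str(s) for s in skipped]}}
    if client_id:  # per-client override, as the thread proposes for a separate resource
        body["ClientId"] = client_id
    return body
```

The returned dict can be passed as keyword arguments to a boto3 `cognito-idp` client's `set_risk_configuration`, which is deliberately not called here.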

All 7 comments

Also need to support IP whitelisting and blacklisting, similar to resource policies.

Any updates on this? Are all Cognito features supported through Terraform?

I've been looking into this and I think that this should be a separate resource, as there is also a user pool client config and it changes its behaviour based on that.

This way it can be set on the user pool level or have a different config per user pool client.

Thoughts?

@DrFaust92 Any chance you looked further into this meanwhile?

Seeing how it's implemented on the AWS side, I'd also opt for a separate resource requiring either a user_pool or a user_pool_client to be provided (never both).
I'd be happy to assist in moving this forward in the short term.

Edit: to anyone encountering this, yes, the user_pool resource (meanwhile?) has a toggle to enable advanced_security_mode, but it only allows off/audit/enforced, none of the actual configuration.

Working on this now

Any news @DrFaust92 ?
