💼 [Cognito.5] MFA should be enabled for Cognito user pools
- ID: /frameworks/aws-fsbp-v1.0.0/cognito/05
Description
This control checks whether an Amazon Cognito user pool configured with a password-only sign-in policy has multi-factor authentication (MFA) enabled. The control fails if the user pool configured with a password-only sign-in policy does not have MFA enabled.
Multi-factor authentication (MFA) adds a "something you have" authentication factor to the "something you know" factor (typically a username and password). For federated users, Amazon Cognito delegates authentication to the identity provider (IdP) and doesn't offer additional authentication factors. However, if you have local users with password authentication, configuring MFA for the user pool increases their security.
Similar
- AWS Security Hub
Sub Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|