Hello,
Thank you for reaching out to us!
I see that you are trying to set up Cognito MFA for sending SMS messages.
[1] What should external ID be? Is that the ID of the resource share or the resource ID itself?
In short, ExternalId is not associated with the resource share or the resource ID.
When you configure Cognito MFA for sending SMS messages, you must specify an SmsConfigurationType[1] object as SmsConfiguration. When setting up this SmsConfigurationType object, you specify the parameters below; ExternalId is optional:
a) SnsCallerArn
b) ExternalId (optional)
c) SnsRegion (optional)
SnsCallerArn is the IAM role your Cognito user pool assumes to send the messages. Here the ExternalId [2] is used as an additional security measure, and it is an optional field. It can be any desired value; however, when it is specified in SmsConfigurationType, you must specify the exact same value in the trust policy of the IAM role Cognito uses to send messages. You can refer to the example below for a better understanding.
Sample boto3 code while creating a user pool with MFA:
import boto3

cognito = boto3.client('cognito-idp')
user_pool_id = 'us-west-2_EXAMPLE'                              # placeholder: your user pool ID
sms_role_arn = 'arn:aws:iam::111122223333:role/CognitoSmsRole'  # placeholder: the role Cognito assumes

response = cognito.set_user_pool_mfa_config(
    UserPoolId=user_pool_id,
    SmsMfaConfiguration={
        'SmsAuthenticationMessage': 'Your authentication code is {####}',
        'SmsConfiguration': {
            'SnsCallerArn': sms_role_arn,
            # ExternalId is used here; the same value must appear in the role's trust policy
            'ExternalId': 'a1b2c3d4-5678-90ab-cdef-EXAMPLE22222',
        },
    },
)
Sample trust policy of the IAM role assumed by Cognito (the same ExternalId is used in the sts:ExternalId condition):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "cognito-idp.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:cognito-idp:us-west-2:111122223333:userpool/us-west-2_EXAMPLE"
                }
            }
        }
    ]
}
As mentioned above, if ExternalId is specified, the value used in SmsConfiguration and the value in the trust policy must be the same. You can also refer to the documentation below for more information.
[+] Prepare an IAM role that Amazon Cognito can use to send SMS messages with Amazon SNS - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#sms-create-a-role
[2] My development account is in SNS sandbox. Do I need to get my development account out of sandbox for this to work?
No, you do not need to move your development account out of the sandbox. For testing purposes, you can still use the sandbox; however, kindly note that you have to verify the phone numbers that you want to use in the SNS console.
Hope this helps!
References:
[1] SmsConfigurationType - https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SmsConfigurationType.html
[2] External IDs for third party access - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html#id_roles_third-party_external-id
The external ID in AWS Cognito SMS configuration is not related to the resource share ID or the resource ID itself. It's a unique identifier that provides an additional layer of security when Amazon Cognito assumes an IAM role to send SMS messages on your behalf.
When you set up SMS messaging for your Cognito user pool, you need to provide an IAM role that Cognito can assume to send SMS messages via Amazon SNS. The external ID is a value that you generate and include both in the role's trust policy and in the Cognito user pool's SMS configuration. This ensures that only your Cognito user pool can assume this specific role.
In your TypeScript CDK code, you're setting up this external ID in two places:
- In the role's trust policy, as a condition for allowing Cognito to assume the role.
- In the smsRoleExternalId property of your Cognito user pool configuration.
The value for this external ID should be a unique string that you generate. It's not related to the resource share or resource ID from your RAM (Resource Access Manager) setup.
Regarding your second question about the SNS sandbox: Yes, you do need to move your development account out of the SNS sandbox for this to work in a production environment. While in the sandbox, you can only send SMS messages to verified phone numbers, which is restrictive for a real-world application. To move out of the sandbox, you'll need to request production access for Amazon SNS, which involves providing additional information about your use case and expected SMS volume.
However, for testing purposes, you can still use the sandbox environment. You'll just need to verify the phone numbers you're sending messages to in the Amazon SNS console first. This allows you to develop and test your MFA functionality without immediately moving to production SNS access.
Remember to replace the placeholder "2444....." in your code with an actual unique string for your external ID. This ID should be kept secret and should not be easily guessable.
Sources
SmsConfigurationType - Amazon Cognito User Pools
interface SmsConfigurationProperty · AWS CDK
SMS message settings for Amazon Cognito user pools - Amazon Cognito
Configuring email or phone verification - Amazon Cognito
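An added example that is not code from either answer above, from the AWS documentation, or from the CDK: an offline model of how STS evaluates the SMS role's trust policy when Amazon Cognito calls sts:AssumeRole. It shows why the ExternalId in the user pool's SmsConfiguration (the smsRoleExternalId property in CDK) must equal the sts:ExternalId condition in the trust policy, and how the aws:SourceAccount and aws:SourceArn conditions stop a user pool in another account from assuming the role even if it knew the external ID. The account ID, role name and user pool ARN are constructed sample values, and the evaluator models only the StringEquals and ArnLike operators used by this policy shape (an assumption; it is not a general IAM policy evaluator).

```python
# Added example (not from the re:Post thread, AWS docs or CDK): simulate STS
# evaluating the Cognito SMS role's trust policy. Sample identifiers only;
# only StringEquals and ArnLike are modelled (assumption, not full IAM logic).
import json
import re
import secrets
from typing import Optional

COGNITO_SERVICE = "cognito-idp.amazonaws.com"


def new_external_id() -> str:
    """A random, unguessable external ID (32 URL-safe characters)."""
    return secrets.token_urlsafe(24)


def build_trust_policy(external_id: str, account_id: str, user_pool_arn: str) -> dict:
    """Trust policy for the IAM role Cognito assumes to publish SMS through SNS."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": COGNITO_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": external_id,
                    "aws:SourceAccount": account_id,
                },
                "ArnLike": {"aws:SourceArn": user_pool_arn},
            },
        }],
    }


def build_sms_configuration(role_arn: str, external_id: Optional[str], region: str) -> dict:
    """SmsConfiguration as passed to Cognito; ExternalId is optional in the API."""
    config = {"SnsCallerArn": role_arn, "SnsRegion": region}
    if external_id is not None:
        config["ExternalId"] = external_id
    return config


def _arn_like(pattern: str, value: str) -> bool:
    """IAM ArnLike: '*' and '?' wildcards, matched per colon-delimited ARN component."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    for p, v in zip(p_parts, v_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if re.fullmatch(regex, v) is None:
            return False
    return True


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def assume_role_allowed(trust_policy: dict, request: dict) -> bool:
    """Decide whether an AssumeRole request context satisfies the trust policy.

    `request` mirrors what STS sees: the calling service principal plus the
    condition keys sts:ExternalId, aws:SourceAccount and aws:SourceArn.
    A condition key absent from the request never satisfies a condition.
    """
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if request["principal_service"] not in _as_list(stmt.get("Principal", {}).get("Service", [])):
            continue
        cond = stmt.get("Condition", {})
        satisfied = all(
            request.get(key) in _as_list(expected)
            for key, expected in cond.get("StringEquals", {}).items()
        ) and all(
            key in request and any(_arn_like(p, request[key]) for p in _as_list(patterns))
            for key, patterns in cond.get("ArnLike", {}).items()
        )
        if satisfied:
            return True
    return False


def sms_config_matches_policy(sms_config: dict, trust_policy: dict,
                              account_id: str, user_pool_arn: str) -> bool:
    """Pre-flight check: could this user pool, with this SmsConfiguration, assume the role?"""
    request = {"principal_service": COGNITO_SERVICE,
               "aws:SourceAccount": account_id, "aws:SourceArn": user_pool_arn}
    if "ExternalId" in sms_config:
        request["sts:ExternalId"] = sms_config["ExternalId"]
    return assume_role_allowed(trust_policy, request)


def demo() -> tuple:
    """Matching config, a wrong ExternalId, and a user pool in another account (confused deputy)."""
    account = "111122223333"                                                      # sample
    pool = f"arn:aws:cognito-idp:us-west-2:{account}:userpool/us-west-2_EXAMPLE"  # sample
    role = f"arn:aws:iam::{account}:role/CognitoSmsRole"                          # sample
    ext = new_external_id()
    policy = build_trust_policy(ext, account, pool)
    good = sms_config_matches_policy(build_sms_configuration(role, ext, "us-west-2"), policy, account, pool)
    wrong = sms_config_matches_policy(build_sms_configuration(role, "guessed", "us-west-2"), policy, account, pool)
    other_pool = "arn:aws:cognito-idp:us-west-2:999999999999:userpool/us-west-2_OTHER"
    deputy = sms_config_matches_policy(build_sms_configuration(role, ext, "us-west-2"), policy, "999999999999", other_pool)
    return good, wrong, deputy


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(new_external_id(), "111122223333",
          "arn:aws:cognito-idp:us-west-2:111122223333:userpool/us-west-2_EXAMPLE"), indent=2))
    print(demo())
```

Run it to print a generated trust policy and the three verdicts: the matching configuration is allowed, a wrong or omitted ExternalId is denied, and a user pool in a different account is denied by aws:SourceAccount and aws:SourceArn regardless of the external ID. The same check applies to a CDK deployment: the value passed as smsRoleExternalId must be the one in the role's sts:ExternalId condition, and scoping aws:SourceArn to the user pool ARN is what ties the role to that pool.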
Well now I am more confused. How does cognito know to leverage SNS to use a phone number in another account? I don't see any settings in cognito if your explanation of externalId is correct.