Setting up SMS MFA for user pool

0

Hello, we have an existing user pool that is using SMS for MFA. We have an origination number, SNS in production, and an IAM role assigned for cognito to use SNS. The SMS MFA is functioning as expected. In the same account and region, we are trying to set up another user pool to use the same MFA configuration and cognito is insisting that we do not have SMS set up. It allows us to configure SMS in Authentication Methods, but when attempting to set it up using the same existing role from the other user pool, the GUI directs us to the Edit MFA page from the Authentication methods. I got it to work by creating a new IAM role, but I do not understand why I need to do this. Are the IAM roles created in the UI only valid for that user pool? Could I use a common IAM for multiple user pools?

1 Answer
0

The situation you're describing is unusual, as typically an IAM role created for Cognito to use SNS for SMS MFA should be reusable across multiple user pools within the same AWS account and region. However, there are a few potential reasons why you might be experiencing this issue:

  1. Role Trust Relationship: The IAM role's trust relationship might be specifically configured for the original user pool. Each user pool has a unique identifier, and if the trust relationship is overly specific, it may not work for other user pools.

  2. Role Permissions: The IAM role's permissions might be too restrictive, only allowing actions for specific resources related to the original user pool.

To address this, you could try the following:

  1. Check the trust relationship of the existing IAM role. Make sure it trusts the Cognito service in general (cognito-idp.amazonaws.com) rather than being limited to a specific user pool.

  2. Review the role's permissions to ensure they're broad enough to work with multiple user pools.

If you want to use a common IAM role for multiple user pools (which is generally possible and a good practice for simplifying management), you may need to adjust the role's trust relationship and permissions to be more inclusive.

Remember, when setting up SMS MFA, you need to ensure that the role has the necessary permissions to publish to SNS, and that the trust relationship allows Cognito to assume the role. If you're still having issues, it might be worth contacting AWS support for further assistance, as they can look into the specific configuration of your account and user pools.

While creating a new role for each user pool will work, it's not typically necessary and can lead to more complex management. In most cases, you should be able to use a single, properly configured IAM role for SMS MFA across multiple user pools in the same account and region.

Sources
Adding MFA to a user pool - Amazon Cognito
SmsMfaConfigType - Amazon Cognito User Pools
SetUserPoolMfaConfig - Amazon Cognito User Pools

answered a year ago
AWS
SUPPORT ENGINEER
reviewed a year ago
AWS
SUPPORT ENGINEER
revised a year ago
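The answer's two checks (does the trust policy admit the Cognito service principal, and can the role publish to SNS) can be run against the policy documents themselves. The script below is an added example, not code from the answer, from AWS, or from the question asker. It uses constructed sample policies; the real role, pool IDs and ExternalId values are not on this page. One documented way a trust policy ends up bound to a single pool is an sts:ExternalId condition whose value must match the ExternalId set in that pool's SMS configuration, so the checker reports that case separately from a role that does not trust cognito-idp.amazonaws.com at all. In practice you would feed it the output of iam get-role and the role's attached policy documents.

```python
import json

COGNITO_SERVICE = "cognito-idp.amazonaws.com"

# Constructed sample: a trust policy bound to one pool through sts:ExternalId.
TRUST_POLICY_POOL_A = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "cognito-idp.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "pool-a-external-id"}}
  }]
}""")

# Constructed sample: a shared trust policy accepting the ExternalId of each pool
# that is allowed to use the role (a condition value may be a list).
TRUST_POLICY_SHARED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "cognito-idp.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {
      "sts:ExternalId": ["pool-a-external-id", "pool-b-external-id"]}}
  }]
}""")

# Constructed sample: permissions policy letting the role send SMS through SNS.
# Publishing to a phone number has no resource ARN, so Resource must be "*".
SNS_PUBLISH_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["sns:Publish"], "Resource": "*"}]
}""")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def cognito_trust(trust_policy):
    """Summarise which Allow/sts:AssumeRole statements admit the Cognito service.

    Returns {"trusts_cognito": bool, "external_ids": set, "unconstrained": bool};
    unconstrained is True when some matching statement has no sts:ExternalId check.
    """
    result = {"trusts_cognito": False, "external_ids": set(), "unconstrained": False}
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if COGNITO_SERVICE not in services:
            continue
        result["trusts_cognito"] = True
        condition = stmt.get("Condition") or {}
        ext_ids = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
        if ext_ids:
            result["external_ids"].update(ext_ids)
        else:
            result["unconstrained"] = True
    return result


def allows_sns_publish(permissions_policy):
    """True if some Allow statement grants sns:Publish on Resource "*"."""
    for stmt in _as_list(permissions_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sns:Publish", "sns:*", "*") for a in actions):
            continue
        if "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def assess_role_for_pool(trust_policy, permissions_policy, pool_external_id):
    """Classify whether a pool whose SMS configuration carries pool_external_id
    (None when the pool sets no ExternalId) could use this role for SMS MFA."""
    trust = cognito_trust(trust_policy)
    if not trust["trusts_cognito"]:
        return "trust-missing"
    if not trust["unconstrained"] and pool_external_id not in trust["external_ids"]:
        return "external-id-mismatch"
    if not allows_sns_publish(permissions_policy):
        return "sns-publish-missing"
    return "ok"


if __name__ == "__main__":
    for label, trust in (("pool-A role", TRUST_POLICY_POOL_A), ("shared role", TRUST_POLICY_SHARED)):
        for pool_id in ("pool-a-external-id", "pool-b-external-id"):
            print(f"{label:12s} used by {pool_id}: "
                  f"{assess_role_for_pool(trust, SNS_PUBLISH_POLICY, pool_id)}")
```

The verdict "external-id-mismatch" is the one to look for when a role works for one pool but is refused for another: either add the second pool's ExternalId to the trust policy's condition (as in the shared sample) or set the second pool's SMS configuration to the ExternalId the role already expects. Dropping the ExternalId condition entirely also makes the role reusable, but removes the documented protection against other principals assuming the role, so prefer listing the specific values.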
