IaC Bazaar
AWS · Live-tested

Cognito User Pool & App Client

A secure-by-default Cognito user pool and app client with optional hosted-UI domain — strong password policy, TOTP MFA, account-enumeration protection, SRP-only flows, and refresh-token revocation.

terraform · AWS · #aws
aws-cognito · terraform · v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30

Documentation

aws-cognito

Amazon Cognito user pool + app client (with an optional hosted-UI domain), built secure-by-default. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0. No VPC, no compute — user pools, app clients, and prefix domains are on the free tier.

Secure defaults:

  • Strong password policy — 12-char minimum requiring upper, lower, number, and symbol (all tunable)
  • MFA available: OPTIONAL by default with TOTP (authenticator-app) enabled; set ON to make it mandatory. SMS MFA is deliberately omitted (it needs an SNS caller role); turn it on yourself if you need it
  • Account-enumeration protection — the client returns generic errors for unknown users (prevent_user_existence_errors = ENABLED)
  • SRP-only auth flows: ALLOW_USER_SRP_AUTH + ALLOW_REFRESH_TOKEN_AUTH; the plaintext-password flows (ALLOW_USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH) are off by default
  • Refresh-token revocation enabled, conservative token lifetimes
  • Verified-email account recovery only, case-insensitive usernames
  • Deletion protection ACTIVE by default (set INACTIVE for throwaway environments so the pool can be destroyed)

Threat protection (advanced security / user_pool_add_ons) is opt-in and left OFF because it requires the paid Plus feature plan.
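The following is an added illustration, not the aws-cognito module's own source (which ships only with a licence): a user pool and app client written out with every setting the secure-defaults list above describes, so the Terraform attributes behind each bullet are visible. Resource names, variable names and the exact token lifetimes are assumptions; the attribute names are the real ones from the hashicorp/aws provider.

```hcl
# Added illustration (not the aws-cognito module's own source): a user pool and
# app client wired the way the "Secure defaults" list describes.
# Names and the exact token lifetimes are assumptions.

variable "deletion_protection" {
  description = "ACTIVE blocks terraform destroy; use INACTIVE only for throwaway environments"
  type        = string
  default     = "ACTIVE"
  validation {
    condition     = contains(["ACTIVE", "INACTIVE"], var.deletion_protection)
    error_message = "deletion_protection must be ACTIVE or INACTIVE."
  }
}

variable "mfa_configuration" {
  description = "OPTIONAL lets users enrol TOTP; ON makes it mandatory. OFF is deliberately not accepted."
  type        = string
  default     = "OPTIONAL"
  validation {
    condition     = contains(["OPTIONAL", "ON"], var.mfa_configuration)
    error_message = "mfa_configuration must be OPTIONAL or ON."
  }
}

variable "hosted_ui_domain_prefix" {
  description = "Cognito prefix domain for the hosted UI; null skips the domain resource"
  type        = string
  default     = null
}

resource "aws_cognito_user_pool" "this" {
  name                = "example-users" # assumed name
  deletion_protection = var.deletion_protection

  username_configuration {
    case_sensitive = false # "Alice" and "alice" resolve to the same account
  }

  password_policy {
    minimum_length                   = 12
    require_lowercase                = true
    require_uppercase                = true
    require_numbers                  = true
    require_symbols                  = true
    temporary_password_validity_days = 7
  }

  mfa_configuration = var.mfa_configuration
  software_token_mfa_configuration {
    enabled = true # TOTP via an authenticator app
  }
  # No sms_configuration block: SMS MFA would need an SNS caller role.

  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email" # no phone-based recovery path
      priority = 1
    }
  }
  # user_pool_add_ons (threat protection) intentionally absent: needs the Plus plan.
}

resource "aws_cognito_user_pool_client" "this" {
  name         = "example-app" # assumed name
  user_pool_id = aws_cognito_user_pool.this.id

  # Same generic error for a wrong password and an unknown user.
  prevent_user_existence_errors = "ENABLED"
  enable_token_revocation       = true

  # SRP only. The plaintext flows ALLOW_USER_PASSWORD_AUTH and
  # ALLOW_ADMIN_USER_PASSWORD_AUTH are deliberately not listed.
  explicit_auth_flows = [
    "ALLOW_USER_SRP_AUTH",
    "ALLOW_REFRESH_TOKEN_AUTH",
  ]

  # Conservative lifetimes (assumed values): 1 h access/ID tokens, 1 day refresh.
  access_token_validity  = 60
  id_token_validity      = 60
  refresh_token_validity = 1
  token_validity_units {
    access_token  = "minutes"
    id_token      = "minutes"
    refresh_token = "days"
  }
}

resource "aws_cognito_user_pool_domain" "hosted_ui" {
  count        = var.hosted_ui_domain_prefix == null ? 0 : 1
  domain       = var.hosted_ui_domain_prefix
  user_pool_id = aws_cognito_user_pool.this.id
}
```

Two checks worth running against whatever you actually deploy: after apply, `aws cognito-idp describe-user-pool-client --user-pool-id <pool> --client-id <client>` should list only the two SRP/refresh flows under ExplicitAuthFlows and show PreventUserExistenceErrors as ENABLED; and with deletion_protection left at ACTIVE, `terraform destroy` will be refused by the API, which is the intended behaviour outside sandboxes, so pass `-var deletion_protection=INACTIVE` (and apply it first) before tearing a throwaway pool down.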

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/aws >= 6.0, < 7.0, hashicorp/random >= 3.0, < 4.0

Verification

Static-validated (fmt, validate, tflint). The live apply/verify/destroy status is tracked in the catalog status above, which currently shows Live-tested (last verified 2026-06-30).

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
