aws · mergify · Dec 7, 2022 · Dec 7, 2022 · Dec 7, 2022
diff --git a/packages/@aws-cdk/aws-cognito/README.md b/packages/@aws-cdk/aws-cognito/README.md
@@ -356,6 +356,16 @@ new cognito.UserPool(this, 'UserPool', {
 The default for account recovery is by phone if available and by email otherwise.
 A user will not be allowed to reset their password via phone if they are also using it for MFA.
 
+#### Advanced Security Mode
+
+User pools can be configured to use Advanced security. You can turn the user pool advanced security features on, and customize the actions that are taken in response to different risks. Or you can use audit mode to gather metrics on detected risks without taking action. In audit mode, the advanced security features publish metrics to Amazon CloudWatch. See the [documentation on Advanced security](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) to learn more.
+
+```ts
+new cognito.UserPool(this, 'myuserpool', {
+  // ...
+  advancedSecurityMode: cognito.AdvancedSecurityMode.ENFORCED,
+});
+```
 
 ### Emails
 

diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool.ts
@@ -496,6 +496,19 @@ export interface DeviceTracking {
   readonly deviceOnlyRememberedOnUserPrompt: boolean;
 }
 
+/**
+ * The different ways in which a user pool's Advanced Security Mode can be configured.
+ * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecuritymode
+ */
+export enum AdvancedSecurityMode {
+  /** Enable advanced security mode */
+  ENFORCED = 'ENFORCED',
+  /** gather metrics on detected risks without taking action. Metrics are published to Amazon CloudWatch */
+  AUDIT = 'AUDIT',
+  /** Advanced security mode is disabled */
+  OFF = 'OFF'
+}
+
 /**
  * Props for the UserPool construct
  */
@@ -692,6 +705,12 @@ export interface UserPoolProps {
    * @default - no key ID configured
    */
   readonly customSenderKmsKey?: IKey;
+
+  /**
+   * The user pool's Advanced Security Mode
+   * @default - no value
+   */
+  readonly advancedSecurityMode?: AdvancedSecurityMode;
 }
 
 /**
@@ -934,6 +953,9 @@ export class UserPool extends UserPoolBase {
       emailVerificationSubject,
       smsVerificationMessage,
       verificationMessageTemplate,
+      userPoolAddOns: undefinedIfNoKeys({
+        advancedSecurityMode: props.advancedSecurityMode,
+      }),
       schema: this.schemaConfiguration(props),
       mfaConfiguration: props.mfa,
       enabledMfas: this.mfaConfiguration(props),

diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/cdk.out b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"21.0.0"}
+{"version":"22.0.0"}
diff --git a/...k/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.assets.json b/...k/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "21.0.0",
+  "version": "22.0.0",
   "files": {
-    "7df3ca05ace569184cc645d485b05885dc2e13f745606873a57afa9d264ecc08": {
+    "d52bd1bc71dfc61d4ad7024fe0716269f71e86ea085d0ccd71bcbe68e8df1c34": {
       "source": {
         "path": "integ-user-pool.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "7df3ca05ace569184cc645d485b05885dc2e13f745606873a57afa9d264ecc08.json",
+          "objectKey": "d52bd1bc71dfc61d4ad7024fe0716269f71e86ea085d0ccd71bcbe68e8df1c34.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.template.json b/...aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ-user-pool.template.json
@@ -905,6 +905,9 @@
       "phone_number"
      ]
     },
+    "UserPoolAddOns": {
+     "AdvancedSecurityMode": "ENFORCED"
+    },
     "UserPoolName": "MyUserPool",
     "VerificationMessageTemplate": {
      "DefaultEmailOption": "CONFIRM_WITH_CODE",

diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ.json b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-  "version": "21.0.0",
+  "version": "22.0.0",
   "testCases": {
     "integ.user-pool-explicit-props": {
       "stacks": [

diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/manifest.json b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.js.snapshot/manifest.json
@@ -1,12 +1,6 @@
 {
-  "version": "21.0.0",
+  "version": "22.0.0",
   "artifacts": {
-    "Tree": {
-      "type": "cdk:tree",
-      "properties": {
-        "file": "tree.json"
-      }
-    },
     "integ-user-pool.assets": {
       "type": "cdk:asset-manifest",
       "properties": {
@@ -23,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/7df3ca05ace569184cc645d485b05885dc2e13f745606873a57afa9d264ecc08.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d52bd1bc71dfc61d4ad7024fe0716269f71e86ea085d0ccd71bcbe68e8df1c34.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -260,99 +254,15 @@
             "type": "aws:cdk:logicalId",
             "data": "CheckBootstrapVersion"
           }
-        ],
-        "createAuthChallengeCreateAuthChallengeCognito57E2297E": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "createAuthChallengeCreateAuthChallengeCognito57E2297E",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "customMessageCustomMessageCognitoB4F894A6": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "customMessageCustomMessageCognitoB4F894A6",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "defineAuthChallengeDefineAuthChallengeCognito4DBD8021": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "defineAuthChallengeDefineAuthChallengeCognito4DBD8021",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "postAuthenticationPostAuthenticationCognito8B923BC3": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "postAuthenticationPostAuthenticationCognito8B923BC3",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "postConfirmationPostConfirmationCognito9D010393": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "postConfirmationPostConfirmationCognito9D010393",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "preAuthenticationPreAuthenticationCognito67FACB54": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "preAuthenticationPreAuthenticationCognito67FACB54",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "preSignUpPreSignUpCognitoE986CC53": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "preSignUpPreSignUpCognitoE986CC53",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "preTokenGenerationPreTokenGenerationCognitoC1959918": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "preTokenGenerationPreTokenGenerationCognitoC1959918",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "userMigrationUserMigrationCognito29EEC4AD": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "userMigrationUserMigrationCognito29EEC4AD",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
-        ],
-        "verifyAuthChallengeResponseVerifyAuthChallengeResponseCognito9DC48AFC": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "verifyAuthChallengeResponseVerifyAuthChallengeResponseCognito9DC48AFC",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
-          }
         ]
       },
       "displayName": "integ-user-pool"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
     }
   }
 }