chore: adding CDK example for enabling email mfa

jjarvisp · jjarvisp · commit 130c7527a3bf · 2024-10-29T21:01:35.000-07:00
diff --git a/cspell.json b/cspell.json
@@ -851,6 +851,7 @@
     "metadata",
     "mfaDescription",
     "mfaTypes",
+    "enabledMfas",
     "MiB",
     "middleware",
     "Millis",
diff --git a/src/pages/[platform]/build-a-backend/auth/concepts/multi-factor-authentication/index.mdx b/src/pages/[platform]/build-a-backend/auth/concepts/multi-factor-authentication/index.mdx
@@ -56,6 +56,8 @@ export const auth = defineAuth({
 
 <Callout info>
 Email-based MFA is currently not supported with `defineAuth`. We are working towards supporting this feature. For more information, visit the [feature request in GitHub](https://github.com/aws-amplify/amplify-backend/issues/2159).
+
+To take advantage of this feature with an Amplify generated backend, the underlying CDK construct can be extended manually. See [overriding Cognito User Pool multi-factor authentication options](/[platform]/build-a-backend/auth/modify-resources-with-cdk/#override-cognito-userpool-multi-factor-authentication-options) for more information.
 </Callout>
 
 When MFA is `REQUIRED` with SMS in your backend auth resource, you will need to pass the phone number during sign-up API call. If you are using the `email` or `username` as the primary sign-in mechanism, you will need to pass the `phone_number` attribute as a user attribute. 
diff --git a/src/pages/[platform]/build-a-backend/auth/modify-resources-with-cdk/index.mdx b/src/pages/[platform]/build-a-backend/auth/modify-resources-with-cdk/index.mdx
@@ -57,6 +57,61 @@ cfnUserPool.policies = {
 };
 ```
 
+## Override Cognito UserPool multi-factor authentication options
+While Email MFA is not yet supported with `defineAuth`, this feature can be enabled by modifying the underlying CDK construct.
+
+Start by ensuring your `defineAuth` resource configuration includes a compatible account recovery option and a custom SES sender.
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from "@aws-amplify/backend"
+
+/**
+ * Define and configure your auth resource
+ * @see https://docs.amplify.aws/gen2/build-a-backend/auth
+ */
+export const auth = defineAuth({
+  loginWith: {
+    email: true,
+    phone: true,
+  },
+  multifactor: {
+    mode: "OPTIONAL",
+    sms: true,
+    totp: false,
+  },
+  // Important! The logic to resolve this value cannot determine whether email mfa is enabled when overriding the resource. 
+  // Be sure to pick a recovery option appropriate for your application.
+  accountRecovery: "EMAIL_AND_PHONE_WITHOUT_MFA",
+  senders: {
+    email: {
+      fromEmail: "registrations@example.com",
+    },
+  },
+})
+```
+Next, extend the underlying CDK construct by activating Advanced Security Mode and adding `EMAIL_OTP` to the enabled MFA options.
+
+```ts title="amplify/backend.ts"
+
+import { defineBackend } from "@aws-amplify/backend"
+import { auth } from "./auth/resource"
+
+const backend = defineBackend({
+  auth,
+})
+
+const { cfnUserPool } = backend.auth.resources.cfnResources
+
+// enable ASF
+cfnUserPool.userPoolAddOns = {
+  advancedSecurityMode: "AUDIT",
+}
+
+// add email mfa
+// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-enabledmfas
+cfnUserPool.enabledMfas = [...(cfnUserPool.enabledMfas || []), "EMAIL_OTP"]
+```
+
 {/* token validity */}
 {/* BYO custom idp construct */}
 {/* extend auth/unauth roles */}
