diff --git a/cognito.tf b/cognito.tf
index 39612fd..3c42df0 100644
--- a/cognito.tf
+++ b/cognito.tf
@@ -8,7 +8,7 @@ resource "aws_cognito_user_pool" "user_pool" {
 }
 auto_verified_attributes = ["email"]
- mfa_configuration = "OFF"
+ mfa_configuration = var.mfa_configuration
 username_attributes = ["email"]
 user_pool_add_ons {
@@ -30,6 +30,13 @@ resource "aws_cognito_user_pool" "user_pool" {
 priority = 1
 }
 }
+
+ dynamic "software_token_mfa_configuration" {
+ for_each = var.mfa_configuration == "ON" ? [1] : []
+ content {
+ enabled = true
+ }
+ }
 }
 resource "aws_cognito_user_pool_domain" "user_pool_domain" {
@@ -42,7 +49,7 @@ resource "aws_cognito_user_pool_domain" "user_pool_domain" {
 resource "aws_cognito_identity_pool" "identity_pool" {
 count = var.cognito_enabled ? 1 : 0
 identity_pool_name = "${var.name}_identity_pool"
- allow_unauthenticated_identities = true
+ allow_unauthenticated_identities = var.allow_unauthenticated_identities
 # AWS OpenSearch will maintain `cognito_identity_providers`, so ignore it
 lifecycle { ignore_changes = [cognito_identity_providers] }
diff --git a/cognito_iam.tf b/cognito_iam.tf
index fe75304..26ed896 100644
--- a/cognito_iam.tf
+++ b/cognito_iam.tf
@@ -147,4 +147,13 @@ resource "aws_cognito_identity_pool_roles_attachment" "roles_attachment" {
 "authenticated" = aws_iam_role.authenticated[0].arn,
 "unauthenticated" = aws_iam_role.unauthenticated[0].arn,
 }
+
+ dynamic "role_mapping" {
+ for_each = var.role_mapping
+ content {
+ ambiguous_role_resolution = try(role_mapping.value["ambiguous_role_resolution"], null)
+ identity_provider = try(role_mapping.value["identity_provider"], null)
+ type = try(role_mapping.value["type"], null)
+ }
+ }
 }
diff --git a/main.tf b/main.tf
index a719357..9b9bf6f 100644
--- a/main.tf
+++ b/main.tf
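Review bot: `mfa_configuration = var.mfa_configuration` now lets callers pass "OPTIONAL" as well as "ON", but the `software_token_mfa_configuration` block added in the second hunk of this file is generated only when the value is exactly "ON", so an OPTIONAL pool is created with no MFA method configured; the provider documents that both ON and OPTIONAL require at least one of `sms_configuration` or `software_token_mfa_configuration`, so unless an SMS block exists elsewhere in the resource (not visible in these hunks) the apply is expected to fail. Gate the TOTP block on any non-OFF value instead: `for_each = var.mfa_configuration != "OFF" ? [1] : []`. The `aws_cognito_user_pool` resource starts before and ends after both hunks.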
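Review bot: The new `role_mapping` block wraps `identity_provider` and `type` in `try(..., null)`, but both are required by the provider, so a malformed entry in `var.role_mapping` is not rejected at plan time and instead surfaces as a provider error at apply; since this block decides which IAM role a federated identity receives, the input should be validated rather than silently nulled. The block also has no `mapping_rule` sub-block, so `type = "Rules"` cannot be expressed even though that type requires at least one rule. Reading the required attributes directly and adding a nested dynamic `mapping_rule` closes both gaps; the `aws_cognito_identity_pool_roles_attachment` resource starts before this hunk.
```hcl
    content {
      # … unchanged: ambiguous_role_resolution …
      # Required by the provider: a missing key now fails at plan time.
      identity_provider = role_mapping.value["identity_provider"]
      type              = role_mapping.value["type"]

      # Needed for type = "Rules"; entries without rules produce no blocks.
      dynamic "mapping_rule" {
        for_each = try(role_mapping.value["mapping_rule"], [])
        content {
          claim      = mapping_rule.value["claim"]
          match_type = mapping_rule.value["match_type"]
          role_arn   = mapping_rule.value["role_arn"]
          value      = mapping_rule.value["value"]
        }
      }
    }
```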
@@ -83,7 +83,7 @@ resource "aws_opensearch_domain" "opensearch" {
 for_each = var.inside_vpc ? [1] : []
 content {
 subnet_ids = var.subnet_ids
- security_group_ids = concat(var.sg_ids == "" ? [] : [var.sg_ids], var.create_default_sg == true ? [aws_security_group.es[0].id] : [])
+ security_group_ids = concat(var.sg_ids == "" ? [] : [var.sg_ids], var.create_default_sg == true ? [aws_security_group.es[0].id] : [])
 }
 }
diff --git a/variables.tf b/variables.tf
index f7ed16a..6b1948e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -265,4 +265,23 @@ variable "custom_es_cognito_role_name" {
 type = string
 default = null
 description = "Custom name for Opensearch Cognito role name"
+}
+
+
+variable "allow_unauthenticated_identities" {
+ type = bool
+ description = "Allow unauthenticated identities on Cognito Identity Pool"
+ default = true
+}
+
+variable "role_mapping" {
+ type = any
+ description = "Custom role mapping for identity pool role attachment"
+ default = []
+}
+
+variable "mfa_configuration" {
+ type = string
+ description = "Multi-Factor Authentication (MFA) configuration for the User Pool"
+ default = "OFF"
 }
\ No newline at end of file
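Review bot: `mfa_configuration` is declared as a free-form string with no `validation` block, so a value such as "on" or "optional" is only caught when the provider rejects it at apply time; the accepted values are OFF, ON and OPTIONAL, and a `validation` block on the variable (below) moves that failure to plan time. `allow_unauthenticated_identities` preserves the previous behaviour by defaulting to `true`, which means every caller that does not set it keeps letting the identity pool issue the unauthenticated role's credentials to callers with no login; the description should say so, e.g. `description = "Allow unauthenticated (guest) identities on the Cognito Identity Pool; when true, callers without a login receive the unauthenticated IAM role's credentials"`, and a `false` default is worth considering as a follow-up. `role_mapping` is typed `any`, which defers every shape error to the dynamic block in cognito_iam.tf; a `list(object({...}))` type would surface them at the variable instead (optional attributes need Terraform 1.3+, which these hunks do not show).
```hcl
variable "mfa_configuration" {
  # … unchanged: type, description, default …

  validation {
    condition     = contains(["OFF", "ON", "OPTIONAL"], var.mfa_configuration)
    error_message = "mfa_configuration must be one of OFF, ON or OPTIONAL."
  }
}
```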