Amazon Cognito can be attached to AWS WAF

Table of Contents

  1. Introduction
  2. What is Amazon Cognito?
  3. Configuration
  4. Usages
  5. Effects on WafCharm
  6. Conclusion

1. Introduction

On August 11th, 2022, AWS WAF protection for Amazon Cognito was made available.
With this update you can protect Amazon Cognito user pools and the hosted UI.

Amazon Cognito enables native support for AWS WAF

2. What is Amazon Cognito?

Amazon Cognito is a service that adds sign-up, sign-in and access control features to web applications and mobile apps. It supports sign-in through social identity providers such as Apple, Facebook, Google, and Amazon, and through enterprise identity providers using SAML 2.0 and OpenID Connect.

3. Configuration

Open [Associated AWS resources] in your ACL and click [Add AWS resources].

You can see that Cognito is now one of the selectable resource types.
*You may not see this option if your IAM permissions are insufficient. If so, add the necessary permissions.

Once this association is in place, AWS WAF inspects requests to the items listed below.

  • Hosted UI
  • Public API operations

Limitations

The official documentation lists the following limitations.

  • Only one web ACL can be associated with a user pool.
  • Depending on the request, the payload may be larger than the size limit AWS WAF can inspect.
  • You cannot use AWS Managed Rules' AWS WAF Fraud Control account takeover prevention (ATP).

Associating an AWS WAF web ACL with a user pool

4. Usages

You can limit who is able to authenticate by creating a matching rule based on IP addresses or countries in AWS WAF. If authentication only ever takes place from a specific site, you can protect your environment even further with a rule that blocks every request except those from that site's IP addresses.

In addition, you can counter bots with AWS WAF by creating a CAPTCHA rule. For more information on CAPTCHA rules, please refer to the blog post below.

AWS WAF Now Supports CAPTCHA

This update also eases maintenance, because the access controls for several resources can be consolidated in AWS WAF.
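The association from section 3 and the two rule types from this section, written out as wafv2 API payloads. This is an added example, not code from the original post or from WafCharm; the rule names, the REGIONAL scope requirement and the hosted UI sign-in path "/login" are assumptions, and any real ARNs must be substituted before use.

```python
from typing import Any, Dict, List

# Assumption: Cognito user pools are regional, so the web ACL uses REGIONAL scope; dict shapes follow wafv2 CreateWebACL.


def user_pool_arn(region: str, account_id: str, pool_id: str) -> str:
    """Resource ARN that wafv2 AssociateWebACL expects for a Cognito user pool."""
    return f"arn:aws:cognito-idp:{region}:{account_id}:userpool/{pool_id}"


def _visibility(metric: str) -> Dict[str, Any]:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}


def allow_from_ip_set(name: str, ip_set_arn: str, priority: int) -> Dict[str, Any]:
    """Allow sign-in traffic only from a known IP set; other sources fall through to the default action."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Allow": {}},
        "VisibilityConfig": _visibility(name),
    }


def captcha_on_hosted_ui_login(name: str, priority: int) -> Dict[str, Any]:
    """Serve a CAPTCHA on requests to the hosted UI sign-in path (assumed here to be /login)."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "ByteMatchStatement": {
                "SearchString": b"/login",
                "FieldToMatch": {"UriPath": {}},
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                "PositionalConstraint": "STARTS_WITH",
            }
        },
        "Action": {"Captcha": {}},
        "VisibilityConfig": _visibility(name),
    }


def web_acl_request(name: str, rules: List[Dict[str, Any]], default_block: bool) -> Dict[str, Any]:
    """CreateWebACL arguments; default_block=True gives the 'block everything except listed IPs' posture."""
    priorities = [r["Priority"] for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("rule priorities must be unique within a web ACL")
    return {
        "Name": name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Block": {}} if default_block else {"Allow": {}},
        "Rules": sorted(rules, key=lambda r: r["Priority"]),
        "VisibilityConfig": _visibility(name),
    }
```

To apply it, pass the returned dict to `boto3.client("wafv2").create_web_acl(**acl)` and then call `associate_web_acl(WebACLArn=..., ResourceArn=user_pool_arn(...))` with the ARN returned for the new web ACL.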

5. Effects on WafCharm

Currently, WafCharm has no plan to provide support for web ACLs attached to Amazon Cognito.

6. Conclusion

With the new support for Amazon Cognito, further updates that let AWS WAF protect other resources may follow.
If you are new to AWS WAF and are not sure what rules you can create, please take a look at our previous posts.