
Ensure that Amazon Cognito User Pool is associated with a WAF Web ACL

Overview

This check validates that your Amazon Cognito User Pools are protected by an AWS WAF (Web Application Firewall) Web ACL. A Web ACL acts as a security layer that filters and monitors incoming traffic to your Cognito hosted UI and public API endpoints.

Risk

Without WAF protection, your Cognito User Pool is exposed to common web attacks including:

  • Credential stuffing - Attackers trying stolen username/password combinations
  • Bot abuse - Automated attacks that can overwhelm your authentication endpoints
  • Account enumeration - Probing to discover valid user accounts
  • Malicious requests - Attempts to exploit vulnerabilities in request handling

These threats can compromise user data, degrade service availability, and undermine the security of your authentication system.

Severity: Medium

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to modify Cognito User Pools and WAF
  • An existing WAF Web ACL (regional, not CloudFront/global) or permissions to create one

Required IAM permissions

Your IAM user or role needs these permissions:

  • cognito-idp:DescribeUserPool
  • cognito-idp:UpdateUserPool
  • wafv2:AssociateWebACL
  • wafv2:GetWebACL
  • wafv2:GetWebACLForResource
  • wafv2:ListWebACLs

If creating a new Web ACL:

  • wafv2:CreateWebACL
  • wafv2:CreateRule

AWS Console Method

  1. Open the Amazon Cognito console at https://console.aws.amazon.com/cognito
  2. Select "User Pools" from the left navigation
  3. Click on the User Pool you want to protect
  4. Go to the "App integration" tab
  5. Scroll down to the "AWS WAF" section and click Edit
  6. Enable WAF integration:
    • Toggle "Enable AWS WAF" to On
    • Select an existing regional Web ACL from the dropdown
    • If you don't have a Web ACL, you'll need to create one first (see below)
  7. Click "Save changes"

Creating a Web ACL if you don't have one

  1. Open the AWS WAF console at https://console.aws.amazon.com/wafv2
  2. In the left navigation, select Web ACLs
  3. Make sure you're in the correct region (same as your Cognito User Pool)
  4. Click Create web ACL
  5. Configure the Web ACL:
    • Name: Enter a descriptive name (e.g., cognito-protection-acl)
    • Resource type: Select Regional resources
    • Region: Select the region where your Cognito User Pool exists
  6. Click Next and add rules (recommended):
    • AWS Managed Rules: Add AWSManagedRulesCommonRuleSet for general protection
    • Rate-based rule: Add rate limiting to prevent abuse (e.g., 2000 requests per 5 minutes per IP)
  7. Complete the wizard and create the Web ACL
  8. Return to the Cognito console to associate it

AWS CLI

Step 1: Get your User Pool ARN

aws cognito-idp describe-user-pool \
    --user-pool-id <your-user-pool-id> \
    --region us-east-1 \
    --query 'UserPool.Arn' \
    --output text

Step 2: List available Web ACLs

aws wafv2 list-web-acls \
    --scope REGIONAL \
    --region us-east-1 \
    --query 'WebACLs[*].[Name,ARN]' \
    --output table

Step 3: Associate the Web ACL with your User Pool

aws wafv2 associate-web-acl \
    --web-acl-arn <your-web-acl-arn> \
    --resource-arn <your-cognito-user-pool-arn> \
    --region us-east-1

Example with sample ARNs (the account ID and resource IDs are placeholders):

aws wafv2 associate-web-acl \
    --web-acl-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-web-acl/a1b2c3d4 \
    --resource-arn arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_ABC123xyz \
    --region us-east-1

CloudFormation

This template creates a Web ACL association between an existing WAF Web ACL and a Cognito User Pool.

AWSTemplateFormatVersion: '2010-09-09'
Description: Associate WAF Web ACL with Cognito User Pool

Parameters:
  CognitoUserPoolArn:
    Type: String
    Description: ARN of the Cognito User Pool to protect
  WebACLArn:
    Type: String
    Description: ARN of the WAF Web ACL to associate

Resources:
  CognitoWAFAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref CognitoUserPoolArn
      WebACLArn: !Ref WebACLArn

Outputs:
  AssociationId:
    Description: The ID of the WAF Web ACL association
    Value: !Ref CognitoWAFAssociation

Deploy the template:

aws cloudformation deploy \
    --template-file cognito-waf-association.yaml \
    --stack-name cognito-waf-protection \
    --parameter-overrides \
        CognitoUserPoolArn=arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_ABC123xyz \
        WebACLArn=arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-web-acl/a1b2c3d4 \
    --region us-east-1

Terraform

variable "cognito_user_pool_arn" {
  description = "ARN of the Cognito User Pool to protect"
  type        = string
}

variable "web_acl_arn" {
  description = "ARN of the WAF Web ACL to associate"
  type        = string
}

resource "aws_wafv2_web_acl_association" "cognito_waf" {
  resource_arn = var.cognito_user_pool_arn
  web_acl_arn  = var.web_acl_arn
}

output "association_id" {
  description = "The ID of the WAF Web ACL association"
  value       = aws_wafv2_web_acl_association.cognito_waf.id
}

Example usage:

module "cognito_waf_protection" {
  source = "./modules/cognito-waf"

  cognito_user_pool_arn = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_ABC123xyz"
  web_acl_arn           = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-web-acl/a1b2c3d4"
}

Verification

To confirm the WAF Web ACL is properly associated:

  1. In the AWS Console:

    • Go to Cognito > User Pools > select your pool
    • Navigate to "App integration" tab
    • Check the "AWS WAF" section shows your Web ACL name
  2. The check should pass when you run Prowler again:

    prowler aws --check cognito_user_pool_waf_acl_attached

CLI verification

aws wafv2 get-web-acl-for-resource \
    --resource-arn <your-cognito-user-pool-arn> \
    --region us-east-1

If a Web ACL is associated, you'll see the Web ACL details. If not, the response will be empty or show null for the WebACL field.
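The same verification, as an added Python example that is not part of this page or of Prowler's own check code. The pure functions reproduce the decision the check makes from a GetWebACLForResource reply (no WebACL field means unprotected) and pre-validate a Web ACL ARN against the regional requirement from the Notes (WAFv2, REGIONAL scope, same region and account as the pool), so a wrong ARN is caught before associate-web-acl is ever called. Function names, the sample responses and the sample ARNs reused from this page are constructed for the example; only check_live talks to AWS and it assumes boto3 and credentials.

```python
"""Offline check logic for Cognito User Pool <-> WAF Web ACL association (added example)."""
from __future__ import annotations

import sys
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its six colon-separated fields; reject anything else."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def web_acl_problems(user_pool_arn: str, web_acl_arn: str) -> list[str]:
    """Reasons this Web ACL cannot protect this user pool (empty list means compatible).

    Encodes the page's notes: the ACL must be a WAFv2 REGIONAL ACL (not the
    CloudFront/global scope) in the same region and account as the pool.
    """
    pool = parse_arn(user_pool_arn)
    acl = parse_arn(web_acl_arn)
    problems: list[str] = []
    if pool.service != "cognito-idp" or not pool.resource.startswith("userpool/"):
        problems.append("resource is not a Cognito User Pool ARN")
    if acl.service != "wafv2":
        problems.append("Web ACL ARN is not a WAFv2 ARN")
    scope = acl.resource.split("/", 1)[0]  # "regional" or "global"
    if scope != "regional":
        problems.append(f"Web ACL scope is {scope!r}; Cognito requires a REGIONAL Web ACL")
    if acl.region != pool.region:
        problems.append(f"Web ACL region {acl.region} differs from user pool region {pool.region}")
    if acl.account != pool.account:
        problems.append("Web ACL and user pool belong to different accounts")
    return problems


def evaluate_association(user_pool_arn: str, response: Optional[dict[str, Any]]) -> tuple[str, str]:
    """Map a GetWebACLForResource reply to a (status, message) pair.

    With nothing associated the reply carries no WebACL key (the CLI prints
    nothing); that is the FAIL case the check reports.
    """
    web_acl = (response or {}).get("WebACL")
    if not web_acl:
        return "FAIL", f"{user_pool_arn} has no WAF Web ACL associated"
    problems = web_acl_problems(user_pool_arn, web_acl["ARN"])
    if problems:
        return "FAIL", f"{user_pool_arn} has an unsuitable Web ACL: " + "; ".join(problems)
    return "PASS", f"{user_pool_arn} is protected by Web ACL {web_acl['Name']}"


def check_live(user_pool_arn: str) -> tuple[str, str]:
    """Query AWS for one pool (assumes boto3 and credentials; not exercised offline)."""
    import boto3  # lazy import so the pure helpers above work without boto3 installed

    client = boto3.client("wafv2", region_name=parse_arn(user_pool_arn).region)
    return evaluate_association(user_pool_arn, client.get_web_acl_for_resource(ResourceArn=user_pool_arn))


# Constructed sample data, reusing the placeholder ARNs shown on this page.
SAMPLE_POOL_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_ABC123xyz"
SAMPLE_REGIONAL_ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-web-acl/a1b2c3d4"
SAMPLE_ASSOCIATED_RESPONSE = {"WebACL": {"Name": "my-web-acl", "Id": "a1b2c3d4", "ARN": SAMPLE_REGIONAL_ACL_ARN}}
SAMPLE_UNPROTECTED_RESPONSE: dict[str, Any] = {}  # shape of the reply when nothing is associated


if __name__ == "__main__":
    if len(sys.argv) == 2:
        status, message = check_live(sys.argv[1])  # pass a real user pool ARN
    else:
        status, message = evaluate_association(SAMPLE_POOL_ARN, SAMPLE_ASSOCIATED_RESPONSE)
    print(status, message)
    sys.exit(0 if status == "PASS" else 1)
```

Run it with no arguments to exercise the constructed samples, or with a user pool ARN to query the live account; a non-zero exit on FAIL makes it easy to drop into a CI gate next to the Terraform or CloudFormation deploy above.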

Additional Resources

Notes

  • Regional requirement: The Web ACL must be a regional resource (not CloudFront/global) and in the same AWS region as your Cognito User Pool.
  • Propagation delay: After associating a Web ACL, changes may take a few seconds to a few minutes to fully propagate.
  • Cost consideration: AWS WAF charges per Web ACL and per million requests inspected. Review AWS WAF pricing before implementation.
  • Rule compatibility: Some WAF rules may not be compatible with Cognito endpoints. Test your configuration to ensure legitimate authentication requests aren't blocked.
  • Recommended rules: Consider using AWS Managed Rules like AWSManagedRulesCommonRuleSet and AWSManagedRulesBotControlRuleSet for baseline protection.