Profile Applicability:

  • Level 1

Description:

Amazon Cognito is a managed service that provides user authentication, authorization, and user management for web and mobile applications. AWS WAF (Web Application Firewall) is a service that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. This SOP ensures that Amazon Cognito User Pools are protected by an AWS WAF Web ACL, which helps prevent malicious traffic and attacks, such as SQL injection and cross-site scripting (XSS), from reaching your Cognito authentication endpoints.

Rationale:

  • Security: Associating a WAF Web ACL with Cognito User Pools adds an additional layer of protection against malicious traffic and attacks, ensuring that only legitimate users can access authentication services.

  • Compliance: Many compliance frameworks (such as PCI DSS, SOC 2, and HIPAA) require web application security controls like WAF to protect sensitive user data, including authentication credentials.

  • Traffic Control: WAF allows fine-grained control over the types of traffic that can reach the Cognito User Pools, helping reduce the risk of attacks.

Impact:

Pros:

  • Enhanced Protection: Adds an additional security layer, protecting the authentication flow from common web application attacks.

  • Scalability: AWS WAF can scale automatically to handle large volumes of traffic without needing manual intervention.

  • Compliance: Helps meet regulatory requirements for securing web applications.

Cons:

  • Configuration Overhead: Associating Cognito User Pools with a WAF Web ACL requires proper configuration and ongoing management of WAF rules.

  • Performance Impact: Some performance overhead may be introduced due to the WAF inspection of incoming requests, although this is usually minimal.

Default Value:

By default, Amazon Cognito does not have WAF Web ACL associations. You must manually configure and associate a Web ACL with your Cognito User Pool.

Pre-requisite:

  • AWS IAM Permissions (Cognito User Pools are protected through AWS WAF (WAFv2), so both the wafv2 and the corresponding cognito-idp actions are needed):

    • wafv2:AssociateWebACL

    • wafv2:DisassociateWebACL

    • wafv2:GetWebACLForResource

    • cognito-idp:DescribeUserPool

    • cognito-idp:AssociateWebACL

    • cognito-idp:DisassociateWebACL

    • cognito-idp:GetWebACLForResource

  • AWS WAF already configured with a Web ACL (a WAFv2 Web ACL with REGIONAL scope, created in the same Region as the User Pool).

  • AWS CLI installed and configured.

  • Ensure the Cognito User Pool is set up and available.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. In the Cognito Dashboard, select the User Pool you want to check.

  4. In the User Pool Settings, ensure there is an associated Web ACL listed under Security or Access Control.

  5. Verify that the WAF Web ACL is active and correctly configured to protect the User Pool authentication endpoints.

    • If no Web ACL is associated, follow the steps below to associate one.

Using AWS CLI:

  1. To show the Web ACL associated with the Cognito User Pool, run (the User Pool ARN is returned as UserPool.Arn by describe-user-pool):

    aws wafv2 get-web-acl-for-resource --resource-arn <user-pool-arn> --region <region>

  2. If no Web ACL is listed, use the following to associate a Web ACL with the Cognito User Pool:

    aws wafv2 associate-web-acl --web-acl-arn <web-acl-arn> --resource-arn <user-pool-arn> --region <region>

  3. Verify that the Web ACL is associated:

    aws wafv2 get-web-acl-for-resource --resource-arn <user-pool-arn> --region <region>

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Cognito.

  2. In the Cognito Dashboard, select the User Pool you want to configure.

  3. Navigate to User Pool Settings > Security or Access Control.

  4. Under Web Application Firewall (WAF), ensure that the Web ACL is associated.

    • If it’s not, select Associate Web ACL and choose an existing WAF Web ACL.

  5. Save changes and verify that the WAF Web ACL is correctly applied to the Cognito User Pool.

Using AWS CLI:

  1. To associate the Web ACL with the Cognito User Pool, use the following command:

    aws wafv2 associate-web-acl --web-acl-arn <web-acl-arn> --resource-arn <user-pool-arn> --region <region>

  2. After associating, verify the Web ACL by running:

    aws wafv2 get-web-acl-for-resource --resource-arn <user-pool-arn> --region <region>
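The following script is an added example and is not part of the original SOP. It wraps the Test Plan check and the Implementation step above: it builds the User Pool ARN that the wafv2 commands expect, interprets the response of aws wafv2 get-web-acl-for-resource as COMPLIANT or NON-COMPLIANT, and prints the associate-web-acl command to run when no Web ACL is found. The sample JSON responses embedded at the bottom are constructed to mirror the shape of the CLI output so the script runs offline; the live check_user_pool function assumes AWS CLI v2 with credentials that allow wafv2:GetWebACLForResource and is deliberately not called at top level.

```sh
#!/bin/sh
# Added example (not part of the original SOP): audit a Cognito User Pool for a
# WAFv2 Web ACL association and print the remediation command when it is missing.
# Assumption: AWS CLI v2 with wafv2:GetWebACLForResource for the live check.
set -eu

# Build the User Pool ARN that the wafv2 --resource-arn parameter expects.
user_pool_arn() {
  region="$1"; account="$2"; pool_id="$3"
  printf 'arn:aws:cognito-idp:%s:%s:userpool/%s' "$region" "$account" "$pool_id"
}

# Return 0 (compliant) when a get-web-acl-for-resource response contains a
# WebACL object; an unprotected pool yields an empty response or one without it.
web_acl_associated() {
  printf '%s' "$1" | grep -q '"WebACL"'
}

# Extract the ARN of the associated Web ACL from that response (first "ARN" key).
associated_web_acl_arn() {
  printf '%s\n' "$1" | sed -n 's/.*"ARN": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Compose the remediation command for a non-compliant pool (printed, not run).
remediation_command() {
  printf 'aws wafv2 associate-web-acl --web-acl-arn %s --resource-arn %s --region %s' \
    "$1" "$2" "$3"
}

# Live check against AWS: reports COMPLIANT or NON-COMPLIANT for one pool and
# returns 1 when remediation is needed. Needs credentials; not called below.
check_user_pool() {
  region="$1"; account="$2"; pool_id="$3"; web_acl_arn="$4"
  arn=$(user_pool_arn "$region" "$account" "$pool_id")
  json=$(aws wafv2 get-web-acl-for-resource --resource-arn "$arn" \
           --region "$region" --output json 2>/dev/null || true)
  if web_acl_associated "$json"; then
    echo "COMPLIANT: $pool_id protected by $(associated_web_acl_arn "$json")"
  else
    echo "NON-COMPLIANT: $pool_id has no Web ACL. Remediate with:"
    echo "  $(remediation_command "$web_acl_arn" "$arn" "$region")"
    return 1
  fi
}

# Constructed sample responses (not real AWS output) for an offline run.
SAMPLE_ASSOCIATED='{
    "WebACL": {
        "Name": "cognito-protection",
        "Id": "00000000-0000-0000-0000-000000000000",
        "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/cognito-protection/00000000-0000-0000-0000-000000000000"
    }
}'
SAMPLE_UNASSOCIATED=''

# Constructed account id, pool id and Web ACL ARN used only for the demonstration.
POOL_ARN=$(user_pool_arn us-east-1 123456789012 us-east-1_ExAmPlE1)
PLACEHOLDER_ACL_ARN='arn:aws:wafv2:us-east-1:123456789012:regional/webacl/PLACEHOLDER/00000000-0000-0000-0000-000000000000'

if web_acl_associated "$SAMPLE_ASSOCIATED"; then
  echo "sample 1: COMPLIANT ($(associated_web_acl_arn "$SAMPLE_ASSOCIATED"))"
fi
if ! web_acl_associated "$SAMPLE_UNASSOCIATED"; then
  echo "sample 2: NON-COMPLIANT. Remediate with:"
  echo "  $(remediation_command "$PLACEHOLDER_ACL_ARN" "$POOL_ARN" us-east-1)"
fi
```

To audit a real pool, source the script and call check_user_pool with the Region, account id, User Pool id and the ARN of the Web ACL you intend to associate; the function only reads the association and prints the remediation command rather than applying it, so the change itself still goes through the Implementation Steps above.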

Backout Plan:

Using AWS Console:

  1. If the association of Web ACL with the User Pool causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito and select the User Pool.

  3. Under the App Client Settings, go to the Web ACL Association section and remove the association.

  4. Save the changes.

Using AWS CLI:

  1. To disassociate the Web ACL from the User Pool, run the following command:

    aws wafv2 disassociate-web-acl --resource-arn <USER_POOL_ARN> --region <REGION>

  2. Verify that the Web ACL has been disassociated by querying the User Pool's Web ACL association again (an empty response means no Web ACL is attached):

    aws wafv2 get-web-acl-for-resource --resource-arn <USER_POOL_ARN> --region <REGION>

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                              | IG1 | IG2 | IG3
--------|------------|----------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                             |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.  |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                         |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                  |     |     |