AWS cognito medium security documentation change
Summary
Updated documentation to reflect expanded AWS WAF coverage for managed login endpoints, removed references to classic hosted UI limitations, added guidance about rule conditions matching first requests to authorize endpoint, and updated CAPTCHA error handling references.
Security assessment
The changes clarify security configurations for AWS WAF integration with managed login, addressing potential misconfigurations that could leave endpoints unprotected. Specific security evidence includes guidance about CAPTCHA errors in TOTP MFA flows and expanded WAF coverage to protect managed login endpoints.
Diff
diff --git a/cognito/latest/developerguide/user-pool-waf.md b/cognito/latest/developerguide/user-pool-waf.md index 91cdbd561..c36548c65 100644 --- a//cognito/latest/developerguide/user-pool-waf.md +++ b//cognito/latest/developerguide/user-pool-waf.md @@ -7 +7 @@ Things to know about AWS WAF web ACLs and Amazon CognitoAssociating a web ACL wi -# Associating an AWS WAF web ACL with a user pool +# Associate an AWS WAF web ACL with a user pool @@ -9 +9 @@ Things to know about AWS WAF web ACLs and Amazon CognitoAssociating a web ACL wi -AWS WAF is a web application firewall. With an AWS WAF web access control list (web ACL), you can protect your user pool from unwanted requests to your classic hosted UI and Amazon Cognito API service endpoints. A web ACL gives you fine-grained control over all of the HTTPS web requests that your user pool responds to. For more information about AWS WAF web ACLs, see [Managing and using a web access control list (web ACL)](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html) in the _AWS WAF Developer Guide_. +AWS WAF is a web application firewall. With an AWS WAF web access control list (web ACL), you can protect your user pool from unwanted requests to your classic hosted UI, managed login, and Amazon Cognito API service endpoints. A web ACL gives you fine-grained control over all of the HTTPS web requests that your user pool responds to. For more information about AWS WAF web ACLs, see [Managing and using a web access control list (web ACL)](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html) in the _AWS WAF Developer Guide_. @@ -15,10 +14,0 @@ When you have an AWS WAF web ACL associated with a user pool, Amazon Cognito for - * Currently, web ACL rules only apply to requests to user pool domains with the hosted UI (classic) branding version. When you set `ManagedLoginVersion` to `2`, or your **Branding version** to **Managed login** , Amazon Cognito doesn't enforce rules on your managed login pages. - -To change your branding version to be compatible with AWS WAF web ACLs, do one of the following. This change affects your the appearance and capabilities of your login pages. - - * In a [CreateUserPoolDomain](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolDomain.html) or [UpdateUserPoolDomain](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolDomain.html) API request, set `ManagedLoginVersion` to `1`. - - * From the **Domain** menu of your user pool in the Amazon Cognito console, edit your [prefix or classic domain](./cognito-user-pools-assign-domain.html) and set **Managed login version** to **Hosted UI (classic)**. - -For more information about branding versions, see [User pool managed login](./cognito-user-pools-managed-login.html). - @@ -26,0 +17,2 @@ For more information about branding versions, see [User pool managed login](./co + * The rule conditions in your web ACL must match users' **first** request to managed login. Their first request is typically to the [Authorize endpoint](./authorization-endpoint.html). The authorize endpoint always redirects requests; don't configure URL path matching in your web ACL rules. + @@ -31 +23 @@ For more information about branding versions, see [User pool managed login](./co - * You can associate one web ACL with a user pool. + * You can associate one web ACL with each user pool. @@ -37 +29 @@ For more information about branding versions, see [User pool managed login](./co - * When you have an AWS WAF web ACL associated with a user pool, and a rule in your web ACL presents a CAPTCHA, this can cause an unrecoverable error in classic hosted UI TOTP registration. To create a rule that has a CAPTCHA action and doesn't affect classic hosted UI TOTP, see [Configuring your AWS WAF web ACL for managed login TOTP MFA](./user-pool-settings-mfa-totp.html#totp-waf). + * When you have an AWS WAF web ACL associated with a user pool, and a rule in your web ACL presents a CAPTCHA, this can cause an unrecoverable error in managed login TOTP registration. To create a rule that has a CAPTCHA action and doesn't affect managed login TOTP, see [Configuring your AWS WAF web ACL for managed login TOTP MFA](./user-pool-settings-mfa-totp.html#totp-waf). @@ -44 +36 @@ AWS WAF inspects requests to the following endpoints. -**Classic hosted UI** +**Managed login and the classic hosted UI** @@ -60 +52 @@ Your options to customize the error response depends on the way you make an API - * You can customize the error code and response body of classic hosted UI requests. You can only present a CAPTCHA for your user to solve in the classic hosted UI. + * You can customize the error code and response body of managed login requests. You can only present a CAPTCHA for your user to solve in managed login. @@ -148 +140 @@ When you set a rule action to **Count** in your web ACL, AWS WAF adds the reques -You can also configure AWS WAF to log request headers to an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Data Firehose. You can identify the Amazon Cognito requests that you make with the user pools API by the `x-amzn-cognito-client-id` and `x-amzn-cognito-operation-name`. Hosted UI requests only include the `x-amzn-cognito-client-id` header. For more information, see [Logging web ACL traffic](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the _AWS WAF Developer Guide_. +You can also configure AWS WAF to log request headers to an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Data Firehose. You can identify the Amazon Cognito requests that you make with the user pools API by the `x-amzn-cognito-client-id` and `x-amzn-cognito-operation-name`. Managed login requests only include the `x-amzn-cognito-client-id` header. For more information, see [Logging web ACL traffic](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the _AWS WAF Developer Guide_.