AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-08-13 · Documentation medium

File: cognito/latest/developerguide/user-pool-waf.md

Summary

Updated documentation about AWS WAF web ACL rule behavior for login pages

Security assessment

Clarifies security configuration details for WAF integration but doesn't indicate remediation of a specific security issue

Diff

diff --git a/cognito/latest/developerguide/user-pool-waf.md b/cognito/latest/developerguide/user-pool-waf.md
index 8f1c56c5c..d19ec77d1 100644
--- a//cognito/latest/developerguide/user-pool-waf.md
+++ b//cognito/latest/developerguide/user-pool-waf.md
@@ -23 +23 @@ When you have an AWS WAF web ACL associated with a user pool, Amazon Cognito for
-  * The rule conditions in your web ACL must match users' **first** request to managed login. Their first request is typically to the [Authorize endpoint](./authorization-endpoint.html). The authorize endpoint always redirects requests; don't configure URL path matching in your web ACL rules.
+  * Web ACL rule conditions can only return custom block responses to users' **first** request to a user-interactive managed login page. When subsequent connections match a custom block response condition, they return your custom status code, header, and redirect responses, but a default block message.