Enable WAF for Cognito
This was last updated with the following packages:
System:
  OS: macOS 14.7
  CPU: (10) arm64 Apple M1 Pro
  Memory: 161.73 MB / 32.00 GB
  Shell: /opt/homebrew/bin/fish
Binaries:
  Node: 22.8.0 - ~/.local/state/fnm_multishells/7548_1730243214662/bin/node
  Yarn: undefined - undefined
  npm: 10.8.2 - ~/.local/state/fnm_multishells/7548_1730243214662/bin/npm
  pnpm: 9.12.2 - ~/.local/state/fnm_multishells/7548_1730243214662/bin/pnpm
NPM Packages:
  @aws-amplify/auth-construct: Not Found
  @aws-amplify/backend: 1.5.2
  @aws-amplify/backend-auth: Not Found
  @aws-amplify/backend-cli: 1.3.0
  @aws-amplify/backend-data: Not Found
  @aws-amplify/backend-deployer: Not Found
  @aws-amplify/backend-function: Not Found
  @aws-amplify/backend-output-schemas: Not Found
  @aws-amplify/backend-output-storage: Not Found
  @aws-amplify/backend-secret: Not Found
  @aws-amplify/backend-storage: Not Found
  @aws-amplify/cli-core: Not Found
  @aws-amplify/client-config: Not Found
  @aws-amplify/deployed-backend-client: Not Found
  @aws-amplify/form-generator: Not Found
  @aws-amplify/model-generator: Not Found
  @aws-amplify/platform-core: Not Found
  @aws-amplify/plugin-types: Not Found
  @aws-amplify/sandbox: Not Found
  @aws-amplify/schema-generator: Not Found
  aws-amplify: 6.7.0
  aws-cdk: 2.164.1
  aws-cdk-lib: 2.164.1
  typescript: 5.6.3
AWS environment variables:
  AWS_PROFILE = josef
  AWS_REGION = us-east-1
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables
Files
import * as wafv2 from "aws-cdk-lib/aws-wafv2"import { Construct } from "constructs"
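/**
 * Construction-time options for {@link AuthWaf}.
 */
export type AuthWafProps = {
  /** ARN of the Cognito user pool the web ACL is associated with. */
  userPoolArn: string
  /**
   * Number of requests a single source IP may make in the rate-based rule's
   * 5-minute window before further requests from it are blocked.
   * Defaults to 2000 (the value the rule previously hard-coded).
   * Must be a positive integer.
   */
  rateLimit?: number
}

/** Default per-IP request budget for the rate-based rule (5-minute window). */
const DEFAULT_RATE_LIMIT = 2000

/**
 * Builds one web ACL rule that delegates to an AWS managed rule group.
 *
 * The group's own block/count verdicts are kept (`overrideAction: none`), and
 * the rule name is reused as the CloudWatch metric name so each group can be
 * monitored separately.
 *
 * @param name - managed rule group name, e.g. `AWSManagedRulesCommonRuleSet`
 * @param priority - evaluation order; lower numbers are evaluated first
 */
function managedRuleGroup(name: string, priority: number): wafv2.CfnWebACL.RuleProperty {
  return {
    name,
    priority,
    overrideAction: { none: {} },
    statement: {
      managedRuleGroupStatement: {
        vendorName: "AWS",
        name,
      },
    },
    visibilityConfig: {
      sampledRequestsEnabled: true,
      cloudWatchMetricsEnabled: true,
      metricName: name,
    },
  }
}

/**
 * Attaches a regional AWS WAFv2 web ACL to a Cognito user pool.
 *
 * The ACL allows by default and layers three AWS managed rule groups
 * (common web exploits, Amazon IP reputation list, known bad inputs) plus a
 * per-IP rate-based block rule. Every rule and the ACL itself emit CloudWatch
 * metrics and sampled requests, so blocked traffic can be reviewed.
 */
export class AuthWaf extends Construct {
  /**
   * @param scope - parent construct
   * @param id - construct id
   * @param props - user pool ARN and optional per-IP rate limit
   * @throws Error if `props.rateLimit` is given and is not a positive integer
   */
  constructor(scope: Construct, id: string, props: AuthWafProps) {
    super(scope, id)

    const rateLimit = props.rateLimit ?? DEFAULT_RATE_LIMIT
    if (!Number.isInteger(rateLimit) || rateLimit <= 0) {
      throw new Error(`AuthWaf: rateLimit must be a positive integer, got ${rateLimit}`)
    }

    const webAcl = new wafv2.CfnWebACL(this, "WebACL", {
      // Cognito user pools are regional resources, so the ACL scope must be REGIONAL (not CLOUDFRONT).
      scope: "REGIONAL",
      // Anything no rule blocks is allowed; the rules below are the only deny paths.
      defaultAction: { allow: {} },
      rules: [
        // Provides protection against common web exploits like SQL injection and cross-site scripting (XSS)
        managedRuleGroup("AWSManagedRulesCommonRuleSet", 1),
        // Blocks requests from known malicious IP addresses
        managedRuleGroup("AWSManagedRulesAmazonIpReputationList", 2),
        // Helps protect against known malicious inputs and invalid patterns that attackers commonly use
        managedRuleGroup("AWSManagedRulesKnownBadInputsRuleSet", 3),
        {
          // Blocks IPs that make more than `rateLimit` requests in 5 minutes, which helps prevent brute force attacks
          name: "RateLimitRule",
          priority: 4,
          action: { block: {} },
          statement: {
            rateBasedStatement: {
              limit: rateLimit,
              // Aggregates on the source IP WAF sees; clients behind a shared NAT
              // share one budget, so keep the limit generous enough for them.
              aggregateKeyType: "IP",
            },
          },
          visibilityConfig: {
            sampledRequestsEnabled: true,
            cloudWatchMetricsEnabled: true,
            metricName: "RateLimit",
          },
        },
      ],
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: "WebACL",
        sampledRequestsEnabled: true,
      },
    })

    // Bind the ACL to the user pool; the ARN comes from the caller so this
    // construct does not need to own the pool.
    new wafv2.CfnWebACLAssociation(this, "WebACLAssociation", {
      resourceArn: props.userPoolArn,
      webAclArn: webAcl.attrArn,
    })
  }
}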