Resolution
----------

To protect your Cognito user pool with AWS WAF, create a web access control list (web ACL), and then associate it with your user pool.

### Configure the Cognito user pool for AWS WAF

1. Open the [Cognito console](https://console.aws.amazon.com/cognito/v2/home).
2. In the navigation pane, choose **User pools**.
3. Select your user pool.
4. Under **Security**, choose **AWS WAF**.
5. Choose **Edit**, and then select **Use AWS WAF with your user pool - Recommended**.
6. Choose **Create web ACL in AWS WAF**.

### Configure the web ACL

1. Open the [AWS WAF console](https://console.aws.amazon.com/wafv2/homev2/web-acls/new), and then enter the following information:  
    For **Resource type**, choose **Regional resources**.  
    Select your user pool's AWS Region.  
    For **Name**, enter a name for your web ACL.  
    For **CloudWatch metric name**, enter a name for the metric.  
    For **Description**, enter an optional description.
2. Under **Associated AWS Resources**, choose **Add AWS resources**.
3. Choose **Amazon Cognito user pool** as the resource type, and then select your user pool.
4. Choose **Add**.
5. (Optional) You can [specify the body inspection size quota](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-setting-body-inspection-limit.html).
6. Choose **Next**.
7. Under **Add rules**, choose the type of rule that you want to apply:  
    For managed rules, choose **Add managed rule groups**, and then select an option, such as the [Amazon IP reputation list managed rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html#aws-managed-rule-groups-ip-rep-amazon).  
    For custom [WAF rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html) and [rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-groups.html), choose **Add my own rules and rule groups**.
8. (Optional) Configure the [default web ACL action](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-default-action.html) and [token domain list](https://docs.aws.amazon.com/waf/latest/developerguide/waf-tokens-domains.html).
9. Choose **Next**.
10. (Optional) If you have more than one rule, then you can [set the priorities of your rules](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-processing-order.html).
11. Choose **Next**.
12. (Optional) On the Configure metrics and sampling page, you can view [Amazon CloudWatch metrics](https://docs.aws.amazon.com/waf/latest/developerguide/waf-metrics.html#waf-metrics-usage) and [a sample of web requests](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-testing-view-sample.html).
13. Choose **Next**.

### Associate the web ACL with your Cognito user pool

1. Review your configuration, and then choose **Create web ACL**.
2. Open the [Cognito console](https://console.aws.amazon.com/cognito/v2/home), and then choose **Refresh** next to **View Web ACL**.
3. Select the WAF web ACL that you created.
4. Choose **Save changes**.

Related information
-------------------

[Associate an AWS WAF web ACL with a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html)

[Protect your Amazon Cognito user pool with AWS WAF](https://aws.amazon.com/jp/blogs/security/protect-your-amazon-cognito-user-pool-with-aws-waf/)

I want to use AWS WAF to protect my Amazon Cognito user pool.

Configure AWS WAF to protect my Amazon Cognito user pool

How do I configure AWS WAF to protect my Amazon Cognito user pool?

Security, Identity, & Compliance

How do I configure AWS WAF to protect my Amazon Cognito user pool?

Resolution

Configure the Cognito user pool for AWS WAF

Configure the web ACL

Associate the web ACL with your Cognito user pool

Related information

Relevant content