Hi,
The Cognito domain is public, and it is not currently possible to make it private or inaccessible from the internet. This domain is created to host the OAuth2 endpoints and the Cognito hosted UI for your public-facing web and mobile applications, to allow users to sign up and sign in.
This is a common ask from customers. It's important to explain that the AWS-managed CloudFront distribution that provides custom domains to Cognito user pools adds no security from a layer 7 perspective - it makes no difference to your security posture whether a user is able to access your user pool via 'custom.example.com' (via CloudFront) or '<Your domain name>.auth.us-west-2.amazoncognito.com' (direct to the Cognito service endpoint). CloudFront exists in your architecture purely to present the SSL/TLS certificate for your vanity domain, e.g. 'custom.example.com', to the client, rather than the SSL/TLS certificate of the Amazon-owned sub-domain of 'amazoncognito.com'.
What is relevant to your security posture is to have an AWS WAF WebACL associated with your Cognito endpoint, and to have that WebACL configured with rate-based rules, as discussed in Protect your Amazon Cognito user pool with AWS WAF, as well as IP reputation groups and the anti-DDoS layer 7 AMR.
In addition, you can create an allow-list rule using an IPSet 'trusted_ips' that contains your corporate egress IPs or another trusted list, and then create a rule: if the request does NOT originate from IPSet 'trusted_ips', action 'BLOCK'.
It's a mistake to think that you can't use WAF rules based on client IP due to the presence of CloudFront, as Cognito performs client IP 'magic' to ensure that WAF at the Cognito endpoint is presented, in the 'clientIP' field, with the IP of the client connecting to the CloudFront distribution.
If your endpoint is not acting as a federated IdP, you can perform some basic checks in WAF to see whether the request has come from CloudFront, like the presence of the 'x-amz-cf-id' header - while this is easily bypassed by a bad actor, it prevents 'accidental' use of the non-vanity domain.
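The WebACL described in this answer (allow-list BLOCK rule on an IPSet 'trusted_ips', a rate-based rule, the AWS IP reputation managed rule group, and the x-amz-cf-id header check), expressed as wafv2 API structures. This is an added example and not code from the thread or from AWS; the user pool ARN, the IPSet ARN and the trusted IP ranges are constructed placeholders, the rate limit of 500 is an arbitrary choice, and `deploy()` assumes boto3 and valid credentials and is only run when called explicitly.

```python
"""Build (and optionally deploy) an AWS WAF WebACL for a Cognito user pool.

Added example: rule shapes follow the wafv2 API (CreateIPSet / CreateWebACL /
AssociateWebACL). All ARNs and IP ranges below are constructed placeholders.
WAF for Cognito uses Scope "REGIONAL" in the user pool's region.
"""
import json

# Constructed sample values (TEST-NET ranges; replace with your corporate egress IPs).
TRUSTED_IPS = ["203.0.113.0/24", "198.51.100.10/32"]
# Placeholder user pool ARN; not a real pool.
USER_POOL_ARN = "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_PLACEHOLDER"


def _visibility(metric_name):
    """Per-rule metrics so blocks show up in CloudWatch and sampled requests."""
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def ip_allow_list_rule(priority, ip_set_arn):
    """BLOCK when the client IP is NOT in the trusted IPSet (the answer's allow-list rule).
    Cognito presents the original client IP in 'clientIP', so no ForwardedIPConfig is needed."""
    return {
        "Name": "block-outside-trusted-ips",
        "Priority": priority,
        "Statement": {"NotStatement": {"Statement": {
            "IPSetReferenceStatement": {"ARN": ip_set_arn}}}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("BlockOutsideTrustedIps"),
    }


def require_cloudfront_header_rule(priority):
    """BLOCK requests with no x-amz-cf-id header, i.e. requests that hit the
    amazoncognito.com endpoint without passing through the custom-domain CloudFront
    distribution. As the answer says, the header is forgeable; this stops accidental use only.
    A SizeConstraint GT 0 matches only when the header is present, so NOT(...) blocks its absence."""
    return {
        "Name": "require-cloudfront-header",
        "Priority": priority,
        "Statement": {"NotStatement": {"Statement": {"SizeConstraintStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": "x-amz-cf-id"}},
            "ComparisonOperator": "GT",
            "Size": 0,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }}}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("RequireCloudFrontHeader"),
    }


def rate_limit_rule(priority, limit=500):
    """BLOCK a source IP that exceeds `limit` requests in WAF's 5-minute window."""
    return {
        "Name": "rate-limit-per-ip",
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("RateLimitPerIp"),
    }


def ip_reputation_rule(priority):
    """AWS-managed IP reputation list; managed groups take OverrideAction, not Action."""
    return {
        "Name": "aws-ip-reputation",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesAmazonIpReputationList"}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility("AwsIpReputation"),
    }


def build_web_acl(ip_set_arn, require_cloudfront_header=True):
    """Assemble the CreateWebACL request. Default action is Allow; the rules do the blocking.
    Skip the header rule when the pool acts as a federated IdP, as the answer advises."""
    rules = [ip_allow_list_rule(0, ip_set_arn)]
    if require_cloudfront_header:
        rules.append(require_cloudfront_header_rule(1))
    rules.append(rate_limit_rule(2))
    rules.append(ip_reputation_rule(3))
    return {
        "Name": "cognito-user-pool-acl",
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": _visibility("CognitoUserPoolAcl"),
    }


def validate_web_acl(acl):
    """Pre-deploy checks: unique names and priorities, and exactly one of
    Action / OverrideAction per rule (the API rejects both or neither)."""
    names = [r["Name"] for r in acl["Rules"]]
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(set(names)) != len(names) or len(set(priorities)) != len(priorities):
        raise ValueError("rule names and priorities must be unique")
    for r in acl["Rules"]:
        if ("Action" in r) == ("OverrideAction" in r):
            raise ValueError(f"rule {r['Name']} needs exactly one of Action/OverrideAction")
    return True


def deploy(region="us-west-2"):
    """Create the IPSet and WebACL and associate it with the user pool.
    Assumption: boto3 is installed and credentials are configured. Not run on import."""
    import boto3
    waf = boto3.client("wafv2", region_name=region)
    ip_set = waf.create_ip_set(Name="trusted_ips", Scope="REGIONAL",
                               IPAddressVersion="IPV4", Addresses=TRUSTED_IPS)
    acl = build_web_acl(ip_set["Summary"]["ARN"])
    validate_web_acl(acl)
    created = waf.create_web_acl(**acl)
    waf.associate_web_acl(WebACLArn=created["Summary"]["ARN"], ResourceArn=USER_POOL_ARN)
    return created["Summary"]["ARN"]


if __name__ == "__main__":
    placeholder = "arn:aws:wafv2:us-west-2:123456789012:regional/ipset/trusted_ips/PLACEHOLDER"
    print(json.dumps(build_web_acl(placeholder), indent=2))
```

Running the module prints the WebACL request body for review; `deploy()` is the only function that touches AWS. Because the allow-list rule sits at priority 0 and BLOCKs everything outside the IPSet, test it with a non-production pool first: a mistake in 'trusted_ips' locks every user out of sign-in.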
Hi,
Here you do not need to manage roles at all; it's about how to personalize the private UI hosting, and here you have all the details you may need: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html
Best,