Adding WAF to sit in front of cognito for additional security (#139738)

Enterprise-CMCS · Aug 12, 2024 · d46be29 · d46be29
1 parent 24509fe
commit d46be29
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/services/ui-auth/serverless.yml b/services/ui-auth/serverless.yml
@@ -29,6 +29,7 @@ plugins:
   - serverless-bundle
   - serverless-iam-helper
   - serverless-s3-bucket-helper
+  - "@enterprise-cmcs/serverless-waf-plugin"
 
 s3BucketHelper:
   loggingConfiguration:
@@ -39,6 +40,11 @@ custom:
   project: "carts"
   stage: ${opt:stage, self:provider.stage}
   region: ${opt:region, self:provider.region}
+  wafPlugin:
+    name: ${self:service}-${self:custom.stage}-webacl-waf
+  wafExcludeRules:
+    awsCommon:
+      - "SizeRestrictions_BODY"
   serverlessTerminationProtection:
     stages:
       - main
@@ -115,6 +121,18 @@ resources:
             StringAttributeConstraints:
               MinLength: 0
               MaxLength: 256
+        UserPoolAddOns:
+          AdvancedSecurityMode: ENFORCED
+        UserPoolTags:
+          Name: ${self:custom.stage}-user-pool
+
+    # Associate the WAF Web ACL with the Cognito User Pool
+    CognitoUserPoolWAFAssociation:
+      Type: 'AWS::WAFv2::WebACLAssociation'
+      Properties:
+        ResourceArn: !GetAtt CognitoUserPool.Arn
+        WebACLArn: !GetAtt WafPluginAcl.Arn
+
     CognitoUserPoolClient:
       Type: AWS::Cognito::UserPoolClient
       Properties: