H3-2022-0076
Unauthenticated AWS Cognito Role
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 2.6 |
Description
An AWS Cognito identity pool is allowing unauthenticated users to retrieve IAM role credentials.
Impact
Anyone with access to the Cognito Identity Pool ID can generate AWS keys for the Identity Pool's baseline ('unauthenticated') IAM role. An attacker could potentially use these AWS keys to read sensitive information or perform destructive actions, depending on the role's permissions.
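The check below is an added example, not part of the original advisory: it audits an identity pool for guest access and reports which policy statements on the unauthenticated role are broad. It assumes its inputs have the shape of the Cognito `DescribeIdentityPool` and `GetIdentityPoolRoles` responses plus the role's IAM policy documents; the function names and all sample values (pool ID, account, role, bucket) are constructed for illustration.

```python
"""Audit a Cognito identity pool for unauthenticated (guest) role exposure."""

def _as_list(value):
    # IAM policy fields may be a single value or a list.
    return value if isinstance(value, list) else [value]

def risky_statements(policy_doc):
    """Return Allow statements with a wildcard action or a bare '*' resource."""
    risky = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any("*" in a for a in actions) or "*" in resources:
            risky.append(stmt)
    return risky

def audit_pool(pool, pool_roles, role_policies):
    """pool: DescribeIdentityPool response; pool_roles: GetIdentityPoolRoles
    response; role_policies: {role ARN: [policy documents]} gathered from IAM."""
    finding = {"pool_id": pool["IdentityPoolId"], "guest_access": False,
               "unauth_role": None, "risky_statements": []}
    if not pool.get("AllowUnauthenticatedIdentities", False):
        return finding  # guest access disabled: nothing is exposed
    finding["guest_access"] = True
    role = pool_roles.get("Roles", {}).get("unauthenticated")
    finding["unauth_role"] = role
    for doc in role_policies.get(role, []):
        finding["risky_statements"].extend(risky_statements(doc))
    return finding

# Constructed sample data (not taken from any real account).
SAMPLE_POOL = {"IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
               "AllowUnauthenticatedIdentities": True}
UNAUTH_ARN = "arn:aws:iam::111122223333:role/Example_Unauth_Role"
SAMPLE_ROLES = {"Roles": {"unauthenticated": UNAUTH_ARN}}
SAMPLE_POLICIES = {UNAUTH_ARN: [{"Version": "2012-10-17", "Statement": [
    {"Sid": "Scoped", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/public/*"},
    {"Sid": "Broad", "Effect": "Allow", "Action": ["dynamodb:*"],
     "Resource": "*"}]}]}

if __name__ == "__main__":
    print(audit_pool(SAMPLE_POOL, SAMPLE_ROLES, SAMPLE_POLICIES))
```

A finding with `guest_access` set and a non-empty `risky_statements` list marks a pool where either guest access should be disabled or the unauthenticated role narrowed to the specific actions and resources the application needs.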