{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cognito-identity-pools/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cognito Identity Pools"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","cognito","misconfiguration","credential-access","cloud-security"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eAdversaries are targeting misconfigured AWS Cognito Identity Pools to obtain temporary AWS credentials without authentication. This specific threat leverages a design feature intended for legitimate anonymous app access, \u003ccode\u003eAllowUnauthenticatedIdentities\u003c/code\u003e, which, when combined with an overpermissioned unauthenticated IAM role, creates a significant security vulnerability. Attackers discover Cognito Identity Pool IDs, often exposed in public resources like mobile app binaries or web application JavaScript, and then programmatically request guest identities and subsequent temporary AWS credentials using API calls such as \u003ccode\u003eGetId\u003c/code\u003e and \u003ccode\u003eGetCredentialsForIdentity\u003c/code\u003e. If successful, these credentials grant unauthorized access to AWS resources, bypassing standard authentication mechanisms. This misconfiguration is critical because it provides a public, unauthenticated pathway to real AWS credentials, allowing adversaries to access sensitive data or manipulate cloud infrastructure. This Elastic detection rule focuses on identifying the initial issuance of such unauthenticated credentials from a previously unobserved Cognito Identity Pool, flagging potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance \u0026amp; Discovery\u003c/strong\u003e: An adversary identifies a target AWS Cognito Identity Pool ID. This ID is often exposed in publicly accessible client-side code, such as mobile application binaries, web application JavaScript files, or inadvertently committed to public source code repositories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Guest Identity Acquisition\u003c/strong\u003e: The adversary makes an unauthenticated API call to \u003ccode\u003ecognito-identity.amazonaws.com\u003c/code\u003e's \u003ccode\u003eGetId\u003c/code\u003e endpoint, passing the discovered Identity Pool ID to obtain a unique guest identity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTemporary Credential Request\u003c/strong\u003e: With the guest identity in hand, the adversary then makes a subsequent unauthenticated API call to the \u003ccode\u003eGetCredentialsForIdentity\u003c/code\u003e endpoint, providing the guest identity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Issuance\u003c/strong\u003e: If the Cognito Identity Pool is configured with \u003ccode\u003eAllowUnauthenticatedIdentities\u003c/code\u003e enabled and has an associated unauthenticated IAM role, the AWS service successfully issues temporary AWS access keys, secret keys, and a session token to the adversary.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAWS API Access\u003c/strong\u003e: The adversary uses these newly acquired temporary AWS credentials to authenticate and make further API calls to other AWS services, such as S3, EC2, or IAM.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation / Data Exfiltration\u003c/strong\u003e: Depending on the permissions granted to the Cognito Identity Pool's unauthenticated IAM role, the adversary may gain unauthorized access to sensitive data (e.g., S3 buckets), manipulate cloud resources (e.g., launch EC2 instances), or even attempt further privilege escalation within the AWS environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: This unauthenticated access can lead to data exfiltration, service disruption, resource hijacking, or the establishment of persistent backdoors, ultimately compromising the confidentiality, integrity, or availability of the AWS cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of a misconfigured AWS Cognito Identity Pool can lead to severe consequences. Attackers gain unauthorized and unauthenticated access to AWS resources, potentially enabling data exfiltration from storage services like S3, unauthorized modifications to cloud infrastructure, or the deployment of malicious resources. The impact is particularly high when the unauthenticated IAM role is excessively permissive, allowing broad control over the AWS account. This misconfiguration creates a direct, public pathway for adversaries to obtain legitimate AWS credentials, bypassing traditional authentication and authorization controls, and placing the entire affected AWS environment at risk of compromise, including financial impact from resource abuse or regulatory penalties from data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail data events for \u003ccode\u003eAWS::Cognito::IdentityPool\u003c/code\u003e resources, specifically capturing \u003ccode\u003eGetCredentialsForIdentity\u003c/code\u003e, \u003ccode\u003eGetId\u003c/code\u003e, \u003ccode\u003eGetOpenIdToken\u003c/code\u003e, \u003ccode\u003eGetOpenIdTokenForDeveloperIdentity\u003c/code\u003e, and \u003ccode\u003eUnlinkIdentity\u003c/code\u003e actions.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026quot;Detect AWS Cognito Unauthenticated Identity Pool Credentials Issued\u0026quot; Sigma rule to your SIEM to alert on the initial occurrence of unauthenticated credential issuance.\u003c/li\u003e\n\u003cli\u003eReview the IAM policies attached to unauthenticated roles of all Cognito Identity Pools; ensure they adhere to the principle of least privilege, granting only the absolute minimum permissions required for legitimate anonymous use.\u003c/li\u003e\n\u003cli\u003eIf unauthenticated access is not required for an Identity Pool, immediately disable the \u003ccode\u003eAllowUnauthenticatedIdentities\u003c/code\u003e setting within its configuration.\u003c/li\u003e\n\u003cli\u003eFor any alerts from the Sigma rule, investigate the \u003ccode\u003esource.ip\u003c/code\u003e, \u003ccode\u003euser_agent.original\u003c/code\u003e, and \u003ccode\u003esource.geo\u003c/code\u003e fields in CloudTrail logs to determine the origin of the \u003ccode\u003eGetCredentialsForIdentity\u003c/code\u003e call and search for subsequent API calls made with the obtained credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T08:29:50Z","date_published":"2026-07-17T08:29:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-cognito-unauth-creds/","summary":"This threat involves adversaries obtaining temporary AWS credentials from a misconfigured Cognito Identity Pool without authentication. If a Cognito Identity Pool is set to allow unauthenticated (guest) access and its associated unauthenticated IAM role has overly broad permissions, attackers can discover the pool ID, call `GetId`, and then `GetCredentialsForIdentity` to acquire AWS credentials. This grants them unauthorized access to AWS resources and sensitive data, bypassing typical authentication mechanisms.","title":"AWS Cognito Unauthenticated Identity Pool Credentials Issued","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-cognito-unauth-creds/"}],"language":"en","title":"CraftedSignal Threat Feed - Cognito Identity Pools","version":"https://jsonfeed.org/version/1.1"}