<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cognito Identity Pools - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/cognito-identity-pools/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 08:29:50 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/cognito-identity-pools/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS Cognito Unauthenticated Identity Pool Credentials Issued</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-cognito-unauth-creds/</link><pubDate>Fri, 17 Jul 2026 08:29:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-cognito-unauth-creds/</guid><description>This threat involves adversaries obtaining temporary AWS credentials from a misconfigured Cognito Identity Pool without authentication. If a Cognito Identity Pool is set to allow unauthenticated (guest) access and its associated unauthenticated IAM role has overly broad permissions, attackers can discover the pool ID, call `GetId`, and then `GetCredentialsForIdentity` to acquire AWS credentials. This grants them unauthorized access to AWS resources and sensitive data, bypassing typical authentication mechanisms.</description><content:encoded><![CDATA[<p>Adversaries are targeting misconfigured AWS Cognito Identity Pools to obtain temporary AWS credentials without authentication. This specific threat leverages a design feature intended for legitimate anonymous app access, <code>AllowUnauthenticatedIdentities</code>, which, when combined with an overpermissioned unauthenticated IAM role, creates a significant security vulnerability. Attackers discover Cognito Identity Pool IDs, often exposed in public resources like mobile app binaries or web application JavaScript, and then programmatically request guest identities and subsequent temporary AWS credentials using API calls such as <code>GetId</code> and <code>GetCredentialsForIdentity</code>. If successful, these credentials grant unauthorized access to AWS resources, bypassing standard authentication mechanisms. This misconfiguration is critical because it provides a public, unauthenticated pathway to real AWS credentials, allowing adversaries to access sensitive data or manipulate cloud infrastructure. This Elastic detection rule focuses on identifying the initial issuance of such unauthenticated credentials from a previously unobserved Cognito Identity Pool, flagging potential exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance &amp; Discovery</strong>: An adversary identifies a target AWS Cognito Identity Pool ID. This ID is often exposed in publicly accessible client-side code, such as mobile application binaries, web application JavaScript files, or inadvertently committed to public source code repositories.</li>
<li><strong>Initial Guest Identity Acquisition</strong>: The adversary makes an unauthenticated API call to <code>cognito-identity.amazonaws.com</code>'s <code>GetId</code> endpoint, passing the discovered Identity Pool ID to obtain a unique guest identity.</li>
<li><strong>Temporary Credential Request</strong>: With the guest identity in hand, the adversary then makes a subsequent unauthenticated API call to the <code>GetCredentialsForIdentity</code> endpoint, providing the guest identity.</li>
<li><strong>Credential Issuance</strong>: If the Cognito Identity Pool is configured with <code>AllowUnauthenticatedIdentities</code> enabled and has an associated unauthenticated IAM role, the AWS service successfully issues temporary AWS access keys, secret keys, and a session token to the adversary.</li>
<li><strong>AWS API Access</strong>: The adversary uses these newly acquired temporary AWS credentials to authenticate and make further API calls to other AWS services, such as S3, EC2, or IAM.</li>
<li><strong>Privilege Escalation / Data Exfiltration</strong>: Depending on the permissions granted to the Cognito Identity Pool's unauthenticated IAM role, the adversary may gain unauthorized access to sensitive data (e.g., S3 buckets), manipulate cloud resources (e.g., launch EC2 instances), or even attempt further privilege escalation within the AWS environment.</li>
<li><strong>Impact</strong>: This unauthenticated access can lead to data exfiltration, service disruption, resource hijacking, or the establishment of persistent backdoors, ultimately compromising the confidentiality, integrity, or availability of the AWS cloud environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of a misconfigured AWS Cognito Identity Pool can lead to severe consequences. Attackers gain unauthorized and unauthenticated access to AWS resources, potentially enabling data exfiltration from storage services like S3, unauthorized modifications to cloud infrastructure, or the deployment of malicious resources. The impact is particularly high when the unauthenticated IAM role is excessively permissive, allowing broad control over the AWS account. This misconfiguration creates a direct, public pathway for adversaries to obtain legitimate AWS credentials, bypassing traditional authentication and authorization controls, and placing the entire affected AWS environment at risk of compromise, including financial impact from resource abuse or regulatory penalties from data breaches.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable AWS CloudTrail data events for <code>AWS::Cognito::IdentityPool</code> resources, specifically capturing <code>GetCredentialsForIdentity</code>, <code>GetId</code>, <code>GetOpenIdToken</code>, <code>GetOpenIdTokenForDeveloperIdentity</code>, and <code>UnlinkIdentity</code> actions.</li>
<li>Deploy the &quot;Detect AWS Cognito Unauthenticated Identity Pool Credentials Issued&quot; Sigma rule to your SIEM to alert on the initial occurrence of unauthenticated credential issuance.</li>
<li>Review the IAM policies attached to unauthenticated roles of all Cognito Identity Pools; ensure they adhere to the principle of least privilege, granting only the absolute minimum permissions required for legitimate anonymous use.</li>
<li>If unauthenticated access is not required for an Identity Pool, immediately disable the <code>AllowUnauthenticatedIdentities</code> setting within its configuration.</li>
<li>For any alerts from the Sigma rule, investigate the <code>source.ip</code>, <code>user_agent.original</code>, and <code>source.geo</code> fields in CloudTrail logs to determine the origin of the <code>GetCredentialsForIdentity</code> call and search for subsequent API calls made with the obtained credentials.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>cognito</category><category>misconfiguration</category><category>credential-access</category><category>cloud-security</category></item></channel></rss>