Article by Wes Ladd.
Overpermissioned AWS Cognito Identity Pools
A significant security flaw in applications using AWS Cognito for identity management can occur when identity pools are given excessive privileges. Excessive privileges in an Identity Pool mean that the identities (users) associated with that pool can perform actions beyond what is necessary for their role in the application.
If an attacker successfully authenticates with the AWS Cognito service (for example through unintended self-signup) and the corresponding identity pool has excessive privileges, the attacker can potentially perform actions that should be restricted. This might include accessing sensitive data, manipulating services, and, in some cases, privilege escalation.
Sometimes even unauthenticated (anonymous) users can perform actions that should be restricted. This is because an identity pool can be configured to allow unauthenticated identities, so anonymous callers also receive an IAM role from the pool. If that role has excessive privileges, unauthenticated users can perform actions that should be restricted.
How it works
The process usually involves two key steps:
Identity Retrieval:
This starts with an attacker successfully signing up or logging in to a vulnerable Cognito user pool. As we discussed in our previous post, this might be due to misconfigured access controls allowing unintended self-signup, or through credential stuffing, password spraying or other attack vectors against user accounts.
When an attacker successfully authenticates, they get a set of identity tokens. The ID token, in particular, is a JWT (JSON Web Token) that contains claims about the identity of the authenticated user.
Excessive Privileges Exploitation:
The next step involves the attacker using this ID token to get temporary AWS credentials from an associated Cognito Identity Pool. The Identity Pool maps identities to IAM roles and provides them with temporary AWS credentials to access AWS services.
However, if the IAM roles associated with the Identity Pool have excessive permissions, the temporary AWS credentials that the attacker receives will allow them to perform actions that they should not be allowed to. Depending on the assigned permissions, an attacker could potentially read sensitive data from an S3 bucket, manipulate a DynamoDB table, invoke Lambda functions, or even perform privilege escalation to gain administrative rights.
Exploitation
The following commands can be used to get the AWS credentials, assuming you have the ID token for a valid user (the AWS CLI takes --logins as a provider=token pair, not provider:token):
# Exchange the ID token for an identity ID in the pool
aws cognito-identity get-id --identity-pool-id {identity_pool_id} --account-id {account_id} --logins {login_provider}={id_token}
# Exchange the identity ID plus ID token for temporary AWS credentials of the mapped IAM role
aws cognito-identity get-credentials-for-identity --identity-id {identity_id} --logins {login_provider}={id_token}
Impact
The severity of this vulnerability depends on the permissions associated with the Identity Pool. In the worst case, an attacker could perform actions that are equivalent to a full AWS account takeover. This could lead to data leakage, unauthorized modification of data, and potential compliance violations.
However, if Identity Pools are configured in accordance with the principle of least privilege, the impact of this vulnerability is significantly reduced. In this case, the attacker would only be able to perform actions that are allowed by the associated IAM roles. This might still include accessing data that they should not be able to access, but it would not let them escalate privileges or perform actions beyond what those roles directly grant.
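As an added defensive check (not code from the original article), the following Python audits the roles an identity pool hands out, as described under "How it works", against the least-privilege configuration this section recommends. It works on dicts shaped like the responses of the Cognito describe_identity_pool and get_identity_pool_roles API calls plus each role's policy documents; the pool ID, account ID, role ARNs and both policies are constructed placeholders.

```python
import fnmatch
# Constructed sample data shaped like the describe_identity_pool / get_identity_pool_roles
# responses and each role's policy documents (placeholder IDs, not real account values).
POOL = {"IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
        "AllowUnauthenticatedIdentities": True}
ROLES = {"Roles": {"unauthenticated": "arn:aws:iam::123456789012:role/Cognito_Unauth",
                   "authenticated": "arn:aws:iam::123456789012:role/Cognito_Auth"}}
ROLE_POLICIES = {
    # Overpermissioned: service-wide wildcards on every resource, reachable by anonymous identities.
    ROLES["Roles"]["unauthenticated"]: [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}],
    # Least privilege: one read action, scoped to the caller's own prefix via its identity id.
    ROLES["Roles"]["authenticated"]: [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-uploads/${cognito-identity.amazonaws.com:sub}/*"}]}]}
# Actions that turn a leaked Cognito credential into broader account access.
ESCALATION_ACTIONS = ("iam:PassRole", "iam:CreateAccessKey", "iam:AttachRolePolicy",
                      "sts:AssumeRole", "lambda:UpdateFunctionCode", "lambda:CreateFunction")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def risky_statements(policy_doc):
    """Return one reason string per problem found in the document's Allow statements."""
    reasons = []
    for st in _as_list(policy_doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue  # Deny and NotAction-only statements are out of scope for this check
        actions, resources = _as_list(st["Action"]), _as_list(st.get("Resource", "*"))
        wide = [a for a in actions if a == "*" or a.endswith(":*")]
        if wide:
            reasons.append("service-wide actions: " + ", ".join(wide))
        if "*" in resources:
            reasons.append("unrestricted Resource '*'")
        # Policy action strings are glob patterns; see which escalation actions they cover.
        hits = [e for e in ESCALATION_ACTIONS if any(fnmatch.fnmatchcase(e, a) for a in actions)]
        if hits:
            reasons.append("privilege-escalation actions: " + ", ".join(hits))
    return reasons

def audit_identity_pool(pool, roles, role_policies):
    """Return (role kind, role ARN, reason) for every role an identity from this pool can obtain."""
    findings = []
    for kind, arn in roles["Roles"].items():
        if kind == "unauthenticated" and not pool.get("AllowUnauthenticatedIdentities"):
            continue  # mapped but unreachable: the pool does not issue anonymous identities
        for doc in role_policies.get(arn, []):
            findings.extend((kind, arn, reason) for reason in risky_statements(doc))
    return findings
```

In a real audit, feed the function the output of boto3's cognito-identity describe_identity_pool and get_identity_pool_roles calls and the inline and attached policy documents pulled from IAM for each role.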